Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Anything malicious in this HJT file?

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Anything malicious in this HJT file?

Unread postby Towel » December 3rd, 2005, 3:48 am

Hello guys. I'm just posting to see if there is anything wrong with my computer. I don't really see any visible problems but to be on the safe side, I thought it would be good to get a HJT file. So here is my file:


Logfile of HijackThis v1.99.1
Scan saved at 11:46:36 PM, on 12/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\HDAudPropShortcut.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\My Documents\Virus\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am
Advertisement
Register to Remove

Unread postby amateur » December 3rd, 2005, 10:29 am

Hi Towel, :)

I'll gladly take a look at you log, but researching each item takes quite a lot of time. So, please be patient. I'll get back to you as soon as I am able.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby amateur » December 3rd, 2005, 1:03 pm

Hi Towel, :)

Welcome to MRU. You are correct that there is nothing serious with your computer. However, I noticed that you don't have Windows XP Service Pack 2. Is there any particular reason why you chose not to update? I would strongly recommend that you visit Microsoft's Windows Update. If there are new updates to install, install them immediately.

========================

You are also using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of perceived vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 5.0 Update 6 .

To check your version to see if it is the latest version, Please go to this link to verify your version to get the updates needed:

You'll need to use IE and allow ActiveX for this update. Follow the instructions on that page to verify Your Java software.

Or you can get the manual download here:

Once you have installed the latest update, please go to Add/Remove Programs and remove all older instances of Java listed there.

==========================

Weatherbug, which does meet the definition for ‘parasite’: unsolicited commercial software. However, it is nonetheless listed as a borderline case because it is not overtly harmful and many people do install it deliberately. It bundles the MySearch parasite in its standalone distribution and has in the past, installed Gator and SVAPlayer. So, I would recommend that you uninstall it. In order to avoid future problems with Weatherbug, make sure the program is not running before uninstalling it. If there is a WeatherBug icon in the system tray (in the lower right hand corner of the screen) you'll need to right-click on it and choose "Exit WeatherBug" or "Terminate Weatherbug".
Click on Start, Control Panel, click on Add/Remove Programs
Look through the installed programs for the following items and remove them if present:

WeatherBug
My Search


During the uninstall process, you might be presented with several prompts to guide you through uninstalling the product. Read these carefully to make sure you are actually choosing to uninstall rather than keep the software. I am going to include weatherbug in my HJT fix in orange color. If you've uninstalled it, please put a checkmark against it in the HijackThis.

Now, please run HijackThis again. Put a check against the following entries. Close all other windows except HJT.


O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


Click on "Fix checked" button and exit HijackThis.

===========================

Go to Start > Run and type: CLEANMGR.EXE and hit enter.
When prompted select the C: drive and click ok.
Check the boxes for:
"
    Temporary Internet Files
    " Downloaded Program Files
    " Recycle Bin
    " Temporary Files


Click OK or Enter

===========================

Run an online scan at Panda's ActiveScan and perform a full system scan.
" Once you are on the Panda site click the Scan your PC button.
" A new window will open...click the big Check Now button.
" Enter your Country.
" Enter your State/Province.
" Enter your e-mail address.
" Select either Home User or Company.
" Click the big Scan Now button.
" Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
" Click on Local Disks to start the scan.
Upon scan completion, if anything malicious is detected, click See Report, then click Save Report and save it to your Desktop.

======================

Reboot your computer.

Run HijackThis again and post the new HJT log and the Panda report please to make sure that everything is OK.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby Towel » December 4th, 2005, 3:07 pm

Thanks for your help. The reason why I don't have service pack 2 is because every time I try to update my service pack at http://www.microsoft.com, I always get an error that crashes and closes all my browsers. Here is my scan report from Panda:



Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Owner\Application Data\Sskcwrd.dll
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-37951a11-64e08b5f.zip[Gummy.class]
Virus:Trj/Downloader.GLH Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-37951a11-64e08b5f.zip[web.exe]
Spyware:Spyware/ClearSearch Not disinfected C:\My Documents\Virus\hijack\backups\backup-20050313-194814-272.dll
Spyware:Spyware/ClearSearch Not disinfected C:\My Documents\Virus\hijack\backups\backup-20050313-194814-329.dll
Spyware:Spyware/ClearSearch Not disinfected C:\My Documents\Virus\hijack\backups\backup-20050313-194814-413.dll
Spyware:Spyware/ClearSearch Not disinfected C:\My Documents\Virus\hijack\backups\backup-20050313-194814-487.dll
Spyware:Spyware/ClearSearch Not disinfected C:\My Documents\Virus\hijack\backups\backup-20050313-194814-659.dll
Spyware:Spyware/ClearSearch Not disinfected C:\My Documents\Virus\hijack\backups\backup-20050313-194814-916.dll
Adware:Adware/Beginto Not disinfected C:\My Documents\Virus\hijack\backups\backup-20050412-193141-120.dll
Adware:Adware/WUpd Not disinfected C:\Program Files\Media Pass\MediaPassK.exe.tcf
Adware:Adware/Pacimedia Not disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/BookedSpace Not disinfected C:\WINDOWS\akbqhjvd.exe
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\Buddy.exe
Adware:adware/portalscan Not disinfected C:\WINDOWS\bundles\AdSmartMedia_bundle.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\WINDOWS\bundles\SSK_B5.EXE
Adware:Adware/PortalScan Not disinfected C:\WINDOWS\Helper101.dll
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\ceres.inf
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\farmmext.inf
Adware:adware/isearch Not disinfected C:\WINDOWS\system32\246765-ventura-hot.exe
Adware:Adware/AlwaysupdatednewsNot disinfected C:\WINDOWS\system32\adlinstallwin32.exe
Adware:Adware/BookedSpace Not disinfected C:\WINDOWS\system32\bs51-eginwl51-vb.exe
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\system32\Cache\em_d.exe
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\Cache\installer_MARKETING17.exe
Adware:adware/searchtheweb Not disinfected C:\WINDOWS\system32\Cache\mswinstall.exe
Adware:Adware/ISearch Not disinfected C:\WINDOWS\system32\Cache\MTE1NTA6ODoxMg.exe
Adware:Adware/nCase Not disinfected C:\WINDOWS\system32\Cache\pop.exe
Spyware:Spyware/ShhhToolbar Not disinfected C:\WINDOWS\system32\Cache\runsearch.exe
Adware:Adware/AdLogix Not disinfected C:\WINDOWS\system32\Cache\videoinst.exe
Adware:adware program Not disinfected C:\WINDOWS\system32\data.~
Spyware:Spyware/Apropos Not disinfected C:\WINDOWS\system32\dsouclt1.exe
Adware:Adware/DealHelper Not disinfected C:\WINDOWS\system32\Ewumav.exe
Virus:Trj/Agent.AJK Not disinfected C:\WINDOWS\system32\gebya.dll
Adware:Adware/DealHelper Not disinfected C:\WINDOWS\system32\HookPopup.dll
Adware:adware/exact.bargainbuddyNot disinfected C:\WINDOWS\system32\javex80.vxd
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\system32\javex80.vxd[nvms.dll]
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\system32\javex80.vxd[nls.exe]
Adware:Adware/eZula Not disinfected C:\WINDOWS\system32\psis80ex.ax[mscb.dll]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[bb_auto_wider.swf]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[bb_click_wider.swf]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[bb_welcome1.swf]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[bb_welcome.html]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[icon.gif]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[logo.gif]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[cashback.exe]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[cb.exe]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[flash.exe]
Adware:Adware/DealHelper Not disinfected C:\WINDOWS\system32\Qytpao.exe
Adware:Adware/AdLogix Not disinfected C:\WINDOWS\system32\xlvdbf.exe.tcf ============================

My HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:06:54 AM, on 12/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\HDAudPropShortcut.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Documents\Virus\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 3638371625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3638357093
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Unread postby amateur » December 4th, 2005, 4:35 pm

Hello Towel, :)

For the problem :( you are having with the downloading of SP2, here is a link to read. I believe you can also contact Microsoft and request the Service Pack in a CD.

Please download the following programs, update them and run them following the instructions below:

Ccleaner

o Double click on the file to start the installation of the program.
o Select your language and click OK, then next.
o Read the license agreement and click I Agree.
o Click next to use the default install location. Click Install then finish to complete installation.

o Double click the CCleaner shortcut on the desktop to start the program.
o On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
o If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
o Click on "Options" at the top of the window, then click on the advanced" button.
deselect "Only delete files in Windows Temp folders older than 48 hours." Click on "OK."
o Click Run Cleaner to run the program.
o Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
o After CCleaner has completed its process, click Exit.

Adaware SE1R77

1) Run Ad-Aware, and click Check for updates now.

2) Select Configurations (click the Gear wheel at the top) as follows:

  • General Button > Safety & Settings: Check (Green) all three.
  • Tweak Button > Cleaning Engine > UNcheck "Always try to unload modules before deletion".

Click Proceed. Do not run it yet

Spybot S & D

In the Menu Bar at the top of the Spybot window you will see 'Mode'. Make certain that 'default mode' has a check mark beside it.
Close ALL windows except Spybot S&D
Click the button to 'Search for Updates' then download and install the Updates.
Click on "immunize" button to complete the update. Do not run it yet.

Ewido Security Suit

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful") Do not run it yet.

----------------------------------------------------------------

Now go to Control Panel > Java or Java Plugin> General tab>Temporary Internet Files > Delete Files
Checkmark all 3 options and click OK.

Empty the Recycle Bin.

---------------------------------------------------------------

Reboot your computer in Safe Mode using the F8 method below. Look in here for more information.
If the computer is running, shut down Windows, and then turn off the power.
Wait 30 seconds, and then turn the computer on.
Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
Ensure that the Safe Mode option is selected.
Press Enter. The computer then begins to start in Safe mode.

Run Ewido Security Suit

Click on the Scanner button in the left menu, then click on Settings, and under "What to scan?", select "Every file" then click ok.
Then click on Complete System Scan. This scan can take quite a while to run.

If during your scan Ewido "crashes" or "hangs", please try scanning again. Before running the scan, click on 'Scanner' (the 3rd bar from the top on the left) and Choose 'Settings'. Uncheck 'Scan in NTFS Alternate Data Streams' as this can cause problems in overly infected systems. Click 'OK' and then follow the instructions

If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again. Do Not reboot yet.

Run Spybot S & D

Next click the button 'Check for Problems'
When Spybot is complete, it will be showing RED entries, BLACK entries and GREEN entries in the window.
Make sure that there is a check mark beside all of the RED entries ONLY.
Choose Fix Selected Problems and allow Spybot to fix the RED entries.

If it has trouble removing any spyware, you will get a message window, asking if it would be ok to run Spybot - S&D on the next reboot before any other applications start running. You should reply Yes to this. The next time you start Windows, Spybot will run automatically and fix any of the programs it could not fix previously.

At this point you will be presented with the list of found entries again, but now there will be large green checkmarks next to the items that Spybot - S&D was able to remove. The ones that are still checked but do not have the large green checkmark next to them will be fixed on the next reboot of windows. Do not reboot yet.

Run Adaware SE

To start the scan, Click > "Scan Now" at left

  • Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
  • Select "Search for low-risk threats"
  • Select "Perform full system scan"
  • Click Next
When the scan has completed, select Next.

  • In the Scanning Results window, select the "Critical Objects" tab.
  • Right-click on the screen and choose "Select all objects"
  • Click Next to remove the infections found, and click OK to the prompt.
  • Restart the computer.

---------------------------------------
Reboot in Normal Mode to complete the scan and clear memory.

Run Ccleaner

Click on Options, Select Advanced Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
Make sure the Cleaner block on the left is selected. (Do not use the "Issues" block) Choose the Windows tab.
Check everything EXCEPT cookies, the Autocomplete Form History and the Advanced part of the Menu.
Choose Run Cleaner. This process could take a while.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.

And now run the online scan at Panda again.

Post a new HijackThis log, the Ewido report and the result of the Panda Online scan.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby Towel » December 6th, 2005, 11:28 pm

Here are my new logs:

Logfile of HijackThis v1.99.1
Scan saved at 7:24:27 PM, on 12/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\HDAudPropShortcut.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\My Documents\Virus\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Documents\Virus\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 3638371625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3638357093
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\My Documents\Virus\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

========================

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:09:48 PM, 12/5/2005
+ Report-Checksum: 91CC68F9

+ Scan result:

C:\WINDOWS\system32\javex80.vxd/C:/WINDOWS/System32/nvms.dll -> Spyware.BargainBuddy : Ignored
C:\WINDOWS\system32\javex80.vxd/C:/Program Files/NaviSearch/bin/nls.exe -> Spyware.BargainBuddy : Ignored
C:\WINDOWS\system32\psis80ex.ax/C:/WINDOWS/System32/mscb.dll -> Spyware.BargainBuddy : Ignored
C:\WINDOWS\system32\psis80ex.ax/C:/Program Files/CashBack/bin/cb.exe -> Spyware.CashBack : Ignored
C:\WINDOWS\system32\psis80ex.ax/C:/Program Files/CashBack/bin/flash.exe -> Spyware.CashBack : Ignored


::Report End

==============
Panda Scan:



Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Owner\Application Data\Sskcwrd.dll
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-37951a11-64e08b5f.zip[Gummy.class]
Virus:Trj/Downloader.GLH Not disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-37951a11-64e08b5f.zip[web.exe]
Spyware:Spyware/ClearSearch Not disinfected C:\My Documents\Virus\hijack\backups\backup-20050313-194814-272.dll
Spyware:Spyware/ClearSearch Not disinfected C:\My Documents\Virus\hijack\backups\backup-20050313-194814-329.dll
Spyware:Spyware/ClearSearch Not disinfected C:\My Documents\Virus\hijack\backups\backup-20050313-194814-413.dll
Spyware:Spyware/ClearSearch Not disinfected C:\My Documents\Virus\hijack\backups\backup-20050313-194814-487.dll
Spyware:Spyware/ClearSearch Not disinfected C:\My Documents\Virus\hijack\backups\backup-20050313-194814-659.dll
Spyware:Spyware/ClearSearch Not disinfected C:\My Documents\Virus\hijack\backups\backup-20050313-194814-916.dll
Adware:Adware/Beginto Not disinfected C:\My Documents\Virus\hijack\backups\backup-20050412-193141-120.dll
Adware:Adware/WUpd Not disinfected C:\Program Files\Media Pass\MediaPassK.exe.tcf
Adware:Adware/Pacimedia Not disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Adware:Adware/BookedSpace Not disinfected C:\WINDOWS\akbqhjvd.exe
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\Buddy.exe
Adware:adware/portalscan Not disinfected C:\WINDOWS\bundles\AdSmartMedia_bundle.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\WINDOWS\bundles\SSK_B5.EXE
Adware:Adware/PortalScan Not disinfected C:\WINDOWS\Helper101.dll
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\ceres.inf
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\farmmext.inf
Adware:adware/isearch Not disinfected C:\WINDOWS\system32\246765-ventura-hot.exe
Adware:Adware/AlwaysupdatednewsNot disinfected C:\WINDOWS\system32\adlinstallwin32.exe
Adware:Adware/BookedSpace Not disinfected C:\WINDOWS\system32\bs51-eginwl51-vb.exe
Adware:Adware/IST.ISTBar Not disinfected C:\WINDOWS\system32\Cache\em_d.exe
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\Cache\installer_MARKETING17.exe
Adware:adware/searchtheweb Not disinfected C:\WINDOWS\system32\Cache\mswinstall.exe
Adware:Adware/ISearch Not disinfected C:\WINDOWS\system32\Cache\MTE1NTA6ODoxMg.exe
Adware:Adware/nCase Not disinfected C:\WINDOWS\system32\Cache\pop.exe
Spyware:Spyware/ShhhToolbar Not disinfected C:\WINDOWS\system32\Cache\runsearch.exe
Adware:Adware/AdLogix Not disinfected C:\WINDOWS\system32\Cache\videoinst.exe
Adware:adware program Not disinfected C:\WINDOWS\system32\data.~
Spyware:Spyware/Apropos Not disinfected C:\WINDOWS\system32\dsouclt1.exe
Adware:Adware/DealHelper Not disinfected C:\WINDOWS\system32\Ewumav.exe
Virus:Trj/Agent.AJK Not disinfected C:\WINDOWS\system32\gebya.dll
Adware:Adware/DealHelper Not disinfected C:\WINDOWS\system32\HookPopup.dll
Adware:adware/exact.bargainbuddyNot disinfected C:\WINDOWS\system32\javex80.vxd
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\system32\javex80.vxd[nvms.dll]
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\system32\javex80.vxd[nls.exe]
Adware:Adware/eZula Not disinfected C:\WINDOWS\system32\psis80ex.ax[mscb.dll]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[bb_auto_wider.swf]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[bb_click_wider.swf]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[bb_welcome1.swf]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[bb_welcome.html]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[icon.gif]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[logo.gif]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[cashback.exe]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[cb.exe]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[flash.exe]
Adware:Adware/DealHelper Not disinfected C:\WINDOWS\system32\Qytpao.exe
Adware:Adware/AdLogix Not disinfected C:\WINDOWS\system32\xlvdbf.exe.tcf
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Unread postby amateur » December 7th, 2005, 10:29 am

Hi Towel, :)

Thanks for the logs. :) Unfortunately your computer is not clean. That's probably why it was crashing when trying to update to SP2. Don't try to update it. Wait until the computer is clean. :( We have some work to do.

You may want to print out these instructions for reference.

Please download AproposFix from here:

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following: This is very very important. This will only work in Safe Mode.

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, tap F8 a few times .
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode

Then download Killbox

Run Panda online scan again.

Post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby Towel » December 9th, 2005, 12:16 am

Here is my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 8:12:53 PM, on 12/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\HDAudPropShortcut.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\My Documents\Virus\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\My Documents\Virus\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 3638371625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3638357093
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\My Documents\Virus\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

===========

My AproposFix log:

Log of AproposFix v1

************

Running from directory:
C:\My Documents\Virus\Aproposfix\aproposfix

************

Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Unread postby amateur » December 9th, 2005, 12:27 pm

Hi Towel, :)

Thank you for the logs. :)

First, please update your Ewido, Adaware and Spybot.

----------------------------------------------------------

Next, please go to Control Panel > Java or Java Plugin> General tab>
Temporary Internet Files > Delete Files

Checkmark all 3 options and click OK.

If those settings are different, the "Clear Cache" option might be under the "Cache" tab instead.

Empty the Recycle Bin.

----------------------------------------------------------

Please download Rootkit Revealer (link is at the very bottom of the page)
" Unzip it to your desktop.
" Open the rootkitrevealer folder and double-click rootkitrevealer.exe
" Click the Scan button (bottom right)
" It may take a while to scan (don't do anything while it's running)
" When it's done, go up to File > Save. Choose to save it to your desktop.
" Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

Note: When you are posting the rootkitrevealer.text, you can leave out the repetitive lines that contain the word "cache" in the progam files folder, except the first line where it appears and the last one.
------------------------------------------------------
Next, please reboot your computer in Safe Mode (This is very important) by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
-----------------------------------------------------

While still in Safe Mode run Ewido again. Sometimes it needs several runs to clean.
--------------------------------------------------------

Reboot in Normal Mode. Run Adaware and Spybot again, rebooting after each scan.
--------------------------------------------------------

Run Ccleaner, following my earlier instructions.
------------------------------------------------------------
Please do an online scan with Panda again and Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

-----------------------------------------------------------------

Reboot and run HijackThis again.

----------------------------------------------------------------

Post the new HijackThis log, the RootkitRevealer log, and the online scan results please.

P.S. I'll be leaving on a trip this afternoon and won't be back until Monday evening. I'll try to get on line, but I am not sure if I'll be able to. So, please don't worry if you don't hear from me for a couple of days.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby Towel » December 13th, 2005, 2:50 am

Pasted below are my reports. As of a note, I was not able to run the Kaspersky scan. For some reason, the ActiveX download was corrupted.

Here is my eWido report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:47:10 PM, 12/12/2005
+ Report-Checksum: 9B08B73B

+ Scan result:

C:\WINDOWS\system32\javex80.vxd/C:/WINDOWS/System32/nvms.dll -> Spyware.BargainBuddy : Error during cleaning
C:\WINDOWS\system32\javex80.vxd/C:/Program Files/NaviSearch/bin/nls.exe -> Spyware.BargainBuddy : Error during cleaning
C:\WINDOWS\system32\psis80ex.ax/C:/WINDOWS/System32/mscb.dll -> Spyware.BargainBuddy : Error during cleaning
C:\WINDOWS\system32\psis80ex.ax/C:/Program Files/CashBack/bin/cb.exe -> Spyware.CashBack : Error during cleaning
C:\WINDOWS\system32\psis80ex.ax/C:/Program Files/CashBack/bin/flash.exe -> Spyware.CashBack : Error during cleaning


::Report End

==========
Rootkitrevealer:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reinstall\€ 11/7/2004 1:55 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 12/12/2005 2:28 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful 12/12/2005 2:28 PM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\LastTraceFailure 12/12/2005 2:28 PM 4 bytes Data mismatch between Windows API and raw hive data.
==================

Panda Scan:


Incident Status Location

Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Owner\Application Data\Sskcwrd.dll
Adware:adware/portalscan Not disinfected C:\WINDOWS\bundles\AdSmartMedia_bundle.exe
Spyware:Spyware/BetterInet Not disinfected C:\WINDOWS\inf\ceres.inf
Adware:Adware/IPInsight Not disinfected C:\WINDOWS\inf\farmmext.inf
Adware:adware/searchtheweb Not disinfected C:\WINDOWS\system32\Cache\mswinstall.exe
Spyware:Spyware/ShhhToolbar Not disinfected C:\WINDOWS\system32\Cache\runsearch.exe
Adware:Adware/AdLogix Not disinfected C:\WINDOWS\system32\Cache\videoinst.exe
Adware:adware program Not disinfected C:\WINDOWS\system32\data.~
Spyware:Spyware/Apropos Not disinfected C:\WINDOWS\system32\dsouclt1.exe
Adware:adware/exact.bargainbuddyNot disinfected C:\WINDOWS\system32\javex80.vxd
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\system32\javex80.vxd[nvms.dll]
Adware:Adware/Exact.SearchBar Not disinfected C:\WINDOWS\system32\javex80.vxd[nls.exe]
Adware:Adware/eZula Not disinfected C:\WINDOWS\system32\psis80ex.ax[mscb.dll]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[bb_auto_wider.swf]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[bb_click_wider.swf]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[bb_welcome1.swf]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[bb_welcome.html]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[icon.gif]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[logo.gif]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[cashback.exe]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[cb.exe]
Adware:Adware/Exact.BargainBuddyNot disinfected C:\WINDOWS\system32\psis80ex.ax[flash.exe]
===============

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 10:40:17 PM, on 12/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\macromed\flash\GetFlash.exe
C:\My Documents\Virus\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.gateway.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 3638371625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3638357093
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\My Documents\Virus\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Unread postby amateur » December 13th, 2005, 6:06 pm

Hi Towel,

Thanks for the logs. :)

Please download the following tools:

a. The bargainbuddy removal tool from here. Run the tool following the prompts and let it remove the bargainbuddy.

b. VX2 Cleaner Plug In

Start Ad-Aware SE
" Click on Add-ons
" Select the VX2 Cleaner plug-in and click Run Tool
" If your computer isn't infected, click Close.
OR
" If you computer is infected with VX2, a dialog box with text such as New VX2 variant found or VX2 variant 1 found will appear.
" Press Clean and a dialog box with text The first phase completed. Please reboot and perform a Smart Scan will appear.
" Reboot your computer
" Run Ad-Aware and Click on the Scan Now Button
o Choose Perform Smart System Scan
o DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to Scan Complete.

Click the Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.
Repeat this until the VX2 Cleaner reports System clean. Press Close to exit.

Run Ad-Aware one more time and perform a Perform Full System Scan of your computer to make sure VX2 has been found and removed.

======================================
Go to Start>Control Panel>Add/Remove Programs and uninstall the following programs, if there:

CashBack
NaviSearch
Surfsidekick


======================================

Make sure that you can see hidden files

Click Start
" Open My Computer
" Select the Tools menu and click Folder Options
" Select the View Tab
" Under the Hidden files and folders heading select Show hidden files and folders
" Uncheck the Hide protected operating system files (recommended) option
" Click Yes to confirm
" Click OK

======================================

Reboot your computer into Safe Mode.

======================================

Navigate using Windows Search function, find and delete the following files in bold, if found:

C:\Documents and Settings\Owner\Application Data\Sskcwrd.dll
C:/WINDOWS/System32/nvms.dll
C:/WINDOWS/System32/mscb.dll
C:\WINDOWS\system32\javex80.vxd (delete all instances of it, if there is more than one)
C:\WINDOWS\system32\psis80ex.ax (delete all instances of it, if there is more than one)
C:\WINDOWS\system32\Cache\mswinstall.exe
C:\WINDOWS\system32\data.~
C:\WINDOWS\system32\dsouclt1.exe

Using Windows Explorer, navigate and delete the following folders in bold, if found:

C:\WINDOWS\inf
C:/Program Files/CashBack
C:/Program Files/NaviSearch
C:\WINDOWS\bundles
C:\WINDOWS\system32\Cache

======================================

Run Ccleaner

======================================

Go to Start>Run and type "prefetch", click OK. Select All and delete all the files in the Prefetch folder.
======================================

Reboot in Normal Mode.

======================================

Run Panda online scan again. Post a fresh HijackThis log along with the Panda scan result, please.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby Towel » December 14th, 2005, 12:14 am

First of all, thanks for all of your help. Here is my Panda scan:


Incident Status Location

Adware:adware program Not disinfected C:\WINDOWS\SYSTEM32\key.~
Adware:adware/portalscan Not disinfected C:\WINDOWS\SYSTEM32\winupdt.008
Adware:adware/wupd Not disinfected C:\PROGRAM FILES\Media Pass
Adware:adware/wintools Not disinfected C:\PROGRAM FILES\COMMON FILES\WinTools
Adware:adware/ncase Not disinfected C:\WINDOWS\SYSTEM32\FLEOK
Adware:adware/addestroyer Not disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
Adware:adware/virtualbouncer Not disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\VBouncer
Adware:adware/pacimedia Not disinfected Windows Registry
==============

HJT:

Logfile of HijackThis v1.99.1
Scan saved at 8:12:13 PM, on 12/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\HDAudPropShortcut.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\My Documents\Virus\security suite\ewidoctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Documents\Virus\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 3638371625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3638357093
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\My Documents\Virus\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Unread postby amateur » December 14th, 2005, 10:46 pm

Hi Towel, :)

We need to do a little bit more cleanup.

Go to Control Panel>Add/Remove prgrams and remove these if listed:

Media Pass
WinTools
FLEOK
AdDestroyer
VBouncer


Please go online and update your Adaware and Spybot.

Then download and install RegistrarLite with a shortcut on your desktop, but do not use it yet. We'll need it later. It is a free, relatively simple, and easy to use registry editor.
=========================================
Make sure that you can see hidden files:

Click Start
" Open My Computer
" Select the Tools menu and click Folder Options
" Select the View Tab
" Under the Hidden files and folders heading select Show hidden files and folders
" Uncheck the Hide protected operating system files (recommended) option
" Click Yes to confirm
" Click OK
===========================================
Next, reboot the computer in Safe Mode like you did before
===========================================

Press on Windows key and E key at the same time to bring up the Windows Explorer, expand the local disk (C) and navigate to the files and folders marked bold, and delete them. Be careful not to delete any other files which may be similar.

Files:
C:\WINDOWS\SYSTEM32\key.~
C:\WINDOWS\SYSTEM32\winupdt.008
Folders:
C:\PROGRAM FILES\Media Pass
C:\PROGRAM FILES\COMMON FILES\WinTools
C:\WINDOWS\SYSTEM32\FLEOK

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\AdDestroyer
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\VBouncer
===========================================
Click on RegistrarLite shortcut on your desktop. In the toolbar select Search>Search Registry. In the Text part type in pacimedia. In Search In part, drop it down and select Registry. Press enter. From here you can delete Pacimedia by right clicking and selecting Delete selected reg keys and values. If you can't delete it from there highlight the key and click on the red check mark at the bottom of the window and from there you can change the permissions. Then try and delete.

Once deleted you can uninstall Registrar Lite from Add/Remove.
===========================================
Please run Adaware now. Reboot and run Spybot. Reboot and run Ccleaner. ===========================================
Run Panda online scan again. Save the report.
===========================================
Reboot one more time to run HijackThis. Save the report
===========================================
Post the result of the Panda scan and the fresh HijackThis log please.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Unread postby Towel » December 15th, 2005, 5:40 am

Here are my new logs:

Panda log:


Incident Status Location

Adware:adware/portalscan Not disinfected C:\WINDOWS\system32\winupdt.bin
=======================


Logfile of HijackThis v1.99.1
Scan saved at 1:37:06 AM, on 12/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\HDAudPropShortcut.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\eMachines Bay Reader\shwiconem.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\My Documents\Virus\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\My Documents\Virus\hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\eMachines Bay Reader\shwiconem.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [CitiVAN] C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe /dontopenmycards
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Citi - {4C730913-3961-439b-83D5-F4E445520422} - C:\Program Files\Citi Virtual Account Numbers\CitiVAN.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftup ... 3638371625
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3638357093
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\My Documents\Virus\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Towel
Regular Member
 
Posts: 59
Joined: March 13th, 2005, 2:49 am

Unread postby amateur » December 15th, 2005, 12:58 pm

Hi Towel, :)

Looking better and better :) . We are down to one pest. Let's continue.
=============================

Make sure that you can see hidden files

Click Start
" Open My Computer
" Select the Tools menu and click Folder Options
" Select the View Tab
" Under the Hidden files and folders heading select Show hidden files and folders
" Uncheck the Hide protected operating system files (recommended) option
" Click Yes to confirm
" Click OK
=============================

Reboot in Safe Mode, following my earlier instructions

=============================

Using Windows Explorer, navigate to C:\Windows\System32, find the file winupdt.bin and delete it.

=============================

Run Ccleaner.

=============================

Reboot in Normal Mode and run online scan at :

Panda Online Scan

==============================

Reboot and post a fresh HijackThis log along with the online scan results.
User avatar
amateur
MRU Master
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 23 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware