Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Help! I can't eliminate this Aggressive Malware

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Help! I can't eliminate this Aggressive Malware

Unread postby sidelines » March 20th, 2005, 3:59 pm

I have read the FAQ, run SpyBot, CA eTrust Pest Patrol, and NAV. After an hour or so of leaving IE open (on normal mode) the pop ups come so fast and aggressive, I have to reboot. Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:01:14 PM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system\uvrkjqj.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\sysmonnt.exe
C:\Program Files\Quickenw\Qwdlls.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [ZEt7RXMnV] mcafos.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\System32\GEARSEC.EXE (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Thanks!
sidelines
Active Member
 
Posts: 13
Joined: March 20th, 2005, 3:09 pm
Advertisement
Register to Remove

Unread postby Daemon » March 20th, 2005, 4:13 pm

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [ZEt7RXMnV] mcafos.exe


Exit HijackThis when done. Reboot into Safe Mode by tapping F8 after the BIOS has loaded. Using Windows Explorer, find and delete the following:

C:\WINDOWS\system32\sysmonnt
C:\WINDOWS\system\uvrkjqj.exe

Exit Explorer and reboot into Normal Mode. Rescan with HijackThis and post a new log here.
User avatar
Daemon
Visiting Expert
Visiting Expert
 
Posts: 21
Joined: January 18th, 2005, 3:03 pm
Location: UK

Unread postby sidelines » March 20th, 2005, 4:45 pm

Here is the new log after your instructions:

Logfile of HijackThis v1.99.1
Scan saved at 12:50:16 PM, on 3/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Quickenw\Qwdlls.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - Unknown owner - C:\WINDOWS\System32\GEARSEC.EXE (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
sidelines
Active Member
 
Posts: 13
Joined: March 20th, 2005, 3:09 pm

Unread postby Daemon » March 20th, 2005, 4:48 pm

That looks OK now - how is it running?
User avatar
Daemon
Visiting Expert
Visiting Expert
 
Posts: 21
Joined: January 18th, 2005, 3:03 pm
Location: UK

Unread postby sidelines » March 20th, 2005, 4:51 pm

BargainBuddy still comes up on the eTrust quick scan. It reappears immiedately after deleting.

Is this what might be opening the floodgates? It runs fine right now, but I wm thinking in an hour I'll be wrecked again.
sidelines
Active Member
 
Posts: 13
Joined: March 20th, 2005, 3:09 pm

Unread postby Daemon » March 20th, 2005, 4:57 pm

Do this for me. Click here to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.
User avatar
Daemon
Visiting Expert
Visiting Expert
 
Posts: 21
Joined: January 18th, 2005, 3:03 pm
Location: UK

Unread postby sidelines » March 20th, 2005, 6:02 pm

Here is the whole file (120 found!). I would imagine a lot was added between when the scan started and when it stopped:

File C:\WINDOWS\autoheal.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\vsqlwtvx.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\qh4mkbv9.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\eliteysz32.exe infected by "BkCln.Unknown" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\elitexmh32.exe infected by "BkCln.Unknown" Virus. Action Taken: No Action Taken.
File C:\FOUND.005\FILE0004.CHK tagged as not-a-virus:RiskWare.Tool.PsKill.a. No Action Taken.
File C:\WINDOWS\SYSTEM32\DRIVERS\delprot.sys infected by "Trojan.Win32.Delprot.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\vsqlwtvx.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\qh4mkbv9.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\Cache\setup.exe infected by "Trojan.Win32.VB.tq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\HDPlugin1015.dll infected by "not-a-virus:AdWare.Gator.1015" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\installer_MEDIAWHIZ3.exe infected by "Trojan-Downloader.Win32.Adload.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MEDIAWHIZ3.exe infected by "Trojan-Downloader.Win32.Adload.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_MEDIAWHIZ3.exe infected by "Trojan-Downloader.Win32.Adload.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.4\installer_MEDIAWHIZ3.exe infected by "Trojan-Downloader.Win32.Adload.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\autoheal.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\Program Files\Iomega\AutoDisk\Setup_enu.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\System32\Win2kDrivers.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\626403ED.class infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\67273B65.class infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0499582A.class infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\68906522.htm infected by "Trojan-Downloader.JS.Psyme.ae" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\68930F1E.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1B635018.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6897391B.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2983035D.class infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6BAA21A8.class infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\01B22F76.class infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\69DE4CD4.class infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0CD76E0A.class infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\69E176D0.class infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\06EB4EDA.htm infected by "Trojan-Downloader.JS.Psyme.ae" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\06EB4EDA.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6A1A5FA3.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2FE23DA2.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2AD4759E.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2AD4759E.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2B366132.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2B366132.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2B9F20BF.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2B9F20BF.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2C043650.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2C043650.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2C694BE0.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2C694BE0.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2CD5356A.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2CD5356A.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2D3720FE.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2D3720FE.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2D9C368E.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2D9C368E.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E014C1F.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E014C1F.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E6761B0.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E6761B0.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2ECC7740.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2ECC7740.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F1412F1.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F310CD1.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F310CD1.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F9A4C5E.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F9A4C5E.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2FFC37F2.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2FFF61EE.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3064777F.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3064777F.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\30C90D10.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\30C90D10.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\312F22A0.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\312F22A0.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\31943831.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\31943831.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\320021BA.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\320021BA.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3265374B.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3265374B.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\32CA4CDB.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\32CA4CDB.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33330C68.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33330C68.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\339821F9.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\339821F9.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\34040B82.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\34040B82.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\346F750C.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\346F750C.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\34D50A9C.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\34D50A9C.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\35407426.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\35407426.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\35AC5DAF.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\35AC5DAF.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\361B7135.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\361B7135.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\368430C2.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\368430C2.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\68FB385D.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\719A16DF.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\719D40DC.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\71FF2C70.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\72060069.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\72686BFD.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\726B15F9.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\72CD018D.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\72D02B8A.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\7336411A.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\73396B17.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\73A554A0.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\73A87E9D.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4BB577FC.exe infected by "Trojan-Downloader.Win32.Small.akz" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\5ED0053D.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\5EDA0333.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\BDEProjector39.zip infected by "not-a-virus:AdWare.BrilliantDigital.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\BDEProjector40.zip infected by "not-a-virus:AdWare.Brilliandigital.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Xupiter13.zip infected by "not-a-virus:AdWare.Xupiter.d" Virus. Action Taken: No Action Taken.
File C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Xupiter14.zip infected by "not-a-virus:AdWare.Xupiter.f" Virus. Action Taken: No Action Taken.
File C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Xupiter15.zip infected by "not-a-virus:AdWare.Xupiter.d" Virus. Action Taken: No Action Taken.
File C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Xupiter20.zip infected by "not-a-virus:AdWare.Xupiter.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Desktop\silipa93.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\CPQS\TOOLS\REBOOT.COM tagged as not-a-virus:Tool.DOS.Reboot. No Action Taken.
sidelines
Active Member
 
Posts: 13
Joined: March 20th, 2005, 3:09 pm

Unread postby Daemon » March 20th, 2005, 6:12 pm

Mostly quarantined files. Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file to your desktop.

Start Killbox and click on Tools->Delete Temp Files. When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\WINDOWS\autoheal.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\installer_MEDIAWHIZ3.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\installer_MEDIAWHIZ3.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\installer_MEDIAWHIZ3.exe
C:\WINDOWS\Downloaded Program Files\HDPlugin1015.dll
C:\WINDOWS\Downloaded Program Files\installer_MEDIAWHIZ3.exe
C:\WINDOWS\SYSTEM32\Cache\setup.exe
C:\WINDOWS\SYSTEM32\DRIVERS\delprot.sys
C:\WINDOWS\system32\elitexmh32.exe
C:\WINDOWS\system32\eliteysz32.exe
C:\WINDOWS\SYSTEM32\qh4mkbv9.dll
C:\WINDOWS\system32\vsqlwtvx.exe

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

Reboot if it doesn't do so automatically. Post a new mwav scan in your next reply.
User avatar
Daemon
Visiting Expert
Visiting Expert
 
Posts: 21
Joined: January 18th, 2005, 3:03 pm
Location: UK

Unread postby ChrisRLG » March 20th, 2005, 6:18 pm

Hi daemon.

If you need it - we have a tutorial for killbox here:-
http://www.malwareremoval.com/forum/viewtopic.php?t=320
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK

Unread postby sidelines » March 20th, 2005, 9:15 pm

OK... Here is the updated file:

File C:\WINDOWS\system32\qh4mkbv9.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\FOUND.005\FILE0004.CHK tagged as not-a-virus:RiskWare.Tool.PsKill.a. No Action Taken.
File C:\WINDOWS\SYSTEM32\qh4mkbv9.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\Program Files\Iomega\AutoDisk\Setup_enu.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\System32\Win2kDrivers.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\626403ED.class infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\67273B65.class infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0499582A.class infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\68906522.htm infected by "Trojan-Downloader.JS.Psyme.ae" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\68930F1E.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1B635018.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6897391B.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2983035D.class infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6BAA21A8.class infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\01B22F76.class infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\69DE4CD4.class infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\0CD76E0A.class infected by "Trojan.Java.ClassLoader.z" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\69E176D0.class infected by "Trojan-Downloader.Java.OpenConnection.v" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\06EB4EDA.htm infected by "Trojan-Downloader.JS.Psyme.ae" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\06EB4EDA.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\6A1A5FA3.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2FE23DA2.class infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2AD4759E.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2AD4759E.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2B366132.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2B366132.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2B9F20BF.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2B9F20BF.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2C043650.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2C043650.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2C694BE0.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2C694BE0.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2CD5356A.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2CD5356A.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2D3720FE.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2D3720FE.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2D9C368E.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2D9C368E.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E014C1F.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E014C1F.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E6761B0.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2E6761B0.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2ECC7740.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2ECC7740.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F1412F1.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F310CD1.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F310CD1.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F9A4C5E.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2F9A4C5E.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2FFC37F2.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2FFF61EE.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3064777F.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3064777F.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\30C90D10.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\30C90D10.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\312F22A0.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\312F22A0.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\31943831.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\31943831.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\320021BA.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\320021BA.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3265374B.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3265374B.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\32CA4CDB.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\32CA4CDB.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33330C68.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\33330C68.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\339821F9.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\339821F9.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\34040B82.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\34040B82.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\346F750C.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\346F750C.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\34D50A9C.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\34D50A9C.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\35407426.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\35407426.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\35AC5DAF.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\35AC5DAF.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\361B7135.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\361B7135.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\368430C2.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\368430C2.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\68FB385D.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\719A16DF.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\719D40DC.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\71FF2C70.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\72060069.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\72686BFD.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\726B15F9.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\72CD018D.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\72D02B8A.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\7336411A.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\73396B17.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\73A554A0.bin infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\73A87E9D.exe infected by "Trojan-Dropper.Win32.Small.mr" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4BB577FC.exe infected by "Trojan-Downloader.Win32.Small.akz" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\5ED0053D.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\5EDA0333.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\BDEProjector39.zip infected by "not-a-virus:AdWare.BrilliantDigital.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\BDEProjector40.zip infected by "not-a-virus:AdWare.Brilliandigital.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Xupiter13.zip infected by "not-a-virus:AdWare.Xupiter.d" Virus. Action Taken: No Action Taken.
File C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Xupiter14.zip infected by "not-a-virus:AdWare.Xupiter.f" Virus. Action Taken: No Action Taken.
File C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Xupiter15.zip infected by "not-a-virus:AdWare.Xupiter.d" Virus. Action Taken: No Action Taken.
File C:\Program Files\Spybot - Search & Destroy 1.1\Recovery\Xupiter20.zip infected by "not-a-virus:AdWare.Xupiter.d" Virus. Action Taken: No Action Taken.
File C:\!Submit\autoheal.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\!Submit\installer_MEDIAWHIZ3.exe infected by "Trojan-Downloader.Win32.Adload.a" Virus. Action Taken: No Action Taken.
File C:\!Submit\HDPlugin1015.dll infected by "not-a-virus:AdWare.Gator.1015" Virus. Action Taken: No Action Taken.
File C:\!Submit\setup.exe infected by "Trojan.Win32.VB.tq" Virus. Action Taken: No Action Taken.
File C:\!Submit\delprot.sys infected by "Trojan.Win32.Delprot.a" Virus. Action Taken: No Action Taken.
File C:\!Submit\vsqlwtvx.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Desktop\silipa93.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\CPQS\TOOLS\REBOOT.COM tagged as not-a-virus:Tool.DOS.Reboot. No Action Taken.
sidelines
Active Member
 
Posts: 13
Joined: March 20th, 2005, 3:09 pm

Unread postby Daemon » March 22nd, 2005, 4:42 pm

Repeat the process on this file:

C:\WINDOWS\system32\qh4mkbv9.dll

Post a final mwav scan and HJT log.
User avatar
Daemon
Visiting Expert
Visiting Expert
 
Posts: 21
Joined: January 18th, 2005, 3:03 pm
Location: UK

Unread postby sidelines » March 23rd, 2005, 2:52 am

New Files:

MWAV File:
File C:\FOUND.005\FILE0000.CHK infected by "not-a-virus:AdWare.Searcher.h" Virus. Action Taken: No Action Taken.
File C:\FOUND.005\FILE0002.CHK infected by "not-a-virus:AdWare.Searcher.h" Virus. Action Taken: No Action Taken.
File C:\FOUND.005\FILE0004.CHK infected by "not-a-virus:AdWare.Searcher.h" Virus. Action Taken: No Action Taken.
File C:\Program Files\Iomega\AutoDisk\Setup_enu.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Iomega\System32\Win2kDrivers.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\!Submit\autoheal.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\!Submit\installer_MEDIAWHIZ3.exe infected by "Trojan-Downloader.Win32.Adload.a" Virus. Action Taken: No Action Taken.
File C:\!Submit\HDPlugin1015.dll infected by "not-a-virus:AdWare.Gator.1015" Virus. Action Taken: No Action Taken.
File C:\!Submit\setup.exe infected by "Trojan.Win32.VB.tq" Virus. Action Taken: No Action Taken.
File C:\!Submit\delprot.sys infected by "Trojan.Win32.Delprot.a" Virus. Action Taken: No Action Taken.
File C:\!Submit\qh4mkbv9.dll infected by "not-a-virus:AdWare.Sahat.l" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\msw\MSW.exe infected by "not-a-virus:AdWare.Searcher.h" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\Desktop\silipa93.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\CPQS\TOOLS\REBOOT.COM tagged as not-a-virus:Tool.DOS.Reboot. No Action Taken.

HJT File:
Logfile of HijackThis v1.99.1
Scan saved at 10:56:24 PM, on 3/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Quickenw\Qwdlls.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kavss.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\HJT\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
sidelines
Active Member
 
Posts: 13
Joined: March 20th, 2005, 3:09 pm

Unread postby Daemon » March 23rd, 2005, 3:46 am

Looks OK - how is it running now?
User avatar
Daemon
Visiting Expert
Visiting Expert
 
Posts: 21
Joined: January 18th, 2005, 3:03 pm
Location: UK

Unread postby sidelines » March 23rd, 2005, 9:51 pm

Right after the last clean-up, eTrust Pest Patrol still found BargainBuddy, but now there are others on the list including:
WinTools
Search Assistant
IST bar
Mmviewer
MidAddle
Ezula
DyFuCA.Internet Optimizer
Apropos

Here is the latest HJT list:

Logfile of HijackThis v1.99.1
Scan saved at 5:56:26 PM, on 3/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Quickenw\Qwdlls.exe
C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CA\eTrust PestPatrol\PPActiveDetection.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\CA\eTrust PestPatrol\PestPatrol5.exe
C:\Program Files\HJT\HijackThis.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/viru ... ebscan.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
sidelines
Active Member
 
Posts: 13
Joined: March 20th, 2005, 3:09 pm

Unread postby Daemon » March 24th, 2005, 3:22 am

There's no sign of anything actually running on the system and the the fixes with mwav scan should have removed anything that was lurking. Could you post the complete path to the files that are detected.
User avatar
Daemon
Visiting Expert
Visiting Expert
 
Posts: 21
Joined: January 18th, 2005, 3:03 pm
Location: UK
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 271 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware