Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Spyaxe 3.0

Unread postby lorenr » December 7th, 2005, 10:04 pm

I've run Spybot, Ad-Aware, my virus program, it just won't go away.
Here is my logfile:
Logfile of HijackThis v1.99.1
Scan saved at 8:31:14 PM, on 12/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Rar$EX00.360\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hp1C5C.tmp
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BJ Status Monitor Canon S520.lnk = C:\Documents and Settings\user\cnmss3m.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterpr ... ll_pre.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4244830328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.biz/fvlite22/fvlite.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_do ... Button.CAB
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca04.rightnowtech.com/7011-b ... a/RntX.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Please help me. :cry:
Thanks so much in advance!!!
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm

Unread postby NonSuch » December 8th, 2005, 3:50 am

Hello, lorenr. Welcome to the forums. :)

HijackThis is being run from a temporary folder; this means that any backups it creates as a result of fixes made with it will be lost. Please create a new folder for it and place the program into that new folder. Either copy the file HijackThis.exe and paste it into a new folder on your desktop, or create a folder such as C:\HJT\ (or a similar name) and copy and paste the file, HijackThis.exe, into that new folder. In any case, it must be moved or you will very likely end up with no backups and they may be needed. Do this before you do anything further!

Please print out a copy of these instructions or copy them into a text file in Notepad so that you will have them available to you. You will not be able to access them online while performing the required fixes in safe mode, and you must keep all browser windows closed during the fix.

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Download CCleaner from here to clean temp files from your computer. This should make the scans go somewhat faster.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click on "Options" at the top of the window, then click on the "Advanced" button. Deselect "Only delete files in Windows Temp folders older than 48 hours." Click on "OK."
  • Click Run Cleaner to run the program.
  • Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.


Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Enable the "
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

Unread postby lorenr » December 10th, 2005, 1:08 am

NonSuch,
You are my Hero!! :D I think I have SpyAxe licked, thanks to you. It wasn't easy for a novice like me, but your instructions (with a few exceptions) were excellent. I ran Panda ActiveScan (though I couldn't create the shortcut) after following your instructions and it came out zero infections. It didn't offer to save a copy, though.
Attached are the new HijackThis log, the smitfiles and the Ewido log per your request. Let me know if you see anything else.
Thanks so so much for your help. I will be sending a donation soon.
Lorenr
Logfile of HijackThis v1.97.7
Scan saved at 11:48:03 PM, on 12/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\my download files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BJ Status Monitor Canon S520.lnk = C:\Documents and Settings\user\cnmss3m.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra button: TREND MICRO HouseCall (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc ... /swdir.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://download.microsoft.com/download/ ... 3934473062
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4244830328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... scan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_do ... Button.CAB
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - http://fpdownload.macromedia.com/get/sh ... rashim.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc ... wflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 12/09/2005
The current time is: 18:33:09.60

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1740 'explorer.exe'

Starting registry repairs

Deleting files


Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~


~~~ Upon reboot ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:10:06 PM, 12/9/2005
+ Report-Checksum: 687DA64A

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{C19EB5B1-FC58-456E-8793-384532ED5970} -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-746137067-1606980848-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@cz11.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup


::Report End
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm

Unread postby NonSuch » December 10th, 2005, 4:06 am

You're very welcome. :)

However, before I can give you an "all clear," I'm going to need to see a new HijackThis log. If you look at the header of the first log you posted, you will see it was generated with HijackThis 1.99.1.... that's the current version. Alas, this last log you posted came from HijackThis version 1.97.7. That version is so old it probably has moss growing on it. :lol: Unfortunately, the log it creates leaves too much out, so I will need to see a log made with version 1.99.1.

Please delete HijackThis version 1.97.7 from your system. According to the file path (C:\Documents and Settings\user\Desktop\my download files\HijackThis.exe) it appears to be located on your Desktop in a folder named "my download files." Evidently, the newer version was deleted, and you will need to download it again.

Download HijackThis to your Desktop. Right click on the zip file and select "Extract all." Allow it to extract to the Desktop. It will create its own folder named "HijackThis." Delete the zip folder as you will no longer need it. Double click on the HijackThis folder to open it, then double click on the HijackThis icon to start the program. Scan with HijackThis and create a new log. Post your new log into this same thread and we'll have a look to make sure it is all clean. :)

I'm pretty sure your system is clean now, but I can't be positive until I see a complete log. :)
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
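As an added example (not code from this thread, from HijackThis, or from any tool the forum uses), the Python script below parses lines in the HijackThis 1.99.1 log format and flags the points NonSuch raised: the about:blank search hijack and the O2 BHO loading from a .tmp file in the first log, HijackThis itself running from a Temp folder (so its backups would be lost), and a log produced by an older HijackThis build than 1.99.1, which omits sections. The sample lines are constructed for the example and modelled on the logs posted above; the heuristics and the function names are the example's own assumptions.

```python
"""HijackThis log triage (added example). Parses the sections of a HijackThis
1.99.1-style log and flags the indicators raised in this thread. The sample
lines and the heuristics are constructed for this example; they are not part
of HijackThis or of any tool used on the forum."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Version the helper asked for; older builds omit sections of the log.
CURRENT_HJT_VERSION: Tuple[int, ...] = (1, 99, 1)

# Constructed sample, modelled on the first log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:31:14 PM, on 12/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Rar$EX00.360\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O2 - BHO: HomepageBHO - {724510c3-f3c8-4fb7-879a-d99f29008a2f} - C:\WINDOWS\system32\hp1C5C.tmp
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
"""

VERSION_RE = re.compile(r"^Logfile of HijackThis v(?P<ver>[\d.]+)")
ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.*)$")


@dataclass
class HjtLog:
    version: Optional[str] = None
    processes: List[str] = field(default_factory=list)
    entries: List[Dict[str, str]] = field(default_factory=list)


def parse_hjt(text: str) -> HjtLog:
    """Split a log into header version, running-process list and typed entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        m = VERSION_RE.match(line)
        if m:
            log.version = m.group("ver")
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if line:
                log.processes.append(line)
            else:
                in_processes = False  # a blank line ends the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.entries.append({"type": m.group("type"), "body": m.group("body")})
    return log


def version_tuple(version: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in version.split("."))


def triage(log: HjtLog) -> List[str]:
    """Return human-readable findings for the indicators discussed in the thread."""
    findings: List[str] = []
    if log.version and version_tuple(log.version) < CURRENT_HJT_VERSION:
        findings.append(f"outdated HijackThis {log.version}: log omits sections, rescan with 1.99.1")
    for proc in log.processes:
        low = proc.lower()
        # HijackThis started from a Temp folder: its fix backups land there and get lost.
        if low.endswith("hijackthis.exe") and "\\temp\\" in low:
            findings.append("HijackThis runs from a Temp folder: its backups will be lost, move it to its own folder")
    for entry in log.entries:
        kind, body = entry["type"], entry["body"]
        # R0/R1 search or start-page settings pointed at about:blank (the hijack seen in the first log).
        if kind in ("R0", "R1") and body.endswith("= about:blank"):
            setting = body.rsplit(",", 1)[-1].split(" = ")[0]
            findings.append(f"{kind} {setting} hijacked to about:blank")
        # O2 browser helper object whose module is a .tmp file rather than a registered DLL.
        if kind == "O2":
            path = body.rsplit(" - ", 1)[-1]
            if path.lower().endswith(".tmp"):
                findings.append(f"O2 BHO loads from a .tmp file: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

Run it on a saved log by passing the file's contents to `parse_hjt`; the findings are triage hints for a human reviewer, not a verdict, since a legitimate entry can also match a heuristic.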

Unread postby lorenr » December 10th, 2005, 1:30 pm

NonSuch,
OK, below is the v.1.99.1 log file. As info, I did a Spybot scan and it said I was infected with Smitfraud-C. I guess I spoke too soon.
Also, I have a question about Netropa. What is it, can I get rid of it, and how do I get rid of it?
Thanks again for your help!!!

Logfile of HijackThis v1.99.1
Scan saved at 11:56:46 AM, on 12/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Netropa\Onscreen Display\OSD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\QUICKENW\QWDLLS.EXE
C:\WINDOWS\explorer.exe
C:\DOCUME~1\user\LOCALS~1\Temp\Rar$EX00.156\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StopSignStatus] Rundll32.exe "C:\Program Files\Common Files\eAcceleration\Installer\stopsinfo.dll",VerifyStatus
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: BJ Status Monitor Canon S520.lnk = C:\Documents and Settings\user\cnmss3m.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterpr ... ll_pre.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/download/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/Shar ... vSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/Shar ... /cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... ient/muweb_site.cab?1124244830328
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2005 ... com/housecall/xscan53.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_do ... seCallButton.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm

Unread postby NonSuch » December 11th, 2005, 2:14 am

Here's information on Netropa. You may be able to remove it through Add/Remove Programs, but I think you should be very cautious and make sure that this is not something you need before you remove it; otherwise, you may end up crippling something on your system. I have provided links to further information below.

The following entry in your running processes indicates a Multimedia Keyboard:

C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe

This entry is for the Netropa On Screen Display:

C:\Program Files\Netropa\Onscreen Display\OSD.exe

Further information:

http://sitebilder.com/hosting/privacy/articles/hp.php

http://www.netropa.com/download/mmkbd/download.html

http://www.bleepingcomputer.com/startup ... -3932.html

http://www.liutilities.com/products/win ... brary/osd/

http://www.intellinav.com/

There is absolutely nothing remaining in your log to indicate the presence of Smitfraud. Perhaps Spybot S&D is picking up a registry remnant or it may be picking up the components of the SmitRem tool which was used to remove Smitfraud/SpyAxe, and mistaking it for the infection itself. Did Spybot S&D give you the names and locations of the files where it found SmitFraud?

Go here to perform an online scan with the Kaspersky Online Scanner and post the log of what it finds.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

Unread postby lorenr » December 11th, 2005, 4:29 pm

OK, now this is really getting scary. Attached is the Kaspersky logfile.
Where is all this stuff coming from? :cry: :cry: :cry:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, December 11, 2005 15:25:46
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 11/12/2005
Kaspersky Anti-Virus database records: 154565
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 41920
Number of viruses found: 25
Number of infected objects: 162
Number of suspicious objects: 4
Duration of the scan process: 1820 sec

Infected Object Name - Virus Name
C:\Program Files\Norton AntiVirus\Quarantine\00AF5673.tmp Infected: Trojan.Win32.Alfora
C:\Program Files\Norton AntiVirus\Quarantine\00C62E3C Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\01940359 Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\02B176C2 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\02BD7012 Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\031C31AA Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\04B431E9 Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\05F11A8C Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\06F0209B.class Infected: Trojan.Java.ClassLoader.Dummy.e
C:\Program Files\Norton AntiVirus\Quarantine\06F67494.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\08A333BF Infected: Trojan.Java.Femad
C:\Program Files\Norton AntiVirus\Quarantine\09963BB4 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\0AFF4171 Infected: Trojan.Java.ClassLoader.Dummy.c
C:\Program Files\Norton AntiVirus\Quarantine\0B69357B Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\0DC86BC7.class Infected: Trojan.Java.ClassLoader.Dummy.e
C:\Program Files\Norton AntiVirus\Quarantine\0F5A6689 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\0F5B0965 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\1185470C Infected: Trojan.Java.ClassLoader.b
C:\Program Files\Norton AntiVirus\Quarantine\143476DB Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\156E686F Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\173D7F83 Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\18B131EA Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\197C5D0B Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\1AAF47B9 Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\1B11334D Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\1B8370F9.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\1B8A44F2.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\1BC438B1.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\1BCF1CFF Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\1C162F23 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\1C6C2336 Infected: Trojan-Downloader.Java.OpenStream.d
C:\Program Files\Norton AntiVirus\Quarantine\1CA25F93 Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\1D4763DF Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\1DC147FA Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\1DDC1E3A Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\1E7A1654 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\1F405F79 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\20A13017 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\20F56AF7 Infected: Trojan.Java.ClassLoader.b
C:\Program Files\Norton AntiVirus\Quarantine\20FC47B3 Infected: Trojan.Java.ClassLoader.o
C:\Program Files\Norton AntiVirus\Quarantine\214F1048 Infected: Trojan.Java.Needy.c
C:\Program Files\Norton AntiVirus\Quarantine\23F51DFE Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\24A659AB Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\24C43499.htm Infected: Trojan.VBS.StartPage.a
C:\Program Files\Norton AntiVirus\Quarantine\25491F4C Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\25EC1839.class Infected: Trojan.Java.ClassLoader.Dummy.e
C:\Program Files\Norton AntiVirus\Quarantine\2606681D.class Infected: Trojan.Java.ClassLoader.Dummy.c
C:\Program Files\Norton AntiVirus\Quarantine\26106612.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\27023113 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\2A8D4611 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\2F0833C2 Infected: Trojan.Java.ClassLoader.b
C:\Program Files\Norton AntiVirus\Quarantine\30870DA6 Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\309745BE Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\30F9260D Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\30FC500A Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\31B04AF4 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\31E4750B Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\324E1540 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\32825094 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\32D61801 Infected: Trojan-Downloader.Java.OpenStream.d
C:\Program Files\Norton AntiVirus\Quarantine\333C59BF Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\334E297C Infected: Trojan-Downloader.Java.OpenConnection.k
C:\Program Files\Norton AntiVirus\Quarantine\352454B9 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\35267604 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\362A6657 Infected: Trojan-Downloader.Java.OpenConnection.l
C:\Program Files\Norton AntiVirus\Quarantine\373B18E7 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\388125D8 Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\388A5B17 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\38FD3DAA Infected: Trojan.Java.Shiwow
C:\Program Files\Norton AntiVirus\Quarantine\3954460E Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\3B694FA2.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\3C0E725F Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\3CBF0719 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\3ED601CF Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\3ED74C4B.class Infected: Trojan.Java.ClassLoader.Dummy.e
C:\Program Files\Norton AntiVirus\Quarantine\3EDB7648.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\3FE2634D Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\3FE73530.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\40731ED2 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\409345F2 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\416F0078 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\42A915D7.class Infected: Trojan.Java.ClassLoader.Dummy.c
C:\Program Files\Norton AntiVirus\Quarantine\43183B16.js Infected: Exploit.JS.ActiveXComponent
C:\Program Files\Norton AntiVirus\Quarantine\431B5359.class Infected: Trojan.Java.StartPage.b
C:\Program Files\Norton AntiVirus\Quarantine\431E0F0F.js Infected: Exploit.JS.ActiveXComponent
C:\Program Files\Norton AntiVirus\Quarantine\433D4859 Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\43661907.class Infected: Trojan.Java.ClassLoader.b
C:\Program Files\Norton AntiVirus\Quarantine\436A0A26 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\436E3422 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\44483131 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\444F5271 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\44516804.class Infected: Trojan.Java.ClassLoader.Dummy.c
C:\Program Files\Norton AntiVirus\Quarantine\446134A2 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\44A62D9A Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\44CF749F Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\454B3016 Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\458733A9 Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\45B03BA6 Infected: Trojan.Java.ClassLoader.b
C:\Program Files\Norton AntiVirus\Quarantine\461174F8 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\463F7308 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\46470BAC Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\474945E6 Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\47A92880 Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\47AE1621 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\47F61042.css Infected: Trojan-Clicker.Win32.Axec
C:\Program Files\Norton AntiVirus\Quarantine\47F93A3E.exe Infected: Trojan-Clicker.Win32.Axec
C:\Program Files\Norton AntiVirus\Quarantine\48413CD5 Infected: Trojan.Java.ClassLoader.Dummy.c
C:\Program Files\Norton AntiVirus\Quarantine\491A6444 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\493C135C Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\4985341B Infected: Trojan.Java.ClassLoader.Dummy.e
C:\Program Files\Norton AntiVirus\Quarantine\49934732 Infected: Trojan-Downloader.Java.OpenStream.d
C:\Program Files\Norton AntiVirus\Quarantine\4A04198F Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\4A563335 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\4B687A07 Infected: Trojan.Java.Shiwow
C:\Program Files\Norton AntiVirus\Quarantine\4E0F16E1 Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\4E400CE6 Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\4ED6522B Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\4EEF03DB Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\4F396895.js Infected: Exploit.JS.ActiveXComponent
C:\Program Files\Norton AntiVirus\Quarantine\4F43668A.js Infected: Exploit.JS.ActiveXComponent
C:\Program Files\Norton AntiVirus\Quarantine\500D0FC6 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\525461C5.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\52BD04D0 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\59B60542.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\5ABA7EAB Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\5C426B69 Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\5E4F5F36 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\5ED94B13.class Infected: Trojan.Java.Nocheat
C:\Program Files\Norton AntiVirus\Quarantine\5EEC46FD.htm Infected: Trojan.JS.Seeker
C:\Program Files\Norton AntiVirus\Quarantine\607D6140 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\61084712 Infected: Trojan.Java.Shiwow
C:\Program Files\Norton AntiVirus\Quarantine\633E3983 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\63F50AA5 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\64B01CD3 Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\656B1A60 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\658B426D Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\660F3423 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\66E544F8 Infected: Trojan-Downloader.Java.OpenStream.d
C:\Program Files\Norton AntiVirus\Quarantine\67AB188F Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\686B2ABD Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\6A544C5E Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\6ABB6542 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\6B977FC5 Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\6C101140 Infected: Trojan.Java.ClassLoader.Dummy.c
C:\Program Files\Norton AntiVirus\Quarantine\6C7850CD Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\6D906E8D.class Infected: Trojan.Java.Nocheat
C:\Program Files\Norton AntiVirus\Quarantine\6DA253D6 Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\6DEE3A1A Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\6E335689.htm Infected: Trojan.JS.Seeker
C:\Program Files\Norton AntiVirus\Quarantine\6E5218C4 Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\6F7E705D Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\6FAF2544 Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\72AF2099 Infected: Trojan.Java.StartPage.g
C:\Program Files\Norton AntiVirus\Quarantine\736F5D23 Infected: Trojan.Java.ClassLoader.Dummy.e
C:\Program Files\Norton AntiVirus\Quarantine\751364C6 Infected: Trojan.Java.ClassLoader.Dummy.c
C:\Program Files\Norton AntiVirus\Quarantine\754C3E0A Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\797D18C6 Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\7A955D79.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\7C421F34 Infected: Trojan-Downloader.Win32.IstBar.s
C:\Program Files\Norton AntiVirus\Quarantine\7C5C4984.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\7F3157F9 Infected: Trojan-Downloader.Win32.IstBar.s
C:\System Volume Information\_restore{EC280EEC-AB63-452F-B94A-74A3BB83BECD}\RP88\A0021073.tlb Infected: Trojan.Win32.Puper.bq
C:\System Volume Information\_restore{EC280EEC-AB63-452F-B94A-74A3BB83BECD}\RP88\A0021095.tlb Infected: Trojan.Win32.Puper.bq
C:\System Volume Information\_restore{EC280EEC-AB63-452F-B94A-74A3BB83BECD}\RP88\A0021122.tlb Infected: Trojan.Win32.Puper.bq
C:\System Volume Information\_restore{EC280EEC-AB63-452F-B94A-74A3BB83BECD}\RP88\A0021133.tlb Infected: Trojan.Win32.Puper.bq
C:\System Volume Information\_restore{EC280EEC-AB63-452F-B94A-74A3BB83BECD}\RP88\A0021142.exe Infected: Trojan.Win32.Puper.bq

Scan process completed.
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm

Unread postby NonSuch » December 11th, 2005, 5:36 pm

Actually, believe it or not, that's a very good scan result :).....

The final five lines are showing the Smitfraud infection. However, the file path for the infection (C:\System Volume Information\_restore) shows that it's located in a System Restore point. That's no problem at all... we only need to clear out your system restore points and set a new one, which is something we always do at the end of a clean up anyway, just to make sure there's nothing left in there.

All the other lines that come before the final five are pointing to infections that have been quarantined by your Norton Antivirus and are still sitting there in quarantine. Just open Norton AV and delete all those quarantined files and the infections will be gone.

I would suggest you clear your restore points now:

  • Turn off System Restore.
    • Right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
  • Reboot.
  • Turn ON System Restore.
    • Right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Un-Check *Turn off System Restore.*
    • Click Apply, and then click OK.
  • Set a new system restore point.
Then just clean out your Norton Antivirus quarantine and you're in good shape! :)

After following the above steps, you should have a clean system. In order to help keep it that way, please take a few minutes to read the following article, which provides tips for securing your system and links to free anti-malware tools as well.

http://www.malwareremoval.com/forum/viewtopic.php?t=4959
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
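The triage NonSuch applies above (detections inside a System Restore point or an antivirus quarantine folder are inert copies; anything else is a live infection) can be automated over the scanner's own text output. The following is an added example written for this thread, not a tool from the forum or from Kaspersky. It assumes the report keeps the one-line `<path> Infected|Suspicious: <name>` layout shown above; the Norton quarantine path is taken from the report, other products use other folders, and the sample report is constructed from a handful of lines on this page plus one placeholder "live" path.

```python
"""Classify detections from a Kaspersky On-line Scanner report by where they sit.

Added example for this thread (not the scanner's or the forum's own tooling).
Rule applied, as in the helper's reply: files inside System Restore points or
inside an AV quarantine cannot run on their own, so only hits in ordinary
paths count as a live infection needing hands-on cleanup.
"""
import re
from collections import Counter

# One detection line: "<path> Infected: <name>" or "<path> Suspicious: <name>"
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<name>\S+)\s*$"
)

# Locations whose contents are inert copies. The quarantine path is the one
# in the report; extend this table for other AV products (assumption).
INERT_PREFIXES = {
    "system_restore": r"^[a-z]:\\system volume information\\_restore",
    "av_quarantine": r"^[a-z]:\\program files\\norton antivirus\\quarantine\\",
}

# What the thread recommends for each location class.
ACTIONS = {
    "av_quarantine": "delete the items from inside the AV product's quarantine manager",
    "system_restore": "purge restore points: turn System Restore off, reboot, "
                      "turn it back on and create a fresh restore point",
    "live": "hands-on cleanup needed: the file sits in a normal path and can still run",
}


def classify_path(path):
    """Return 'system_restore', 'av_quarantine' or 'live' for a file path."""
    low = path.lower()
    for label, pattern in INERT_PREFIXES.items():
        if re.match(pattern, low):
            return label
    return "live"


def parse_report(text):
    """Extract every detection line; headers and statistics lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hit = m.groupdict()
        hit["location"] = classify_path(hit["path"])
        hits.append(hit)
    return hits


def triage(text):
    """Summarise a report: counts per location, live hits, detection families."""
    hits = parse_report(text)
    return {
        "total": len(hits),
        "by_location": dict(Counter(h["location"] for h in hits)),
        "live": [h for h in hits if h["location"] == "live"],
        "families": Counter(h["name"] for h in hits),
    }


def recommended_actions(summary):
    """Map each location class present in the summary to the thread's advice."""
    return {loc: ACTIONS[loc] for loc in summary["by_location"]}


# Constructed sample: five lines copied from the report above plus one
# placeholder path standing in for a hit outside quarantine/restore points.
SAMPLE_REPORT = r"""
Infected Object Name - Virus Name
C:\Program Files\Norton AntiVirus\Quarantine\00AF5673.tmp Infected: Trojan.Win32.Alfora
C:\Program Files\Norton AntiVirus\Quarantine\3B694FA2.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\43183B16.js Infected: Exploit.JS.ActiveXComponent
C:\System Volume Information\_restore{EC280EEC-AB63-452F-B94A-74A3BB83BECD}\RP88\A0021073.tlb Infected: Trojan.Win32.Puper.bq
C:\System Volume Information\_restore{EC280EEC-AB63-452F-B94A-74A3BB83BECD}\RP88\A0021142.exe Infected: Trojan.Win32.Puper.bq
C:\Documents and Settings\EXAMPLE-USER\Local Settings\Temp\EXAMPLE-live-sample.exe Infected: Trojan.Win32.Puper.bq

Scan process completed.
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("detections:", summary["total"], "by location:", summary["by_location"])
    for loc, action in recommended_actions(summary).items():
        print(f"{loc}: {action}")
    for h in summary["live"]:
        print("LIVE:", h["path"], "->", h["name"])
```

Run against the full report pasted in this thread, the function puts every line under `av_quarantine` or `system_restore` and leaves the live list empty, which is exactly why the reply calls it "a very good scan result". The families counter is a quick way to see that one Puper variant accounts for all the restore-point hits.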

Unread postby lorenr » December 11th, 2005, 6:12 pm

OK, one more question. How do I set a new system restore point?
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm

Another Question

Unread postby lorenr » December 11th, 2005, 6:28 pm

Oops, sorry, another question, do I need to go back and recheck or uncheck things like "show hidden files and folders" or anything else?
Thanks
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm

Unread postby NonSuch » December 11th, 2005, 6:28 pm

Yes, go back and rehide the system files/folders.

For a new restore point, first open System Restore... Start > All Programs > Accessories > System Tools > System Restore. Select "Create a Restore Point" click "Next" and follow the instructions from there. :)
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

Thanks For All Your Help!

Unread postby lorenr » December 11th, 2005, 6:45 pm

NonSuch,
Again, thank you so much for all of your help. Not only is my computer as clean as it was the day I got it, but I have learned so much. You have been a Lifesaver. A donation is forthcoming.
Happy Holidays!!
Lorenr
lorenr
Regular Member
 
Posts: 77
Joined: December 7th, 2005, 9:41 pm

Unread postby NonSuch » December 11th, 2005, 6:50 pm

You're very welcome, Lorenr!

Happy Holidays to you. :)
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

Unread postby NonSuch » December 12th, 2005, 12:44 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California