please review this HiJackThis log


Post by mjgillen » June 18th, 2005, 9:39 am

Good morning NonSuch!

NO, I never found the Service we are seeking.
I did run the JavaCool tool but it did not fix the runtime error. I still get it :-(

I completed the virus scan with 296 Trojans found, but TrendMicro deleted them all for me :-)

Here is the latest HJT log.

Advice: If I can't get into husband's account in Safe Mode, how about non-safe mode? Why doesn't it show up on the login screen (WinXP Home) in safe mode?

Tia!
Michael

Logfile of HijackThis v1.99.1
Scan saved at 6:38:26 AM, on 6/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1713182A-5092-DD29-01DB-F0D69793396C} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
mjgillen
Regular Member
Posts: 35
Joined: June 15th, 2005, 1:51 pm
Location: Solana Beach

Post by mjgillen » June 18th, 2005, 2:55 pm

OK, here's the latest:

I followed the instructions in the AboutBuster 5.0 txt file to fix the runtime error as follows:


~ Problem: Error 339 Missing comctl32.ocx
~ Solution: Download file from

http://www.ascentive.com/support/new/im ... MCTL32.OCX

Copy it into your system folder (Windows XP, 2000, NT = C:\Windows\System32) or (Win ME, 98, 95 = C:\Windows\System) and register it.

Although I didn't register it, the error went away.

Logged into husband's account (not safe mode) and deleted temp files in \local settings\

Went into safe mode and did all you suggested.
When I restarted in normal mode and ran TrendMicro's HouseCall, it didn't find anything, although Norton AntiVirus posted several alerts about Trojans.

Here's the latest AboutBuster and HJT logs:

AboutBuster 5.0 reference file 30
Scan started on [6/18/2005] at [7:23:46 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:drarxr
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:drqnhb
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:dvtir
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:eabkh
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:ecfla
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:efyus
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:egeyg
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:ehtvkh
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:ekhfth
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:encdos
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:eqtlz
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:24:13 AM


AboutBuster 5.0 reference file 30
Scan started on [6/18/2005] at [7:46:57 AM]
------------------------------------------------
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:esbrj
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:esetes
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:ezmzpy
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:fdvfqi
Removed Stream! C:\WINDOWS\{DC6601BC-5196-4809-8C32-91E016F38133}.dat:fekyue
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 7:47:33 AM


Logfile of HijackThis v1.99.1
Scan saved at 11:56:15 AM, on 6/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [HcTSC] C:\WINDOWS\TSC.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

We still have crazywinnings.com

Thanks,
Michael

Post by NonSuch » June 18th, 2005, 3:56 pm

Michael,

That's looking much better!

Yes, it's fine to remove the temp files from the husband's account while in normal mode. I'm really not sure why it can't be accessed in safe mode. Also, delete the files in that account's prefetch folder.

To get rid of crazywinnings...

Download: DelDomains.inf - Right-click and select: Save Target As
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

Because this will remove all entries in both the Trusted Zone and the Restricted Zone, any program, tool, or settings that were previously used to set restrictions will need to be reset. For instance, if it's being used, IE-SPYADS will have to be reinstalled; if Spybot's "Immunize" feature is used, you will need to reimmunize; and if you're using SpywareBlaster, open it and select "Enable all protection" again.

Reboot. Scan with HijackThis and post a fresh log. :)
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
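
The two HijackThis logs posted above differ in only a few lines, and the reply singles out the O15 Trusted Zone entry as the item still to remove. The Python script below is an added example written for this thread; it is not part of HijackThis, MalwareRemoval.com, or any tool the posters used. It parses the log layout seen above (the "Running processes:" block followed by `Onn - ` entries), diffs two scans of the same machine, and flags the entry types a helper checks first: O15 Trusted Zone sites, O2 BHOs registered with no backing file, and RunOnce autostarts. The two embedded logs are constructed excerpts of the 6:38 AM and 11:56 AM scans above, and the flagging rules are this example's own reviewer heuristics, not anything HijackThis itself computes.

```python
"""Parse HijackThis v1.99 logs, diff two scans, and flag entries worth a second look.

Added example for this thread; not code from HijackThis or MalwareRemoval.com.
The flagging rules are simple reviewer heuristics (an assumption of this
example), not anything HijackThis itself does.
"""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]           # (section such as "O15", rest of the line)

# Every HJT finding line looks like "O<number> - <body>".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text: str) -> Tuple[List[str], List[Entry]]:
    """Return (running processes, entries) from the text of one HJT log."""
    processes: List[str] = []
    entries: List[Entry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process block
            in_procs = False
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def flag_entries(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Return (section, body, reason) for the entries a helper checks first."""
    flagged = []
    for section, body in entries:
        if section == "O15":
            flagged.append((section, body,
                            "Trusted Zone site: pages from it run with relaxed IE security"))
        elif section == "O2" and "(no file)" in body:
            flagged.append((section, body,
                            "BHO registered with no backing file: leftover of a removed DLL"))
        elif section == "O4" and "RunOnce" in body:
            flagged.append((section, body,
                            "RunOnce autostart: confirm it is an expected cleanup or installer step"))
    return flagged


def diff_logs(old_text: str, new_text: str) -> Dict[str, list]:
    """Show what changed between two scans of the same machine."""
    old_p, old_e = parse_hjt(old_text)
    new_p, new_e = parse_hjt(new_text)
    return {
        "removed_entries": sorted(set(old_e) - set(new_e)),
        "added_entries": sorted(set(new_e) - set(old_e)),
        "removed_processes": sorted(set(old_p) - set(new_p)),
        "added_processes": sorted(set(new_p) - set(old_p)),
    }


# Constructed excerpts of the 6:38 AM and 11:56 AM scans posted in this thread.
LOG_0638 = r"""Logfile of HijackThis v1.99.1
Scan saved at 6:38:26 AM, on 6/18/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1713182A-5092-DD29-01DB-F0D69793396C} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
"""

LOG_1156 = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:56:15 AM, on 6/18/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [HcTSC] C:\WINDOWS\TSC.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
"""

if __name__ == "__main__":
    for key, items in diff_logs(LOG_0638, LOG_1156).items():
        for item in items:
            print(f"{key}: {item}")
    for section, body, reason in flag_entries(parse_hjt(LOG_1156)[1]):
        print(f"CHECK {section} - {body}\n      {reason}")
```

Run on the two excerpts, the diff shows the orphaned O2 BHO gone and a RunOnce entry added between scans, while the O15 line is flagged in both, which is exactly the remaining item the reply addresses. Diffing scans rather than reading each one from scratch is what makes a repeated "post a fresh log" loop efficient: only the lines that changed need attention.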

Post by mjgillen » June 18th, 2005, 4:08 pm

NonSuch,

I uninstalled Spybot cuz I couldn't figure out how to turn off TeaTimer in the new 1.4 version - it's different than 1.3.

Anyway, steps done. Here's the new HJT log. It looks clean to my untrained eyes :)

Michael

Post by NonSuch » June 18th, 2005, 4:33 pm

Oooops! No log?

Post by mjgillen » June 18th, 2005, 4:35 pm

Doh!

Logfile of HijackThis v1.99.1
Scan saved at 1:05:14 PM, on 6/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJackThis\HijackThis.exe
C:\WINDOWS\System32\imapi.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Post by NonSuch » June 18th, 2005, 5:15 pm

Yes!!! Clean log! Good job, Michael!

Here are our standard Malware Removal Forum recommendations for keeping a system protected...

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  1. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
    You can find instructions on how to disable and re-enable System Restore here:
    Managing Windows Millennium System Restore
    or
    Windows XP System Restore Guide
    Re-enable System Restore using the instructions in the tutorial above.
  2. Make your Internet Explorer more secure - This can be done by following these simple instructions:

    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.

      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialise and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Use an Anti Virus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some online and stand-alone anti-virus programs:
    Computer Safety On line - Anti-Virus
  4. Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  5. Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. For an article on firewalls and a listing of some available ones see the link below:
    Computer Safety On line - Software Firewalls
  6. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  7. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with anti-virus software. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  8. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  9. Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  10. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Post by mjgillen » June 18th, 2005, 6:04 pm

Thanks NonSuch! :D :wav:

This is not my computer, and I already turned off system restore when I first started cleaning it up. However, I will pass along the recommendations to the owner, although she doesn't understand MalWare as well as I do, which is not as much as many on this site.

I have some questions for you but I think I'll ask them in the Debating Chamber unless you think I should ask them here.

My warm wishes for you and your family and I hope that the rest of your weekend is fabulous, as mine will be.

I will stay in touch, as I am a Trainee now.

Peace,
Michael

Post by mjgillen » June 18th, 2005, 7:40 pm

Well, I reinstalled Spybot and when I ran it, it found CoolWWWSearch.Aff.Winshow and removed it. Is this a big threat?

Also, while SB was running, NAV kept giving me warnings about Trojans.

What should I do, if anything?

Thanks,
Michael

Post by NonSuch » June 18th, 2005, 8:57 pm

It sounds like Spybot S&D is doing its job and just cleaned up some leftovers. NAV may have been reacting to Spybot S&D. Sometimes an AV will mistake something in Spybot S&D's definitions for actual malware when in fact it's not. However, it won't hurt a bit to download and install Ewido and perform a scan. It's compatible with NAV, so there should be no conflicts...

Please download, install, update and scan your system with the free version of Ewido trojan scanner:
  1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  3. From the main ewido screen, click on update in the left menu, then click the Start update button.
  4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
  5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  6. When the scan finishes, click on "Save Report". This will create a text file. If you feel there may still be problems and/or issues, please then paste the contents of the text file to this thread, along with a new HijackThis log and I'll have a look at it.


Hopefully, all will be well, and you'll be able to relax and enjoy your week-end. :)

Post by mjgillen » June 18th, 2005, 11:29 pm

Thanks NonSuch. I'll try in the morning and let you know.

Thanks again!
Michael

Post by mjgillen » June 19th, 2005, 10:48 am

Well, some more stuff...

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:47:05 AM, 6/19/2005
+ Report-Checksum: A990384A

+ Date of database: 6/19/2005
+ Version of scan engine: v3.0

+ Duration: 29 min
+ Scanned Files: 55171
+ Speed: 31.22 Files/Second
+ Infected files: 168
+ Removed files: 168
+ Files put in quarantine: 168
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Kathy\Cookies\kathy@bluestreak[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Kathy\Cookies\kathy@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\HiJackThis\backups\backup-20050616-193302-437.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\748D409D-BDA6-4363-9EF2-9890A8\3F258855-1BED-40FC-A3B6-048D45 -> TrojanDropper.Tibsis.b -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7FDAF75B-06CD-429F-9BE6-102A04\0FEB4BB9-DB32-4963-8FBC-FC2DB3 -> Spyware.WebRebates.d -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7FDAF75B-06CD-429F-9BE6-102A04\A71A8B22-0C03-4643-91D0-139143 -> Spyware.WebRebates.c -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C17ECB23-CFF7-402B-8C77-97E233\D45321CB-2BA5-4D69-A485-3A3759 -> Spyware.NoName -> Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C7EBAD50-855B-4800-9757-845AEE\75EBF4FD-BB7F-4BFF-831E-E11E0A -> Spyware.DealHelper.aa -> Cleaned with backup
C:\WINDOWS\addbd.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\addco.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\addds.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\addhx.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\addjc32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\addji32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\apinq32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\apivu.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\apiyb32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\apiyp.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\appja32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\appjd.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\apptk32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\atldb32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\atldq32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\atlek.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\atloq32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\atlvr32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\atlvu.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\crbz32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\crdu32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\crnq.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\crpa.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\crpd.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\crud.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\cruu32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\crwq32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\d3aj32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\d3ro32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\d3tm.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\iejp.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\iekv.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\ieme32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\iepf32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\iepx32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\ipjr32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\ipoa32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\ipwf32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\javaax32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\javadh32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\javaow32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\javaxx32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\javazr32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\mfchc32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\mfcxo32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\mfcyv.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\mscx32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\msfh.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\msqo32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\msqu.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\msqw32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\mswp32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\msyw32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\netha32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\netwp32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\ntxw32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\n_acvywk.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\n_cwymbz.txt -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\n_dwsezj.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\n_eqcizb.txt -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\n_exbyrf.txt -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\n_lcgien.txt -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\n_lmkwlu.log -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\n_pzajgn.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\n_qbhjhb.log -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\n_smllnx.dat -> TrojanDownloader.Agent.oq -> Cleaned with backup
C:\WINDOWS\n_tkmyma.txt -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\n_ujyrhd.dat -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\n_vgmxxb.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\n_wxxfff.txt -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\n_xorjfy.log -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\n_xtkpns.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\n_xzuzub.log -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\n_ysstzv.log -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\n_zpfbgu.dat -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\sdkdy32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\sdkhf32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\sdkrs32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\sdkui.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\sdkzb32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\snbho.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\sysdz.exe -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\syslx.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\syson.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\sysst32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\systc32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\addaz32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\addip.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\addty32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\addyz32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\apiak32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\apiex.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\apigk.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\apiil32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\apivj32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\apphl32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\apppo.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\appyr32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\atlih.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\atlze.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\crbw32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\crkw32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\crsf.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\SYSTEM32\d2kpax.exe -> Dialer.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\d3ex32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\d3wu.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ieat.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\iens32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\iesq32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ieui.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\iewx.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipbj.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipbk.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipbr.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipcj.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipfo32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipit32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\iprx.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipsp.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipti32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipvk32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipvt32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ipxy32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\javajq.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\javatm32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\javaut32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\javavo.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcaq.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\mfceb.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcfq32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcir.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcpd.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcsd32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\mscr32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\mskz.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\mspv.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\SYSTEM32\nettv.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\netzk.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ntfq32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkhe.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sdknb.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sdknz32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sdksy.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sdktb32.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkve.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sysnu32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sysxx32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\SYSTEM32\winda.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\winem.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\winfm.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\winfo.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wingt.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\winvd.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\winwl32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup
C:\WINDOWS\SYSTEM32\winyd32.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wіnword.exe -> TrojanDownloader.PurityScan.k -> Cleaned with backup
C:\WINDOWS\windo32.exe -> TrojanDownloader.Agent.bq -> Cleaned with backup
C:\WINDOWS\winlu.exe -> Trojan.Agent.bi -> Cleaned with backup
C:\WINDOWS\winrq.dll -> Trojan.Feat -> Cleaned with backup
C:\WINDOWS\wints32.dll -> TrojanDownloader.Agent.bc -> Cleaned with backup


::Report End


and the HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:49:03 AM, on 6/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HiJackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HPAIO_PrintFolderMgr] C:\WINDOWS\System32\spool\DRIVERS\W32X86\hpoopm07.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks and Happy Father's Day!
Michael
mjgillen
Regular Member
 
Posts: 35
Joined: June 15th, 2005, 1:51 pm
Location: Solana Beach

Unread postby NonSuch » June 19th, 2005, 3:33 pm

Michael,

It looks like good ol' Ewido cleaned up a lot. That system sure had a mess of junk on it!

Download CCleaner from here to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click next to use the default install location. Click Install then finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
  • On the Windows tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
  • If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
  • Click Run Cleaner to run the program.
  • Caution: It is not recommended to use the "Issues" tab unless you are very familiar with the registry, as it has been known to find legitimate items.
  • After it has completed its process, click Exit.


I suggest you disable system restore again, reboot, then re-enable system restore. (We don't want to leave anything lurking in the restore points).

I see no signs of a firewall on this computer. In my opinion, the XP built-in firewall is inadequate because it does not monitor malware that's gotten into a system and is trying to "phone home." It only detects what's trying to get in. You'll find good information on firewalls in my post above regarding maintaining a system and keeping it clean.

Make sure that all the latest Windows Updates are installed. They close up a lot of holes. Also, make certain the computer is set up for automatic updates.

You have a great Father's Day! :)
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California

Unread postby mjgillen » June 20th, 2005, 2:50 pm

NonSuch,

Thanks! I returned the computer to its owner today. I am a little worried about leftovers that might "phone home," but other than that I know I did a good job and her computer is restored into a working machine again.

Thank you very much!

I have started a directory of tools, with READMEs. I am now going to the University to learn some more.

I'll chat with you later. Thanks again! :hello2:
Michael
mjgillen
Regular Member
 
Posts: 35
Joined: June 15th, 2005, 1:51 pm
Location: Solana Beach

Unread postby NonSuch » June 20th, 2005, 3:15 pm

Michael,

You're very welcome. :)

I'm sure you'll do very well in the University and will soon be out there slaying malware. It's a pleasure to have you with us.
NonSuch
Administrator

Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California