Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Spyaxe & Windows problems [RESOLVED]

Started by nickgall , Jan 02 2006 08:46 PM

  • This topic is locked This topic is locked

#1
nickgall
Posted 02 January 2006 - 08:46 PM

nickgall

    Member

  • Member
  • PipPip
  • 11 posts
Hi,

tonight my PC started throwing up virus warnings (in particular the "!" in a yellow triangle at the bottom right of the screen) and behaving strangely. I came across your very helpful website and I have been running scans and downloading the software you suggest all night. I have XP, SP2, use Firefox 1.5, and McAfee VirusScan 7.0.0 on my PC which moved 4 trojans into my quarantine folder and highlighted Spyaxe as infecting my PC twice within quite a short space of time. I then got warnings that a virus had deleted a file on my PC which left me open to popup spyware (but this also appeared to be telling me to download WinAntiSpyware, which I did not do). Trend Housecall then found 5 Trojans and I followed the on-screen instructions. When I ran Ad-aware SE 1.06 it seemed to find no new problems but doubled the number of trojans/viruses in the quarantine folder to 52. TrojanHunter also found nothing new when I ran it.

I reached the Windows Updates stage in your "Read this before posting" guide but since IE won't open I cannot work out how to access the Windows Updates to continue the process. In the Windows Task Manager "Processes" IExplorer does appear however.

I'm at a loss of what to do next. I hope this has not been posted in an inappropriate section of the forums and I apologise for my ignorance relating to computing. I hope that someone will be able to prompt me in the right direction so that I can continue to resolve these issues that have been plaguing my PC. Thank you for your time and help

Nick

Edited by nickgall, 02 January 2006 - 08:47 PM.

  • 0

Advertisements

#2
Flrman1
Posted 02 January 2006 - 11:43 PM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Welcome to G2G nickgall! :tazz:

Please do this:

* Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Addition Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Edited by Flrman1, 02 January 2006 - 11:43 PM.

  • 0

#3
nickgall
Posted 03 January 2006 - 08:50 AM

nickgall

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi,

thanks for the help. This morning my PC is claiming there are 4 active spyware applications. Here is the Hijack this logfile:



Logfile of HijackThis v1.99.1
Scan saved at 14:49:33, on 03/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Digital Camera\Nikon\NkView6\NkvMon.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\nvctrl.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=wwwcache.cam.ac.uk:8080;http=wwwcache.cam.ac.uk:8080;https=wwwcache.cam.ac.uk:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cam.ac.uk
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp86B2.tmp
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Digital Camera\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Games\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Games\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mrfixitonline.com
O15 - Trusted Zone: http://www.rtscentral.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = robinson.private.cam.ac.uk
O17 - HKLM\Software\..\Telephony: DomainName = robinson.private.cam.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{18C70E04-9B3C-4361-A1AE-6F1022788CEF}: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = robinson.private.cam.ac.uk,robinson.cam.ac.uk,cam.ac.uk,ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\..\{18C70E04-9B3C-4361-A1AE-6F1022788CEF}: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = robinson.private.cam.ac.uk,robinson.cam.ac.uk,cam.ac.uk,ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\..\{18C70E04-9B3C-4361-A1AE-6F1022788CEF}: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = robinson.private.cam.ac.uk,robinson.cam.ac.uk,cam.ac.uk,ac.uk
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Edit: I've just had a quick look at the log and I see "robinson.private.cam.ac.uk" which appears to be a hangover from changes to my PC while I was at university. Does it matter (aside from the spyaxe problem) that this is still present? thank you

Edited by nickgall, 03 January 2006 - 08:53 AM.

  • 0

#4
Flrman1
Posted 03 January 2006 - 11:03 AM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
* Click here to download smitRem.exe.
  • Save the file to your desktop.
  • It is a self extracting file.
  • Doubleclick the smitRem.exe and it will extract the files to a smitRem folder on your desktop.
  • Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.
  • If the link to SmitRem above is not working try this one.

* Download the trial version of Ewido Security Suite here.
  • Install ewido.
  • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido
  • It will prompt you to update click the OK button and it will go to the main screen
  • On the left side of the main screen click update
  • Click on Start and let it update.
  • DO NOT run a scan yet. You will do that later in safe mode.

* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


* Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop

* Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


* Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
  • 0

#5
nickgall
Posted 03 January 2006 - 07:19 PM

nickgall

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi,

I followed your instructions and I've provided the reports/logs below. I just thought I'd mention a few things that also occured during the process:

- smitREM tried to install itself in the Mozilla folder. I created smitREM folder in Program Files and installed it there

- when I rebooted in normal mode I got the following message:

You have used the System Configuration Utility to make changes to the way Windows starts. The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displated and the utility to run every time Windows starts. Choose the Normal Startup mode on the General tab to start Windows noramlly and undo the changes you made using the System Configuration Utility.

I clicked OK and I didn't make any changes when the System Configuration Utility opened.

- The "Security info" part was not present when I followed the control panel instructions




---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 23:36:38, 03/01/2006
+ Report-Checksum: 2C05B030

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\S-1-5-21-3287957928-1610497381-4286676373-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-3287957928-1610497381-4286676373-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D7E3B41-23CE-469B-BE1B-A64B877923E1} -> Spyware.BlazeFind : Cleaned with backup
HKU\S-1-5-21-3287957928-1610497381-4286676373-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKU\S-1-5-21-3287957928-1610497381-4286676373-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt -> Spyware.Cookie.Adviva : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt -> Spyware.Cookie.Hotlog : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt -> Spyware.Cookie.Spylog : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
C:\quarantine\1[1].exe.Vir -> Dropper.Bridge : Error during cleaning
C:\quarantine\A0009490.exe.Vir -> Proxy.Mitglieder.an : Error during cleaning
C:\quarantine\Dummy.class-7929669b-50022ce5.class.Vir -> Trojan.ClassLoader.Dummy.a : Error during cleaning
C:\quarantine\Dummy.class-7ebd305f-3f5f16c2.class.Vir -> Trojan.ClassLoader.Dummy.a : Error during cleaning
C:\quarantine\EXPLOIT[1].htm.Vir -> Downloader.Psyme.v : Error during cleaning
C:\quarantine\GetAccess.class-1ee08391-5af58bed.class.Vir -> Trojan.ClassLoader.c : Error during cleaning
C:\quarantine\GetAccess.class-7baff0cd-6896aab5.class.Vir -> Trojan.ClassLoader.c : Error during cleaning
C:\quarantine\GetAccess.class-7baff0cd-6b2698df.class.Vir -> Trojan.ClassLoader.c : Error during cleaning
C:\quarantine\InsecureClassLoader.class-553ec126-5cf56198.class.Vir -> Not-A-Virus.Exploit.Java.Bytverify : Error during cleaning
C:\quarantine\InsecureClassLoader.class-5aa0e7e2-60ca58dd.class.Vir -> Not-A-Virus.Exploit.Java.Bytverify : Error during cleaning
C:\quarantine\regsrv32.exe.Vir -> Dropper.Bridge : Error during cleaning
C:\quarantine\temkterodnk.exe.Vir -> Downloader.Small.cb : Error during cleaning
C:\quarantine\window.exe.Vir -> Proxy.Mitglieder.an : Error during cleaning
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP717\A0036222.tlb -> Downloader.Zlob.dr : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP717\A0036231.tlb -> Downloader.Zlob.dr : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP717\A0036237.exe -> Downloader.Zlob.dr : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP717\A0036255.exe -> Downloader.Zlob.bu : Cleaned with backup


::Report End

----------------------------
ActiveScan report
----------------------------

Incident Status Location

Adware:adware/wupd Not desinfected C:\PROGRAM FILES\Windows TaskAd


----------------------------
Hijack This logfile
----------------------------

Logfile of HijackThis v1.99.1
Scan saved at 01:18:48, on 04/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Ewido anti-malware\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Digital Camera\Nikon\NkView6\NkvMon.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=wwwcache.cam.ac.uk:8080;http=wwwcache.cam.ac.uk:8080;https=wwwcache.cam.ac.uk:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cam.ac.uk
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Digital Camera\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Games\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Games\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mrfixitonline.com
O15 - Trusted Zone: http://www.rtscentral.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = robinson.private.cam.ac.uk
O17 - HKLM\Software\..\Telephony: DomainName = robinson.private.cam.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{18C70E04-9B3C-4361-A1AE-6F1022788CEF}: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = robinson.private.cam.ac.uk,robinson.cam.ac.uk,cam.ac.uk,ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\..\{18C70E04-9B3C-4361-A1AE-6F1022788CEF}: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = robinson.private.cam.ac.uk,robinson.cam.ac.uk,cam.ac.uk,ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\..\{18C70E04-9B3C-4361-A1AE-6F1022788CEF}: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = robinson.private.cam.ac.uk,robinson.cam.ac.uk,cam.ac.uk,ac.uk
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Thanks again
  • 0

#6
Flrman1
Posted 03 January 2006 - 10:14 PM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
* Click Here and download Killbox and save it to your desktop.


* Click here for info on how to boot to safe mode if you don't already know how.


* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to.


* Run Hijack This again and put a check by these. Close ALL windows except HijackThis and click "Fix checked"

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Double-click on Killbox.exe to run it.
  • Put a tick by Standard File Kill.
  • In the "Full Path of File to Delete" box, copy and pastef the following line:

    C:\WINDOWS\System32\window.exe

  • Click on the button that has the red circle with the X in the middle.
  • It will ask for confimation to delete the file.
  • Click Yes.
  • Next in Killbox go to Tools > Delete Temp Files
  • In the window that pops up, put a check by ALL the options there except these three:
    • XP Prefetch
    • Recent
    • History
  • Now click the Delete Selected Temp Files button.
  • Exit the Killbox.

* Go to Control Panel > Internet Options.
Click on the Programs tab then click the "Reset Web Settings" button.
Click Apply then OK.


* Restart back into Windows normally now.


* Run ActiveScan online virus scan here

When the scan is finished, save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan
  • 0

#7
nickgall
Posted 04 January 2006 - 07:58 AM

nickgall

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi,

thanks for the continued help. Killbox said that the file didn't seem to exist.

During ActiveScan my VirusScan has been popping up saying it has moved viruses etc into quarantine, these always being file names that I recognise as having been in quarantine to being with. After ActiveScan had finished the number of files in quarantine had jumped from 52 to 250. Is this normal?



ACTIVESCAN

Incident Status Location

Adware:adware/wupd Not disinfected C:\PROGRAM FILES\Windows TaskAd
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt[.xmts.net/]
Spyware:Cookie/Clickbank Not disinfected C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt[.clickbank.net/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Nick\Application Data\Mozilla\Firefox\Profiles\0hdtpd78.default\cookies.txt[]
Possible Virus. Not disinfected C:\Documents and Settings\Nick\My Documents\Audio\x-editing-x\CD to MP3\cdrip.exe
Possible Virus. Not disinfected C:\Program Files\Common Files\AOL\System Information\iecutil.dll






Logfile of HijackThis v1.99.1
Scan saved at 13:55:57, on 04/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Ewido anti-malware\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Digital Camera\Nikon\NkView6\NkvMon.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=wwwcache.cam.ac.uk:8080;http=wwwcache.cam.ac.uk:8080;https=wwwcache.cam.ac.uk:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cam.ac.uk
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Digital Camera\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Games\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Games\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mrfixitonline.com
O15 - Trusted Zone: http://www.rtscentral.com
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = robinson.private.cam.ac.uk
O17 - HKLM\Software\..\Telephony: DomainName = robinson.private.cam.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{18C70E04-9B3C-4361-A1AE-6F1022788CEF}: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = robinson.private.cam.ac.uk,robinson.cam.ac.uk,cam.ac.uk,ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\..\{18C70E04-9B3C-4361-A1AE-6F1022788CEF}: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = robinson.private.cam.ac.uk,robinson.cam.ac.uk,cam.ac.uk,ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\..\{18C70E04-9B3C-4361-A1AE-6F1022788CEF}: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = robinson.private.cam.ac.uk,robinson.cam.ac.uk,cam.ac.uk,ac.uk
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • 0

#8
Flrman1
Posted 04 January 2006 - 10:07 AM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
Go ahead and delete the C:\PROGRAM FILES\Windows TaskAd folder.


Go here

Look at the top of the page where it says Select file.

Click on Browse

Navigate to the C:\Documents and Settings\Nick\My Documents\Audio\x-editing-x\CD to MP3 folder and upload the .... cdrip.exe .... file. Click Send and let us know what it finds.


Also upload this file:

C:\Program Files\Common Files\AOL\System Information\iecutil.dll


* Run Kaspersky online virus scan here.

When the scan is finished, Save the results from the scan!

Post a new HiJackThis log along with the results from Kaspersky scan
  • 0

#9
nickgall
Posted 04 January 2006 - 05:14 PM

nickgall

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here are the reports


This is a report processed by VirusTotal on 01/04/2006 at 17:51:53 (CET) after scanning the file "iecutil.dll" file.
Antivirus Version Update Result
AntiVir 6.33.0.74 01.04.2006 no virus found
Avast 4.6.695.0 01.03.2006 no virus found
AVG 718 01.03.2006 no virus found
Avira 6.33.0.74 01.04.2006 no virus found
BitDefender 7.2 01.04.2006 no virus found
CAT-QuickHeal 8.00 01.04.2006 no virus found
ClamAV devel-20051123 01.04.2006 no virus found
DrWeb 4.33 01.04.2006 no virus found
eTrust-Iris 7.1.194.0 01.04.2006 no virus found
eTrust-Vet 12.4.1.0 01.04.2006 no virus found
Ewido 3.5 01.03.2006 no virus found
Fortinet 2.54.0.0 01.04.2006 no virus found
F-Prot 3.16c 01.02.2006 no virus found
Ikarus 0.2.59.0 01.04.2006 no virus found
Kaspersky 4.0.2.24 01.04.2006 no virus found
McAfee 4666 01.03.2006 no virus found
NOD32v2 1.1351 01.03.2006 no virus found
Norman 5.70.10 12.31.2006 no virus found
Panda 9.0.0.4 01.04.2006 no virus found
Sophos 4.01.0 01.04.2006 no virus found
Symantec 8.0 01.04.2006 no virus found
TheHacker 5.9.2.067 01.02.2006 no virus found
UNA 1.83 01.02.2006 no virus found
VBA32 3.10.5 01.04.2006 no virus found


Scan results
File: cdrip.exe
Date: 01/04/2006 17:52:38 (CET)
----
AntiVir 6.33.0.74/20060104 found nothing
Avast 4.6.695.0/20060103 found nothing
AVG 718/20060103 found nothing
Avira 6.33.0.74/20060104 found nothing
BitDefender 7.2/20060104 found nothing
CAT-QuickHeal 8.00/20060104 found nothing
ClamAV devel-20051123/20060104 found nothing
DrWeb 4.33/20060104 found nothing
eTrust-Iris 7.1.194.0/20060104 found nothing
eTrust-Vet 12.4.1.0/20060104 found nothing
Ewido 3.5/20060103 found nothing
Fortinet 2.54.0.0/20060104 found [suspicious]
F-Prot 3.16c/20060102 found nothing
Ikarus 0.2.59.0/20060104 found nothing
Kaspersky 4.0.2.24/20060104 found nothing
McAfee 4666/20060103 found nothing
NOD32v2 1.1351/20060103 found nothing
Norman 5.70.10/20061231 found nothing
Panda 9.0.0.4/20060104 found nothing
Sophos 4.01.0/20060104 found nothing
Symantec 8.0/20060104 found nothing
TheHacker 5.9.2.067/20060102 found nothing
UNA 1.83/20060102 found nothing
VBA32 3.10.5/20060104 found nothing


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, January 04, 2006 23:12:27
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 4/01/2006
Kaspersky Anti-Virus database records: 158721
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 64713
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 3188 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP717\A0036258.exe Infected: Trojan-Downloader.Win32.Zlob.dq

Scan process completed.




Logfile of HijackThis v1.99.1
Scan saved at 23:13:49, on 04/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Program Files\Ewido anti-malware\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Digital Camera\Nikon\NkView6\NkvMon.exe
C:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=wwwcache.cam.ac.uk:8080;http=wwwcache.cam.ac.uk:8080;https=wwwcache.cam.ac.uk:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.cam.ac.uk
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [PCTVRemote] C:\Program Files\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Digital Camera\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Games\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Games\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mrfixitonline.com
O15 - Trusted Zone: http://www.rtscentral.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro....er/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = robinson.private.cam.ac.uk
O17 - HKLM\Software\..\Telephony: DomainName = robinson.private.cam.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\..\{18C70E04-9B3C-4361-A1AE-6F1022788CEF}: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = robinson.private.cam.ac.uk,robinson.cam.ac.uk,cam.ac.uk,ac.uk
O17 - HKLM\System\CS1\Services\Tcpip\..\{18C70E04-9B3C-4361-A1AE-6F1022788CEF}: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = robinson.private.cam.ac.uk,robinson.cam.ac.uk,cam.ac.uk,ac.uk
O17 - HKLM\System\CS2\Services\Tcpip\..\{18C70E04-9B3C-4361-A1AE-6F1022788CEF}: Domain = robinson.private.cam.ac.uk
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = robinson.private.cam.ac.uk,robinson.cam.ac.uk,cam.ac.uk,ac.uk
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • 0

#10
Flrman1
Posted 04 January 2006 - 06:00 PM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
How is everything now?
  • 0

Advertisements

#11
nickgall
Posted 04 January 2006 - 07:21 PM

nickgall

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Things seem to be alright. I'm not getting anymore warnings etc from windows, but I am still a little worried about the single virus that the last scan found. Should I find the file and delete it?

Also what should I do about the 300+ files in my quarantine folder...is it ok to just leave them there? And finally, to prevent this sort of problem occuring in the future I am alright just following the helpful advice provided on the main website?

Thank you very much for your rapid help, it has been much appreciated.

Edited by nickgall, 04 January 2006 - 07:23 PM.

  • 0

#12
Flrman1
Posted 04 January 2006 - 07:40 PM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
The single virus that Kaspersky found is in System Restore. That is cleared by turning off System Restore. I always wait and do that as the very last step when everything else is clean just in case something goes wrong. If that happens, we still have restore points to restore to.

Go ahead and delete everything in the C:\quarantine folder.


Check this out for info on how to tighten your security settings and some good free tools to help prevent this from happening again.

Now turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
  • 0

#13
nickgall
Posted 04 January 2006 - 08:34 PM

nickgall

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I tried to delete the contents of the quarantine folder but VirusScan just popped up saying "virus detected" and moved all 26 files back into the quarantine.

Shall I just not worry about this and continue with the rest of your instructions?
  • 0

#14
Flrman1
Posted 04 January 2006 - 09:02 PM

Flrman1

    Malware Assassin

  • Retired Staff
  • 6,596 posts
You can empty it in safe mode then empty the recycle bin.
  • 0

#15
nickgall
Posted 05 January 2006 - 06:11 AM

nickgall

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
OK that's all done now. Thank you very much
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP