Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help with Vcodec Trojan

Started by severtomorrow , Nov 15 2006 01:39 PM

  • This topic is locked This topic is locked

#1
severtomorrow
Posted 15 November 2006 - 01:39 PM

severtomorrow

    New Member

  • Member
  • Pip
  • 8 posts
Hi everyone. I think it's about time I admit defeat. As near as I can tell I have been infected with some kind of Vcodec trojan (and maybe other junk as well). I keep getting a fake system alert pop-up that reads "Trojan-Spy.Win32@mx" (I know it is fake because it spells balloon as baloon...) as well as a Critical Alert window claiming I have something called Spyware.CyberLog-X. Pretty much everything that pops up tells me I have some sort of Trojan or piece of spyware and all have little "Click here to download antispyware" buttons. Also, there are occasional [bleep] popups and my browser has been hijacked (leads to eprotectpage.com). I have run ATF cleaner, set a system restore point, run Ad-aware SE, Spybot S&D, and AVG Anti-Spyware (Ewido). Each spyware program got rid of a ton of stuff, but none of it was relevant to the problem I am encountering. Usually Ad-aware easily finds browser hijacks, but no luck this time. I have found Vcodec solutions on this forum as well as others, and I tried to follow them, but there were significant differences between what I have and what those others had. I can see this Quality Codec thing in my hijackthis log, and after looking around on the internet I found it could be linked to this Vcodec thing. I didn't delete it lest I wind up pooching things. Norton is not coming up with anything, and as I've said the spyware programs (Ewido in safe-mode) deleted a bunch of stuff, but none of it was related to this junk. I also have fake Online Security Guide and Security Troubleshooting icons on the desktop and in the start menu. Windows Update has installed SP1a (it's telling me to update to SP2, but from what I've read here that's not a good idea until I get rid of everything). There are also Quality Codec, VirusBursters and Winantispyware2006 folders on my computer. We're so careful about everything, I can't believe how badly we've been infected! Below are my HijackThis, Panda ActiveScan and Ewido logs:

Logfile of HijackThis v1.99.1
Scan saved at 2:06:01 PM, on 15/11/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QualityCodec\isamonitor.exe
C:\Program Files\QualityCodec\pmsngr.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\QualityCodec\pmmon.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\QualityCodec\isamini.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Timothy\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presari...t...c01&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presari...t...c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...t...c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {192c5b4a-3efd-40c7-9f99-c472deb8efc0} - C:\Program Files\QualityCodec\isaddon.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QMusic2] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Support - {A21CCB86-75EC-4831-9EA4-E8BA93C0974B} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-...sapplet-epf.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1150932961531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1150932952216
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: vistax - vistax.dll (file missing)
O21 - SSODL: bonspells - {11853d5f-f894-4cc7-bbc3-fc7a9dcfd896} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

_________________________________________________________________________________________

Panda Activescan:

Incident Status Location

Adware:Adware/iVideoCodec Not disinfected C:\Program Files\QualityCodec\pmmon.exe
Adware:adware/safetybar Not disinfected c:\documents and settings\all users\desktop\Online Security Guide.url
Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Mom & Dad\Local Settings\Temporary Internet Files\Content.IE5\I7ANIHQL\eprotectpage[1]
Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Mom & Dad\Local Settings\Temporary Internet Files\Content.IE5\I7ANIHQL\eprotectpage[2]
Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Mom & Dad\Local Settings\Temporary Internet Files\Content.IE5\I7ANIHQL\eprotectpage[3]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Timothy\Cookies\timothy@drivecleaner[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Timothy\Cookies\timothy@mediaplex[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Timothy\Cookies\[email protected][1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Timothy\Cookies\[email protected][2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Timothy\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Documents and Settings\Timothy\Local Settings\Temporary Internet Files\Content.IE5\EP6N0RUZ\WinAntiVirusPro2006FreeInstall[1].exe
Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Timothy\Local Settings\Temporary Internet Files\Content.IE5\U5CXO74D\eprotectpage[2]
Possible Virus. Not disinfected C:\Program Files\Music Collector\FlicAPI.dll
Adware:Adware/QualityCodec Not disinfected C:\Program Files\QualityCodec\iesplugin.dll
Adware:Adware/QualityCodec Not disinfected C:\Program Files\QualityCodec\uninst.exe
Adware:Adware/VirusBurst Not disinfected C:\Program Files\VirusBursters\VirusBursters.exe
_________________________________________________________________________________________

Ewido:

HKLM\SOFTWARE\Classes\CLSID\{11853d5f-f894-4cc7-bbc3-fc7a9dcfd896} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Explorer Security Plugin 2006 -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Security Add-On -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Public Messenger ver 2.03 -> Adware.IntCodec : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{12855640-7D70-4BD9-BBEA-F3A6839FBAEA}\RP156\A0013990.exe -> Backdoor.Haxdoor.jp : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom & Dad\Local Settings\Temp\Temporary Internet Files\Content.IE5\VWSHSDGU\popup[2].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom & Dad\Local Settings\Temp\Temporary Internet Files\Content.IE5\VWSHSDGU\popup[3].php -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom & Dad\Application Data\winantispyware2006freeinstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\Documents and Settings\Timothy\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.

Thanks in advance to anyone who can help!
Tim
  • 0

Advertisements

#2
Daemon
Posted 15 November 2006 - 02:47 PM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP - your log shows no evidence of this update. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...;DisplayLang=en
Apply the update, reboot, and post a fresh Hijack This log.

Edited by Daemon, 15 November 2006 - 02:48 PM.

  • 0

#3
severtomorrow
Posted 15 November 2006 - 09:10 PM

severtomorrow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Daemon, thanks for the quick response. I'm really sorry about that, I could have sworn I had SP1a on here a long time ago (maybe that's why I got infected!) Windows Update is urging for SP2, so I just assumed... Anyhow, it's all done now. Here's the new log:

Logfile of HijackThis v1.99.1
Scan saved at 10:04:48 PM, on 15/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\QualityCodec\isamonitor.exe
C:\Program Files\QualityCodec\pmsngr.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\QualityCodec\pmmon.exe
C:\Program Files\QualityCodec\isamini.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Timothy\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presari...t...c01&lc=0409
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presari...t...c01&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...t...c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {192c5b4a-3efd-40c7-9f99-c472deb8efc0} - C:\Program Files\QualityCodec\isaddon.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QMusic2] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Support - {A21CCB86-75EC-4831-9EA4-E8BA93C0974B} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-...sapplet-epf.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1150932961531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1150932952216
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: vistax - vistax.dll (file missing)
O21 - SSODL: bonspells - {11853d5f-f894-4cc7-bbc3-fc7a9dcfd896} - (no file)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Thanks again for your help, I really appreciate it.
Tim
  • 0

#4
Daemon
Posted 16 November 2006 - 04:45 PM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK, good. Click here to download smitRem.exe and save the file to your desktop. Double click on the file to extract it to it's own folder on the desktop.

Next reboot into Safe Mode. You can get there by restarting your computer and continually tapping F8 until a menu appears. Use your arrow to highlight Safe Mode then hit enter.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. The tool will create a log named smitfiles.txt in the root of your drive (where your operating system is installed). You will need that log later.

Next click Start>Settings>Control Panel>Display>Desktop>Customize Desktop>Web and uncheck "Security Info" if present.

Reboot back into Normal Mode and rescan with HijackThis.

Paste the contents of a new HijackThis Log, the contents of smitfiles.txt in your next reply.
  • 0

#5
severtomorrow
Posted 17 November 2006 - 01:51 PM

severtomorrow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hey,
I ran smitRem in safe mode and everything was going fine. The disc cleanup came on and was running very slowly. I know sometimes it can take a couple hours, so I let it run overnight. This morning, however, it was still at the same point it was last night, but it wasn't frozen (it said "running" in the processes window and you could move the window around adn minimize it and such). It was calculating how much memory it could free up if it compressed files and it just stayed there. Before I left for work this morning I tried to run the disc cleanup seperately, but it would not start at all (just an hourglass for a couple seconds, then nothing). I can get it to start in regular mode, but it just sits at the same spot, though it doesn't freeze. Do I absolutely need the disc cleanup to do its thing before proceeding? Incidentally, I know it's been a while since we did a defrag or a cleanup, but that thing must have run for close to ten hours and got nowhere.

Thanks again,
Tim
  • 0

#6
Daemon
Posted 19 November 2006 - 05:47 AM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Post the logs I requested and I'll check what still needs to be done.
  • 0

#7
severtomorrow
Posted 19 November 2006 - 12:11 PM

severtomorrow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Okay. I guess one of AVG Antispyware's updates was able to get the majority of what I had, because I ran it again and it seems to have gotten most of the malware (browser hijack gone, pop-ups and fake system errors gone). However, I can still see traces of this Quality Codec thing and according to my latest Panda scan there are still quite a few evil programs left over, though at the moment they don't seem to be doing anything.


smitRem © log file
version 3.2

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: 17/11/2006
The current time is: 14:30:51.71

Running from
C:\Documents and Settings\Timothy\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Appinitdll check ........ Thank you Grinler!

dumphive.exe ©2000-2004 Markus Stephany
REGEDIT4

[Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

XP Firewall allowed access

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!


checking for drsmartload2 key


drsmartload2 key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present
AntiVermins uninstaller NOT present
VirusBursters uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 672 'explorer.exe'
Killing PID 672 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~



~~~ Wininet.dll ~~~

CLEAN! :whistling:

____________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 1:02:29 PM, on 19/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\BenQ\QMusic2\QMAgent.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_03\bin\jucheck.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Timothy\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...t...c01&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QMusic2] "C:\Program Files\BenQ\QMusic2\QMAgent.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyStartUp] c:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Support - {A21CCB86-75EC-4831-9EA4-E8BA93C0974B} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: TruePass EPF 7,0,100,717 - https://blrscr3.egs-...sapplet-epf.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1150932961531
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1150932952216
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: vistax - vistax.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

________________________________________________________

And, just to be safe, this is the Activescan report:

Incident Status Location

Adware:Adware/iVideoCodec Not disinfected C:\Program Files\QualityCodec\pmmon.exe
Adware:adware/safetybar Not disinfected c:\documents and settings\all users\desktop\Online Security Guide.url
Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Mom & Dad\Local Settings\Temporary Internet Files\Content.IE5\I7ANIHQL\eprotectpage[1]
Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Mom & Dad\Local Settings\Temporary Internet Files\Content.IE5\I7ANIHQL\eprotectpage[2]
Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Mom & Dad\Local Settings\Temporary Internet Files\Content.IE5\I7ANIHQL\eprotectpage[3]
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Timothy\Cookies\timothy@drivecleaner[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Timothy\Cookies\timothy@mediaplex[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Timothy\Cookies\[email protected][1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Timothy\Cookies\[email protected][2].txt
Spyware:Cookie/Winantivirus Not disinfected C:\Documents and Settings\Timothy\Cookies\[email protected][1].txt
Potentially unwanted tool:Application/Winantivirus2006 Not disinfected C:\Documents and Settings\Timothy\Local Settings\Temporary Internet Files\Content.IE5\EP6N0RUZ\WinAntiVirusPro2006FreeInstall[1].exe
Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Timothy\Local Settings\Temporary Internet Files\Content.IE5\U5CXO74D\eprotectpage[2]
Possible Virus. Not disinfected C:\Program Files\Music Collector\FlicAPI.dll
Adware:Adware/QualityCodec Not disinfected C:\Program Files\QualityCodec\iesplugin.dll
Adware:Adware/QualityCodec Not disinfected C:\Program Files\QualityCodec\uninst.exe
Adware:Adware/VirusBurst Not disinfected C:\Program Files\VirusBursters\VirusBursters.exe

Thanks again
  • 0

#8
Daemon
Posted 19 November 2006 - 12:20 PM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK, let's get rid of the stragglers.

Using Windows Explorer, find and delete these folders:

C:\Program Files\QualityCodec
C:\Program Files\VirusBursters

Click here to download System Security Suite. Extract it from the zip file into a folder and doubleclick on sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. You will be prompted to reboot, do so.

Let me know if they are still showing up.
  • 0

#9
severtomorrow
Posted 19 November 2006 - 04:45 PM

severtomorrow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Well, things are definitely looking better. I was not able to find C:\Program Files\QualityCodec or
C:\Program Files\VirusBursters, but I ran SSS anyway, and now they don't appear on the Activescan log, so I guess that program got them. I notice there are still some cookies and temp files that I figured SSS would have deleted when it got rid of everything else. Is this because we have three separate users on XP? Do I need to run this on each account to get rid of everything? Aside from that, everything looks good to me, but I figured I'd post the latest activescan just to be sure.

Incident Status Location

Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Mom & Dad\Cookies\mom & dad@drivecleaner[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Mom & Dad\Cookies\mom & [email protected][2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Mom & Dad\Cookies\mom & [email protected][2].txt
Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Mom & Dad\Local Settings\Temporary Internet Files\Content.IE5\GLIH4J85\eprotectpage[2]
Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Mom & Dad\Local Settings\Temporary Internet Files\Content.IE5\I7ANIHQL\eprotectpage[1]
Adware:Adware/PestTrap Not disinfected C:\Documents and Settings\Mom & Dad\Local Settings\Temporary Internet Files\Content.IE5\I7ANIHQL\eprotectpage[2]
Adware:Adware/QualityCodec Not disinfected C:\Documents and Settings\Timothy\Desktop\hijackthis\backups\backup-20061110-220951-273.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Timothy\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Timothy\Desktop\smitRem.exe[smitRem/Process.exe]
Possible Virus. Not disinfected C:\Program Files\Music Collector\FlicAPI.dll
Thanks again for all your help and hard work,
Tim
  • 0

#10
Daemon
Posted 19 November 2006 - 04:59 PM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
Yes, run SSS on all your user accounts and that will clean it up. Do this also. Go to Jotti's malware scan

Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

C:\Program Files\Music Collector\FlicAPI.dll

Click on the submit button. Please post the results in your next reply.
  • 0

Advertisements

#11
severtomorrow
Posted 21 November 2006 - 12:52 PM

severtomorrow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Alrighty. After several more scans on the different desktops, it appears that I am clean! I just finished running an activescan report and it showed the following:

Incident Status Location

Adware:Adware/QualityCodec Not disinfected C:\Documents and Settings\Timothy\Desktop\hijackthis\backups\backup-20061110-220951-273.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Timothy\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Timothy\Desktop\smitRem.exe[smitRem/Process.exe]
Possible Virus. Not disinfected C:\Program Files\Music Collector\FlicAPI.dll
I had looked up FlicAPI.dll on the music collector website and it said it sometimes shows up as a false positive. Nevertheless, I ran it through jotti and it came back negative (Status OK). The only thing I am curious about is the QualityCodec in the hijackthis backup. There are also some virusbursters icons on one of the desktops, but the icons themselves are missing, so I'm assuming they're just leftovers that don't actually point to anything. Can I just manually remove this from the desktop and the start menu? Other than that, I think everything's good.

Thanks a lot,
Tim
  • 0

#12
Daemon
Posted 21 November 2006 - 01:45 PM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
I still need to see the results of the Jotti scan.
  • 0

#13
severtomorrow
Posted 22 November 2006 - 12:52 PM

severtomorrow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Sorry, I didn't see any "print report" feature so I figured it didn't matter as long as it was negative. I ran it again and just copied and pasted the results.

File: FlicAPI.dll
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 dab080fc569bd27d8e8a50bcea63639e
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found nothing
  • 0

#14
Daemon
Posted 22 November 2006 - 04:04 PM

Daemon

    Security Expert

  • Retired Staff
  • 4,356 posts
  • MVP
OK good. You can delete the HJT backups and manually remove any virusbursters stragglers. Is it still running OK?
  • 0

#15
severtomorrow
Posted 22 November 2006 - 10:53 PM

severtomorrow

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Everything's hunky dory on this end Daemon. Thanks for all your help!

Tim
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP