I did all that was asked... and it all worked until the end of the scan. A Windows message popped up and exited out of the scanner... Then, out of safe mode, when I went back into ewido and tried to scan again, the same thing happened. I looked through the quarantine; there were many files that were infected. I wasn't able to copy that list, but I got all the rest of the copyable things... lol
---------------------------------------------------------
ewido security suite - Startup report
---------------------------------------------------------
+ Created on: 12:52:45 AM, 5/8/2005
+ Report-Checksum: FB422B96
Reg\HKLM\Run BPT "C:\Program Files\Bpt\bpt.exe"
Reg\HKLM\Run ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Reg\HKLM\Run diagent "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
Reg\HKLM\Run UpdReg C:\WINDOWS\UpdReg.EXE
Reg\HKLM\Run AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
Reg\HKLM\Run NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Reg\HKLM\Run rtbcxees C:\WINDOWS\xmsqbdxa.exe
Reg\HKLM\Run MWEO C:\WINDOWS\MWEO.exe
Reg\HKLM\Run MXEPAKUCM C:\WINDOWS\MXEPAKUCM.exe
Reg\HKLM\Run JTBO C:\WINDOWS\JTBO.exe
Reg\HKLM\Run JUBM C:\WINDOWS\JUBM.exe
Reg\HKLM\Run t C:\WINDOWS\System32\uagnek.exe
Reg\HKLM\Run Antivirus C:\WINDOWS\av.exe
Reg\HKLM\Run BCMSMMSG BCMSMMSG.exe
Reg\HKLM\Run ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Reg\HKLM\Run QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
Reg\HKLM\Run vptray C:\PROGRA~1\SYMANT~1\VPTray.exe
Reg\HKLM\Run Visual Element Fx C:\WINDOWS\system32\X1002142005.exe
Reg\HKLM\Run Windows Logon Procedure SVCHOSTA.EXE
Reg\HKLM\Run cfgmgr51 RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
Reg\HKLM\Run DI2 "C:\DOCUME~1\Josh\LOCALS~1\Temp\27.exe\27.exe"
Reg\HKLM\Run djxbnj c:\windows\system32\djxbnj.exe
Reg\HKLM\Run gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Reg\HKLM\Run jqzruepk c:\windows\system32\jqzruepk.exe -start
Reg\HKLM\Run G3 C:\WINDOWS\system32\GSMedia3.exe
Reg\HKCU\Run MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Reg\HKCU\Run NvMediaCenter RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
Reg\HKCU\Run ewxqRgf7l wowtsn32.exe
Reg\HKCU\Run Instant Access rundll32.exe EGDACCESS_1058.dll,InstantAccess
Shell\CommonStartup Adobe Gamma Loader.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
Shell\CommonStartup Microsoft Office.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
Shell\CommonStartup Symantec Fax Starter Edition Port.lnk C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Symantec Fax Starter Edition Port.lnk
I was able to scan the memory successfully.
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 12:54:05 AM, 5/8/2005
+ Report-Checksum: 2CCFD093
+ Date of database: 5/8/2005
+ Version of scan engine: v3.0
+ Duration: 26 s
+ Scanned Files: 9
+ Speed: 0.34 Files/Second
+ Infected files: 3
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 3
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
Memory
+ Scan result:
C:\WINDOWS\system32\hrl2053oe.dll / PID: 240 -> Spyware.Look2Me.ab -> Error during cleaning
C:\WINDOWS\system32\iertrmgr.dll / PID: 768 -> Spyware.Look2Me.ab -> Error during cleaning
C:\WINDOWS\system32\iertrmgr.dll / PID: 844 -> Spyware.Look2Me.ab -> Error during cleaning
::Report End
---------------------------------------------------------
ewido security suite - Process report
---------------------------------------------------------
+ Created on: 5:20:59 PM, 5/8/2005
+ Report-Checksum: 69A48FF9
0: System Process
4: System Process
404: C:\Program Files\Symantec AntiVirus\Rtvscan.exe
428: System Process
460: C:\WINDOWS\System32\MsPMSPSv.exe
480: C:\Program Files\ewido\security suite\ewidoguard.exe
604: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
736: C:\WINDOWS\Explorer.EXE
892: \SystemRoot\System32\smss.exe
944: System Process
968: \??\C:\WINDOWS\system32\winlogon.exe
1016: C:\WINDOWS\system32\services.exe
1028: C:\WINDOWS\system32\lsass.exe
1192: C:\WINDOWS\system32\svchost.exe
1240: System Process
1364: C:\WINDOWS\System32\svchost.exe
1400: C:\WINDOWS\system32\rundll32.exe
1444: System Process
1560: System Process
1708: C:\WINDOWS\system32\spoolsv.exe
1800: C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
1820: C:\WINDOWS\System32\CTsvcCDA.exe
1836: C:\Program Files\Symantec AntiVirus\DefWatch.exe
1872: C:\Program Files\ewido\security suite\ewidoctrl.exe
1948: C:\WINDOWS\System32\nvsvc32.exe
1964: C:\Program Files\Symantec AntiVirus\SavRoam.exe
2036: C:\WINDOWS\System32\svchost.exe
2336: C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
2424: C:\Program Files\Microsoft Office\Office\WINWORD.EXE
2588: C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
2604: C:\WINDOWS\BCMSMMSG.exe
2628: C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
2636: C:\Program Files\QuickTime\qttask.exe
2656: C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2692: C:\PROGRA~1\SYMANT~1\VPTray.exe
2704: C:\WINDOWS\system32\X1002142005.exe
2852: C:\WINDOWS\system32\wowtsn32.exe
2968: C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
3120: C:\WINDOWS\system32\RUNDLL32.EXE
3204: C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
3328: C:\WINDOWS\msagent\AgentSvr.exe
3448: C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
3488: C:\Program Files\Messenger\msmsgs.exe
3808: C:\Program Files\Microsoft Office\Office\WINWORD.EXE
4088: C:\Program Files\ewido\security suite\securitysuite.exe
And here's the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:55:39 AM, on 5/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Josh\My Documents\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2sea...sidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [rtbcxees] C:\WINDOWS\xmsqbdxa.exe
O4 - HKLM\..\Run: [MXEPAKUCM] C:\WINDOWS\MXEPAKUCM.exe
O4 - HKLM\..\Run: [MWEO] C:\WINDOWS\MWEO.exe
O4 - HKLM\..\Run: [JUBM] C:\WINDOWS\JUBM.exe
O4 - HKLM\..\Run: [JTBO] C:\WINDOWS\JTBO.exe
O4 - HKLM\..\Run: [t] C:\WINDOWS\System32\uagnek.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Visual Element Fx] C:\WINDOWS\system32\X1002142005.exe
O4 - HKLM\..\Run: [Windows Logon Procedure] SVCHOSTA.EXE
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\Josh\LOCALS~1\Temp\27.exe\27.exe"
O4 - HKLM\..\Run: [djxbnj] c:\windows\system32\djxbnj.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [jqzruepk] c:\windows\system32\jqzruepk.exe -start
O4 - HKLM\..\Run: [G3] C:\WINDOWS\system32\GSMedia3.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ewxqRgf7l] wowtsn32.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZCxdm231YYUS
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzill...ller/dwnldr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\cffgnt.dll (file missing)
O20 - Winlogon Notify: OptimalLayout - C:\WINDOWS\system32\hrl2053oe.dll
O21 - SSODL: NTDBGTOOL - {934B0500-F563-48A6-9353-E57BCB61AE76} - C:\WINDOWS\system32\dssercp.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
I'm still getting the pop-ups... and the firewall is still down and unreachable.
It's getting better though!! Thanks.