been fighting multiple worms/trojans

I've been working for a couple of weeks cleaning my kids' computer. I've gone through the recommended cleaning process before posting here; though not confident everything has been fixed. The logs don't show all of the trojans/worms that I've cleaned off...sorry I don't remember what they were. I didn't think to write them down when using Norton and Ad-aware initially.

Most recent steps followed:

1 - Did ATF cleaner, but didn't realize it didn't automatically clean each user accounts' folders. Later went back and deleted temp files, cookies, history, etc. manually for each user account.

2 - Created a System Restore point.

3 - Ran AVG Anti-Spyware. Got anxious before reading all instructions and accidentally ran it first in Normal mode and deleted files instead of quarantining them (scan found 82 malware items). Ran it a second time in Safe mode.

4 - Ran SUPERAntiSpyware (log posted below).

5 - Ran Online-Panda Activescan (log posted below). Was unable or not smart enough to get Panda to fix what it found without buying program.

6 - I've stayed up to date on Windows updates...have XP Service Pack 2.

7 - Ran Hijack This (log posted below).

I greatly appreciate what you guys do, and I thank you in advance for your help. I've tried to do my best so as not to waste anyone's time, but I realize these problems go beyond my understanding. (remembering the old days of DOS when I could fix things easily).

--------------------------------------
SUPERAntiSpyware log:

SUPERAntiSpyware Scan Log
Generated 03/02/2008 at 08:39 PM

Application Version : 3.6.1000

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 02:05:23

Memory items scanned : 525
Memory threats detected : 0
Registry items scanned : 5844
Registry threats detected : 0
File items scanned : 80596
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\Bill & Nancy\Cookies\bill & [email protected][1].txt
C:\Documents and Settings\Bill & Nancy\Cookies\bill & nancy@burstnet[2].txt
C:\Documents and Settings\Bill & Nancy\Cookies\bill & [email protected][1].txt
C:\Documents and Settings\Connor\Cookies\connor@adinterax[2].txt
C:\Documents and Settings\Connor\Cookies\connor@adlegend[1].txt
C:\Documents and Settings\Connor\Cookies\connor@adrevolver[1].txt
C:\Documents and Settings\Grant\Cookies\grant@windowsmedia[1].txt
C:\Documents and Settings\Silkey\Cookies\silkey@adecn[1].txt
C:\Documents and Settings\Silkey\Cookies\silkey@specificclick[1].txt
C:\Documents and Settings\Silkey\Cookies\silkey@tripod[2].txt

Worm.Alcra Variant
C:\WINDOWS\SYSTEM32\NETSTAT.COM
C:\WINDOWS\SYSTEM32\TASKKILL.COM

--------------------------------------

Panda Activescan log:

Incident Status Location

Adware:adware/windowenhancer Not disinfected c:\windows\system32\SBUtils
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.overture.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Linksynergy Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.linksynergy.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.tradedoubler.com/]
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.go.com/]
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.perf.overture.com/]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[statse.webtrendslive.com/]
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.bluestreak.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.belnk.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\Lauren\Application Data\Mozilla\Firefox\Profiles\nz0noxif.default\cookies.txt[.bfast.com/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Silkey\Cookies\silkey@bravenet[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Silkey\Cookies\silkey@com[1].txt
----------------------------------
Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:13:37 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Cyb2k.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http:///
O1 - Hosts: 1.1.1.1 viruslist.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 virusscan.jotti.org
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3Tray2.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [C2K] C:\WINDOWS\Cyb2k.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ibmmessages] C:\Program Files\IBM\Messages By IBM\ibmmessages.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster Gold 17\Remind.exe
O4 - Global Startup: Wireless-G Notebook Adapter.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Gcc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1139615603012
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: IBM KCU Service (TpKmpSVC) - Unknown owner - C:\WINDOWS\system32\TpKmpSVC.exe

--
End of file - 11729 bytes
------------------------------------------

Thank you in advance!!

#1
hijode

Posted 10 March 2008 - 10:13 PM

Advertisements

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us