
Can't fully remove popup virus "Trojan.win 32.obfuscated.gx"


  • This topic is locked

#1
JOROMO
  • Member
  • 12 posts
Hello kind expert,

I was unlucky enough to encounter this awesome "Trojan.win 32.obfuscated.gx" virus. I received it, like everyone else, by trying to download an "ActiveX codec" package.

Now whenever I access anything I see the following prompt: "You system was infected by dangerous trojan. Note: your critical files can be lost!" (I'm sure you're familiar with this.) Click OK and it then proceeds to scan the system and install a program, in my case "File Secure". And of course it tells you to pay money to remove the threat, etc. This program couldn't be removed in the "Add/Remove" control panel.

Here's what I tried so far.....

First I ran Norton, which is up to date and functioning. It found nothing.

After searching a little I came across the DDS program on geekstogo. This scan stopped near the end and could not complete. I became suspicious and removed both the HijackThis and DDS programs. Luckily, my search brought me back to geekstogo and this time I found the following posting, which listed a long process to remove the malware successfully.

http://www.geekstogo...gx-t187118.html

So I dug further to happily find the automated 'FixIEDef' application. At first I thought it had worked perfectly. It gave me a readout that stated it had found a virus and removed it. (I didn't get a copy, but I assume it removed the "File Secure" program.) When the virus popup persisted I ran it a second time. This time it read......

********************************************************************************
*                                FixIEDef Log                                  *
*                            Version 1.3.10.3351                               *
********************************************************************************

Created at 14:24:58 on Monday, April 07, 2008

Time Zone : (GMT-05:00) Eastern Time (US & Canada)

Operating System : Microsoft Windows XP Professional
Service Pack Level: Service Pack 2
System Langauge : English
Processor : X86
Boot State : Normal boot

--------------------------------------------------------------------------------

!!! Files that have been deleted !!!

No malicious files found

--------------------------------------------------------------------------------

!!! Directories that have been removed !!!

No malicious directories to be removed

--------------------------------------------------------------------------------

!!! Registry entries that have been removed !!!

No malicious Registry entries found

================================================================================

All Done :)
ShadowPuterDude



I'm still seeing the popup every time I enter a browser menu. So it occurred to me that this virus could have morphed and that FixIEDef may not be able to deal with it fully. Thus, I'm looking for further help. In preparation I've done the following requested steps so far:

1. Ran the ATF Cleaner utility
2. Set a system restore point (couldn't find the option to clear the old ones, despite your included directions)
3. Ran Norton Antivirus again. Importantly, it first told me that it had successfully resolved the "IEDefender" virus (your software), which I stupidly confirmed. Did I negate the fix that FixIEDef had done? Hope not. Ran Norton once more and it also found "Adware.ZangoSearch", quoted as a low-level threat which wasn't being accessed by any outside parties. I removed/quarantined it anyway.
4. Ran Panda ActiveScan

Here's the ActiveScan readout (below it are the HijackThis readout and the uninstall list requested):

ANALYSIS: 2008-04-07 17:44:17
PROTECTIONS: 1
MALWARE: 23
SUSPECTS: 1
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Norton Internet Security 2007 Yes Yes
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.trafficmp.com/]
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.trafficmp.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.doubleclick.net/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Cookies\jonathan moore@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Cookies\jonathan moore@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.atdmt.com/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.tribalfusion.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.mediaplex.com/]
00146967 Cookie/PayCounter TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.paycounter.com/]
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.clickbank.net/]
00167749 Cookie/Toplist TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.toplist.cz/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.statcounter.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.apmebf.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.bs.serving-sys.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Cookies\jonathan moore@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.advertising.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.ads.pointroll.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.overture.com/]
00170554 Cookie/Overture TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.overture.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.realmedia.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.realmedia.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.questionmarket.com/]
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Application Data\Mozilla\Firefox\Profiles\e7lhknzr.default\cookies.txt[.adrevolver.com/]
00207862 Cookie/did-it TrackingCookie No 0 Yes No F:\Documents and Settings\Jonathan Moore\Cookies\jonathan moore@did-it[1].txt
02905717 Adware/Zango Adware No 0 Yes No F:\System Volume Information\_restore{2BFCCAB7-3601-4A69-A2C2-297B96260227}\RP73\A0023031.exe
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
No F:\WINDOWS\CNDR32A.DLL
;===============================================================================
VULNERABILITIES
Id Severity Description


And the HijackThis Notepad log.....


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:43:58 PM, on 4/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\RUNDLL32.EXE
F:\Program Files\Analog Devices\Core\smax4pnp.exe
F:\Program Files\Analog Devices\SoundMAX\Smax4.exe
F:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
F:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
F:\WINDOWS\system32\nvsvc32.exe
F:\WINDOWS\system32\PnkBstrA.exe
F:\WINDOWS\system32\PnkBstrB.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
F:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
F:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: FLW Viewer - {38E4618F-E3E4-42E9-925F-6B02C798BD94} - F:\WINDOWS\cndr32a.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE F:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] F:\WINDOWS\System32\M-AudioTaskBarIcon.exe
O4 - HKLM\..\Run: [SoundMAXPnP] F:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "F:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [JMB36X IDE Setup] F:\WINDOWS\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [36X Raid Configurer] F:\WINDOWS\system32\xRaidSetup.exe boot
O4 - HKLM\..\Run: [Ai Nap] "F:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "F:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [Google Desktop Search] "F:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = F:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ASUS WiFi-AP Solo.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = F:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - F:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - F:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - F:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - F:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - F:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Symantec Core LC - Unknown owner - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 6887 bytes


The HijackThis "Uninstall" list......

Adobe Reader 7.0
AI Suite
Alesis iO Firewire
AppCore
Apple Mobile Device Support
Apple Software Update
Arturia Minimoog V v1.0
ASUS WiFi-AP Solo
ASUSUpdate
AV
AVS DVD Player version 2.3
Battlefield 2142
Call of Duty® 2
ccCommon
Delta
Digidesign Shared Plug-Ins
FFOLKES Unlocks mod v1.20c for BF2142
Google Desktop Search
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
InterVideo DVDCopy5
iTunes
JMB36X Raid Configurer
Lexicon Pantheon Reverb DX
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Marvell Miniport Driver
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.13)
MSRedist
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Drivers
Oddity v1.0-OxYGeN
PACE System Files
Panda ActiveScan 2.0
PC Probe II
QuickTime
Reason 4.0
Rhino 2.0
Rob Papen Albino 3
Rob Papen BLUE V1.02
Rob Papen Predator V1.1.0
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
SONAR 7 Producer Edition
SoundMAX
SPBBC 32bit
SymNet
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Virtual Cable Tester
Windows Driver Package - Alesis (AlesisFirewire) MEDIA (06/29/2007 3.0.0.56)
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781


Hopefully this is enough info to work with. I did not yet download or run AVG or SUPERAntiSpyware, simply because I didn't want them to conflict with Norton. Sorry if I hastily ran/removed anything prematurely. I didn't realize the implications until later.
Thanks for the time you put in. This is an amazing service! I'll be waiting.

Cheers!
JOROMO

Edited by JOROMO, 07 April 2008 - 05:09 PM.


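The thread works through the HijackThis and Panda ActiveScan logs above by eye. As an added example that is not part of the original post, nor code from HijackThis or Panda, the Python script below parses a subset of those exact log lines and cross-references them. Its rules are the example's own assumptions, written to surface leads for a human to verify rather than to declare anything malicious: a BHO DLL loaded from the Windows directory root, a BHO with no display name, an O23 service with "Unknown owner", a UserInit path on a different drive than the running system, and any file Panda also lists under SUSPECTS. Two of the hits it produces on this log (the unnamed Symantec BHO and the PunkBuster services) are legitimate software, which is why the ranking, not any single rule, is what an analyst would read.

```python
"""Triage a HijackThis log against a Panda ActiveScan SUSPECTS list.

Added example, not code from the forum post, HijackThis or Panda. The
sample text is copied from the logs posted in this thread; the rules are
simple analyst heuristics and yield leads to verify, not verdicts.
"""
import re

# Constructed sample: the relevant subset of the HijackThis log in post #1.
HJT_SAMPLE = r"""
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - F:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: FLW Viewer - {38E4618F-E3E4-42E9-925F-6B02C798BD94} - F:\WINDOWS\cndr32a.dll
O23 - Service: PnkBstrA - Unknown owner - F:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - F:\WINDOWS\system32\nvsvc32.exe
"""

# Constructed sample: the SUSPECTS block of the Panda ActiveScan report in post #1.
PANDA_SAMPLE = r"""
SUSPECTS
Sent Location
No F:\WINDOWS\CNDR32A.DLL
VULNERABILITIES
"""

BHO_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.+)$")
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=([^,]+)")
# A file sitting directly in <drive>:\WINDOWS, not in System32 or Program Files.
WINDIR_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)


def parse_panda_suspects(text):
    """Return lower-cased paths from the SUSPECTS block ('Sent Location' rows)."""
    suspects, in_block = set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "SUSPECTS":
            in_block = True
        elif in_block and line == "VULNERABILITIES":
            break
        elif in_block and (m := re.match(r"^(?:Yes|No)\s+(.+)$", line)):
            suspects.add(m.group(1).lower())
    return suspects


def parse_hjt(text):
    """Pull running processes, BHOs, services and the UserInit value out of a HJT log."""
    hjt = {"processes": [], "bho": [], "services": [], "userinit": None}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and line:
            hjt["processes"].append(line)
            continue
        in_procs = False  # the process list ends at the first blank line
        if m := BHO_RE.match(line):
            hjt["bho"].append(m.groups())
        elif m := SVC_RE.match(line):
            hjt["services"].append(m.groups())
        elif m := USERINIT_RE.match(line):
            hjt["userinit"] = m.group(1)
    return hjt


def triage(hjt_text, panda_text):
    """Map each path worth a second look to the list of reasons it was flagged."""
    hjt, suspects = parse_hjt(hjt_text), parse_panda_suspects(panda_text)
    findings = {}

    def flag(path, reason):
        findings.setdefault(path, []).append(reason)

    for name, _clsid, path in hjt["bho"]:
        if WINDIR_ROOT_RE.match(path):
            flag(path, "BHO DLL sits directly in the Windows directory, not System32 or Program Files")
        if name == "(no name)":
            flag(path, "BHO has no display name; check the DLL's publisher")
        if path.lower() in suspects:
            flag(path, "same file is listed under SUSPECTS in the Panda ActiveScan report")
    for name, owner, path in hjt["services"]:
        if owner == "Unknown owner":
            flag(path, f"service '{name}' has no publisher string; match it to installed software first")
    # System drive is taken from the first running process (smss.exe).
    sys_drive = hjt["processes"][0][0].lower() if hjt["processes"] else None
    userinit = hjt["userinit"]
    if userinit and sys_drive and userinit[0].lower() != sys_drive:
        flag(userinit, f"UserInit points at drive {userinit[0].upper()}: while the system runs from "
                       f"{sys_drive.upper()}:; confirm this is the genuine userinit.exe")
    return findings


def ranked(findings):
    """Most-corroborated paths first, ties broken alphabetically."""
    return sorted(findings.items(), key=lambda kv: (-len(kv[1]), kv[0].lower()))


if __name__ == "__main__":
    for path, reasons in ranked(triage(HJT_SAMPLE, PANDA_SAMPLE)):
        print(path)
        for reason in reasons:
            print("   -", reason)
```

Run stand-alone it prints the ranked leads; `F:\WINDOWS\cndr32a.dll` comes out on top because two independent sources agree on it, while the Symantec BHO, the PunkBuster service and the UserInit drive mismatch each carry a single reason and need to be checked against the installed-software list before anything is removed.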


#2
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3
JOROMO
  • Topic Starter
  • Member
  • 12 posts
Ok, I ran the DDS.exe and it stopped at 80% with a Windows error on "Examining Event Logs."

Error read: "dss.exe has encountered a problem and needs to close. We are sorry for the inconvenience"

Error report details:
AppName: dss.exe AppVer: 3.2.8.1 ModName: ntdll.dll
ModVer: 5.1.2600.2180 Offset: 00011bf4

The only info the Windows report would allow me to capture from the "error report contents" is:
"The following files will be included in this error report"
F:\DOCUME~1\JONATH~1\LOCALS~1\Temp\1332_appcompat.txt

For some reason I could not copy/paste the full log.
I did not send the report to Microsoft.
This is the same spot the dds stopped with an error the last time I tried running it... which was actually the first attempt made at fixing the bug.

#4
Rorschach112
    Ralphie
  • Retired Staff
  • 47,710 posts
Try this instead

Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Under Additional Scans check the boxes beside Reg - App Paths, Reg - Bot Check, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg - File Additional Folder Scans, File - Lop Check, and File - Purity Scan.
  • Under Drivers change it to Non-Microsoft.
  • Check the box beside Scan All User Accounts at the top
  • Under Files Created Within and Files Modified Within change it to 90 days.
  • Now click the Run Scan button on the toolbar.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way

#5 JOROMO (Topic Starter, Member, 12 posts)

Got the OTScan, but I don't see any option to attach or upload a file here or in my "controls" (feel kinda silly) :)

#6 Rorschach112 (Retired Staff, 47,710 posts)

Use Add Reply

Click Browse then navigate to the report, select it, click Upload

That's it :)

#7 JOROMO (Topic Starter, Member, 12 posts)

OK, it appears I may have a Firefox setting in place or something that's removed any "browse" or attach option from my "Add Reply" screen.
I've attached and sent the OTScan to my work address so I can at least try from there. Please describe exactly where on the page the browse/attach option should be so my brain doesn't explode from searching (haha). TTYS.

#8 Rorschach112 (Retired Staff, 47,710 posts)

It is under the dialog box after you press Add Reply; you will see a panel for attachments.

If you can't upload it then host it on a site like mediafire.com and post the link here

#9 JOROMO (Topic Starter, Member, 12 posts)

Indeed, using Internet Explorer, all the functionality of the messaging is available. The layout of this page is completely different using the Firefox version on my infected home PC. It may need an update. Maybe you know of a layout setting I need to tweak in Firefox; the current format looks like plain text with no borders or shading, thus all the message options surrounding the text box are removed. Odd.

In any case, I managed to attach and send the temp 1KB scan file to my work mail (instead of the actual 230KB scan), so what I just uploaded is likely blank. I'll send the useful one when I get home from work at 6:00 EST. Thanks again... especially for the patience.

JM


#10 Rorschach112 (Retired Staff, 47,710 posts)

Yep it's blank

I will wait for the 230kb one, no rush :)

#11 JOROMO (Topic Starter, Member, 12 posts)

Couldn't fix Firefox. Just installed Explorer... when using this browser I see that virus pop up every time I breathe wrong. Here's the scan, my man. Sorry for the delay.


#12 JOROMO (Topic Starter, Member, 12 posts)

Just realized you may be in Ireland (5 hours ahead of me). I wouldn't be up past midnight responding to forum posts either (haha). I'll make an attempt to get up early tomorrow morning (12:00 your time) to make some headway on this. Cheers,
JM

(Oddly, the install of Explorer seems to have fixed all the formatting issues in Firefox.)

#13 Rorschach112 (Retired Staff, 47,710 posts)

Hello

Start OTScanIt. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> M-Audio Taskbar Icon -> %SystemRoot%\System32\M-AudioTaskBarIcon.exe [F:\WINDOWS\System32\M-AudioTaskBarIcon.exe]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {38E4618F-E3E4-42E9-925F-6B02C798BD94} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\cndr32a.dll [FLW Viewer]
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
YN -> ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
YN -> msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
[Files/Folders - Created Within 90 days]
NY -> 1 F:\WINDOWS\System32\*.tmp files -> F:\WINDOWS\System32\*.tmp
NY -> 4 F:\WINDOWS\*.tmp files -> F:\WINDOWS\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> FixIEDef.exe -> %UserProfile%\Desktop\FixIEDef.exe
[Extra Files]
Purity
[Empty Temp Folders]
[Start Explorer]
[Reboot]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.



Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now, under Select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

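An added example of my own (not OTScanIt's code and not part of this thread's instructions): a way to check mechanically that a fix of this shape did what the script asked, by matching each YN/YY/NY directive against the fix log the tool writes. The meaning of the two-letter prefix (first letter registry entry, second letter file on disk, Y meaning act on it) is my inference from the two logs posted in the next reply, not something the tool documents here. The fix script and the two log excerpts embedded below are copied from this thread and trimmed to the lines the check needs.

```python
"""Cross-check an OTScanIt fix script against the log the fix produced.
Assumed flag semantics (inferred from the two logs posted in this thread, not
from any OTScanIt documentation): the prefix is <registry><file> and Y means
"act on that part", so YN deletes only the registry entry, YY also moves the
file, and NY moves a file only."""
import re
from fnmatch import fnmatchcase

FLAG_RE = re.compile(r"^(?P<reg>[YN])(?P<file>[YN]) -> (?P<body>.+)$")
# A path inside a directive: %Var%\... or X:\..., ended by whitespace or a bracket.
PATH_RE = re.compile(r"(?:%[A-Za-z]+%|[A-Za-z]:)\\[^\s\[\]]+")
# Log lines that report a file outcome; the path itself may contain spaces.
FILE_LINE_RE = re.compile(r"^(?:File move failed\. |File )?(?P<path>[A-Za-z]:\\.+?)"
                          r"(?: moved successfully\.| scheduled to be moved on reboot\.| not found!)$")
OUTCOMES = [("done", re.compile(r"(deleted|moved) successfully\.$")),
            ("pending", re.compile(r"scheduled to be moved on reboot\.$")),
            ("absent", re.compile(r"not found[.!]$"))]
RANK = {"unconfirmed": 0, "absent": 1, "pending": 2, "done": 3}


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_fix(script):
    """Directives as dicts: which parts to act on, plus the tokens to look for in the log."""
    directives = []
    for line in script.splitlines():
        m = FLAG_RE.match(line.strip())
        if not m:
            continue  # section headers, "< Run ... >" lines, Purity, and so on
        left, _, right = m.group("body").partition(" -> ")
        path = PATH_RE.search(right)
        directives.append({"reg": m.group("reg") == "Y", "file": m.group("file") == "Y",
                           "reg_token": left.split(" [", 1)[0].strip(),  # value name, CLSID or protocol
                           "file_token": basename(path.group(0)) if path else None})  # may be a glob
    return directives


def parse_log(log):
    """Keep only log lines that state an outcome, tagged done / pending / absent."""
    events = []
    for line in log.splitlines():
        for status, rule in OUTCOMES:
            if rule.search(line.strip()):
                events.append((status, line.strip()))
                break
    return events


def verify(directives, events):
    """For each directive, the strongest outcome the log confirms for its registry and file parts."""
    report = []
    for d in directives:
        reg = fil = None
        if d["reg"]:
            reg = "unconfirmed"
            pat = re.compile(r"\\" + re.escape(d["reg_token"].rstrip(":")) + r"(?:\\|\s|$)", re.I)
            for status, line in events:
                if line.startswith("Registry") and pat.search(line) and RANK[status] > RANK[reg]:
                    reg = status
        if d["file"] and d["file_token"]:
            fil = "unconfirmed"
            for status, line in events:
                m = FILE_LINE_RE.match(line)
                if (m and fnmatchcase(basename(m.group("path")).lower(), d["file_token"].lower())
                        and RANK[status] > RANK[fil]):
                    fil = status
        report.append({"directive": d, "registry": reg, "file": fil})
    return report


def outstanding(report):
    """Directives the log does not confirm as done (or as already gone)."""
    return [r for r in report if {r["registry"], r["file"]} & {"pending", "unconfirmed"}]


# Fix script and log excerpts copied from this thread, trimmed to the relevant lines.
FIX_SCRIPT = r"""
[Registry - Non-Microsoft Only]
YN -> M-Audio Taskbar Icon -> %SystemRoot%\System32\M-AudioTaskBarIcon.exe [F:\WINDOWS\System32\M-AudioTaskBarIcon.exe]
YY -> {38E4618F-E3E4-42E9-925F-6B02C798BD94} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\cndr32a.dll [FLW Viewer]
YN -> ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
YN -> msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
[Files/Folders - Created Within 90 days]
NY -> 1 F:\WINDOWS\System32\*.tmp files -> F:\WINDOWS\System32\*.tmp
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> FixIEDef.exe -> %UserProfile%\Desktop\FixIEDef.exe
"""
LOG_RUN1 = r"""
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\M-Audio Taskbar Icon deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38E4618F-E3E4-42E9-925F-6B02C798BD94}\ deleted successfully.
F:\WINDOWS\cndr32a.dll unregistered successfully.
File move failed. F:\WINDOWS\cndr32a.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ deleted successfully.
F:\Documents and Settings\Jonathan Moore\Desktop\FixIEDef.exe moved successfully.
"""
LOG_RUN2 = r"""
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\M-Audio Taskbar Icon not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38E4618F-E3E4-42E9-925F-6B02C798BD94}\ not found.
F:\WINDOWS\cndr32a.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ not found.
File F:\Documents and Settings\Jonathan Moore\Desktop\FixIEDef.exe not found!
"""
```

outstanding() is the list worth reading. On the excerpts above, after the first run it holds the BHO DLL (its move is only scheduled for reboot) and the *.tmp files, which the log never mentions at all; after the second run only the *.tmp entry is still unconfirmed, and the registry items now read "absent" rather than "done", which is what you expect when a fix is re-run on an already-cleaned key. The registry match deliberately requires a backslash immediately before the token so that the ipp: directive is not satisfied by the msdaipp line.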

#14 JOROMO (Topic Starter, Member, 12 posts)

Here are the logs from the pasted fix. The scan simply prompted a "files won't be removed until you reboot", which I did. No "Notepad" logs popped up, so I hope these are the correct ones, as I found them in the "Moved Files" folder. The virus popup appears to be cured! Below them is the Kaspersky readout.

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\M-Audio Taskbar Icon deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38E4618F-E3E4-42E9-925F-6B02C798BD94}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38E4618F-E3E4-42E9-925F-6B02C798BD94}\ deleted successfully.
F:\WINDOWS\cndr32a.dll unregistered successfully.
File move failed. F:\WINDOWS\cndr32a.dll scheduled to be moved on reboot.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ deleted successfully.
[Files/Folders - Created Within 90 days]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
F:\Documents and Settings\Jonathan Moore\Desktop\FixIEDef.exe moved successfully.
[Extra Files]
< Purity >
[Empty Temp Folders]
File delete failed. F:\Documents and Settings\Jonathan Moore\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.9.0 fix logfile created on 04102008_174205

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\M-Audio Taskbar Icon not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{38E4618F-E3E4-42E9-925F-6B02C798BD94}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{38E4618F-E3E4-42E9-925F-6B02C798BD94}\ not found.
F:\WINDOWS\cndr32a.dll unregistered successfully.
F:\WINDOWS\cndr32a.dll moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ipp\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\msdaipp\ not found.
[Files/Folders - Created Within 90 days]
[Files Created - Additional Folder Scans - Non-Microsoft Only]
File F:\Documents and Settings\Jonathan Moore\Desktop\FixIEDef.exe not found!
[Extra Files]
< Purity >
[Empty Temp Folders]
File delete failed. F:\Documents and Settings\Jonathan Moore\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
File delete failed. F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User temp folders emptied.
SystemRoot temp folder emptied.
IE temp folders emptied
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.9.0 fix logfile created on 04102008_174315


Kaspersky
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, April 10, 2008 7:59:07 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/04/2008
Kaspersky Anti-Virus database records: 696397
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 128397
Number of viruses found: 5
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 01:21:53

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\Deckard\System Scanner\20080406233509\backup\DOCUME~1\JONATH~1\LOCALS~1\Temp\A88-tmpaoi.exe Infected: Trojan-Downloader.Win32.Peregar.w skipped
F:\Deckard\System Scanner\20080406233509\backup\DOCUME~1\JONATH~1\LOCALS~1\Temp\A8A-tmpaoi.exe Infected: Trojan-Downloader.Win32.Peregar.w skipped
F:\Deckard\System Scanner\20080406233509\backup\DOCUME~1\JONATH~1\LOCALS~1\Temp\hcdqj82y.exe Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-10_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\0A858BC7.TMP Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\9EA241B0.TMP Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
F:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Desktop\OTScanIt\MovedFiles\04102008_174315\WINDOWS\cndr32a.dll Infected: Trojan-Downloader.Win32.Peregar.v skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Google\Google Desktop Search\dbc2e.ht1 Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Google\Google Desktop Search\dbdam Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Google\Google Desktop Search\dbdao Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Google\Google Desktop Search\dbeam Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Google\Google Desktop Search\dbeao Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Google\Google Desktop Search\dbm Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Google\Google Desktop Search\dbu2d.ht1 Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Google\Google Desktop Search\dbvm.cf1 Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Google\Google Desktop Search\dbvmh.ht1 Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Google\Google Desktop Search\fii.cf1 Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Google\Google Desktop Search\fiih.ht1 Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Google\Google Desktop Search\rpm.cf1 Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Google\Google Desktop Search\rpmh.ht1 Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Jonathan Moore\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\Jonathan Moore\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\Jonathan Moore\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
F:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
F:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
F:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
F:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
F:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
F:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
F:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
F:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{2BFCCAB7-3601-4A69-A2C2-297B96260227}\RP72\A0021700.exe Infected: not-a-virus:FraudTool.Win32.IeDefender.cf skipped
F:\System Volume Information\_restore{2BFCCAB7-3601-4A69-A2C2-297B96260227}\RP73\A0021712.exe Infected: Trojan-Downloader.Win32.Delf.gji skipped
F:\System Volume Information\_restore{2BFCCAB7-3601-4A69-A2C2-297B96260227}\RP73\A0021713.exe/data0008 Infected: not-a-virus:FraudTool.Win32.IeDefender.cf skipped
F:\System Volume Information\_restore{2BFCCAB7-3601-4A69-A2C2-297B96260227}\RP73\A0021713.exe NSIS: infected - 1 skipped
F:\System Volume Information\_restore{2BFCCAB7-3601-4A69-A2C2-297B96260227}\RP73\A0021716.exe/data0008 Infected: not-a-virus:FraudTool.Win32.IeDefender.cf skipped
F:\System Volume Information\_restore{2BFCCAB7-3601-4A69-A2C2-297B96260227}\RP73\A0021716.exe NSIS: infected - 1 skipped
F:\System Volume Information\_restore{2BFCCAB7-3601-4A69-A2C2-297B96260227}\RP73\A0023016.exe Infected: not-a-virus:FraudTool.Win32.IeDefender.cf skipped
F:\System Volume Information\_restore{2BFCCAB7-3601-4A69-A2C2-297B96260227}\RP73\A0023031.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
F:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
F:\WINDOWS\RTacDbg.txt Object is locked skipped
F:\WINDOWS\SchedLgU.Txt Object is locked skipped
F:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
F:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
F:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\default Object is locked skipped
F:\WINDOWS\system32\config\default.LOG Object is locked skipped
F:\WINDOWS\system32\config\Internet.evt Object is locked skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
F:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
F:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\SECURITY Object is locked skipped
F:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
F:\WINDOWS\system32\config\software Object is locked skipped
F:\WINDOWS\system32\config\software.LOG Object is locked skipped
F:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
F:\WINDOWS\system32\config\system Object is locked skipped
F:\WINDOWS\system32\config\system.LOG Object is locked skipped
F:\WINDOWS\system32\h323log.txt Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
F:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
F:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
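An added example of my own, not Kaspersky's code and not part of this thread: the report above counts 11 infected objects, yet every one of them sits under a System Restore point, the Deckard System Scanner backup folder, or OTScanIt's MovedFiles folder, and the rest of the list is "Object is locked" noise. The script below parses the report format, drops the locked-object lines and classifies each detection by where it lives, so a finding in a restore point or a tool's quarantine is not mistaken for a live infection. The location rules are mine; the embedded sample is an excerpt of the report above plus one clearly marked constructed line that exercises the live-path branch and does not come from the poster's machine.

```python
"""Triage a Kaspersky Online Scanner text report: separate real detections from
"Object is locked" noise and say where each detection lives, so a finding in a
System Restore point or a removal tool's backup folder is not mistaken for a
live infection. The location classes are my own, not the scanner's."""
import re
from collections import Counter

DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<sig>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
ARCHIVE_MEMBER_RE = re.compile(r"/data\d+$")  # the scanner's notation for a file inside an installer
# First matching rule wins; a path matching none of them counts as a live location.
LOCATION_RULES = [
    ("system_restore", re.compile(r"\\System Volume Information\\_restore\{", re.I)),
    ("tool_backup", re.compile(r"\\Deckard\\System Scanner\\[^\\]+\\backup\\", re.I)),
    ("tool_quarantine", re.compile(r"\\OTScanIt\\MovedFiles\\", re.I)),
]


def classify_location(path):
    for label, rule in LOCATION_RULES:
        if rule.search(path):
            return label
    return "live"


def parse_report(text):
    """Return (detections, locked_paths). A detection carries the container path
    (archive member suffix stripped), the signature name and the location class."""
    detections, locked = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECTION_RE.match(line)
        if m:
            container = ARCHIVE_MEMBER_RE.sub("", m.group("path"))
            detections.append({"path": container, "signature": m.group("sig"),
                               "in_archive": container != m.group("path"),
                               "location": classify_location(container)})
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m.group("path"))
        # "NSIS: infected - 1" summary lines repeat what the member line already said; dropped.
    return detections, locked


def summarize(detections):
    """Detections per location class; a non-zero 'live' count means the box is still infected."""
    return Counter(d["location"] for d in detections)


def live_detections(detections):
    return [d for d in detections if d["location"] == "live"]


# Excerpt of the report posted in this thread.
SAMPLE_REPORT = r"""
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\Deckard\System Scanner\20080406233509\backup\DOCUME~1\JONATH~1\LOCALS~1\Temp\A88-tmpaoi.exe Infected: Trojan-Downloader.Win32.Peregar.w skipped
F:\Deckard\System Scanner\20080406233509\backup\DOCUME~1\JONATH~1\LOCALS~1\Temp\A8A-tmpaoi.exe Infected: Trojan-Downloader.Win32.Peregar.w skipped
F:\Documents and Settings\Jonathan Moore\Desktop\OTScanIt\MovedFiles\04102008_174315\WINDOWS\cndr32a.dll Infected: Trojan-Downloader.Win32.Peregar.v skipped
F:\System Volume Information\_restore{2BFCCAB7-3601-4A69-A2C2-297B96260227}\RP72\A0021700.exe Infected: not-a-virus:FraudTool.Win32.IeDefender.cf skipped
F:\System Volume Information\_restore{2BFCCAB7-3601-4A69-A2C2-297B96260227}\RP73\A0021713.exe/data0008 Infected: not-a-virus:FraudTool.Win32.IeDefender.cf skipped
F:\System Volume Information\_restore{2BFCCAB7-3601-4A69-A2C2-297B96260227}\RP73\A0021713.exe NSIS: infected - 1 skipped
F:\System Volume Information\_restore{2BFCCAB7-3601-4A69-A2C2-297B96260227}\RP73\A0023031.exe Infected: not-a-virus:AdTool.Win32.Zango.s skipped
F:\WINDOWS\system32\config\SAM Object is locked skipped
"""
# Constructed line (not from the poster's machine) so the live branch can be exercised.
CONSTRUCTED_LIVE_LINE = r"F:\WINDOWS\system32\example-live.dll Infected: Example.Test.Signature skipped"
```

On the excerpt, summarize() gives 2 detections in the tool backup, 1 in OTScanIt's quarantine and 3 in restore points, with nothing live; that is the machine-readable version of the "your logs are clean" verdict in the next reply. The archive member line for A0021713.exe is folded into its container, so an installer with one flagged payload counts once, and the accompanying "NSIS: infected - 1" summary line is not double-counted.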

#15 Rorschach112 (Retired Staff, 47,710 posts)

Your logs are clean! We need to do a few things.

  • Make sure you have an Internet Connection.
  • Double-click OTScanIt.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTMoveIt2 from reaching the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.


You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
http://www.adobe.com.../readstep2.html



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
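An added example of my own, not from the reply above and not Microsoft's code: the same three ActiveX settings checked from a registry export instead of by clicking through Inetcpl.cpl, with a .reg fragment that corrects only the values that deviate. What it relies on: per-user zone settings live under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>, zone 3 is the Internet zone, the action DWORDs take 0 = Enable, 1 = Prompt, 3 = Disable, and the three settings named above are action IDs 1001 (download signed ActiveX controls), 1004 (download unsigned ActiveX controls) and 1201 (initialize and script ActiveX controls not marked as safe). The export it parses is constructed for the example; a real one comes from `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`.

```python
"""Audit Internet Explorer's Internet-zone ActiveX settings against the values
recommended in the reply above and emit a .reg fragment that corrects only what
deviates. Registry facts relied on: per-user zone settings live under
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>, zone 3
is Internet, the action DWORDs take 0 = Enable, 1 = Prompt, 3 = Disable, and the
three actions named in the reply are 1001, 1004 and 1201. The "current" export
below is constructed input, not taken from the poster's machine."""
import re

ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
INTERNET_ZONE = 3
ACTION_NAME = {0: "Enable", 1: "Prompt", 3: "Disable"}
STRICTNESS = {0: 0, 1: 1, 3: 2}  # higher = more restrictive
# action id -> (description, least restrictive acceptable value)
ACTIVEX_POLICY = {
    1001: ("Download signed ActiveX controls", 1),
    1004: ("Download unsigned ActiveX controls", 1),
    1201: ("Initialize and script ActiveX controls not marked as safe", 3),
}
REG_DWORD_RE = re.compile(r'^"(?P<name>\d+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_zone_export(text):
    """Numeric DWORD values from a `reg export` of one zone key.
    reg.exe writes UTF-16 with a BOM, so open a real export with encoding="utf-16"."""
    values = {}
    for line in text.splitlines():
        m = REG_DWORD_RE.match(line.strip())
        if m:
            values[int(m.group("name"))] = int(m.group("hex"), 16)
    return values


def audit(current, policy=ACTIVEX_POLICY):
    """Findings for every policy action whose current value is missing, unknown,
    or more permissive than the policy allows. A stricter value passes."""
    findings = []
    for action_id, (desc, required) in policy.items():
        value = current.get(action_id)
        if value not in STRICTNESS or STRICTNESS[value] < STRICTNESS[required]:
            findings.append({"id": action_id, "setting": desc,
                             "current": ACTION_NAME.get(value, "missing/unknown"),
                             "required": required})
    return findings


def reg_fix(findings, zone=INTERNET_ZONE):
    """A .reg fragment (import with reg.exe or regedit) that sets only the deviating values."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{ZONES_KEY}\\{zone}]"]
    for f in findings:
        lines.append(f'"{f["id"]}"=dword:{f["required"]:08x}')
    return "\n".join(lines) + "\n"


# Constructed export of Zones\3: signed downloads enabled (too loose), unsigned
# downloads disabled (stricter than required, passes), unsafe-for-scripting
# initialization set to Prompt (too loose).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1001"=dword:00000000
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000001
"""
```

On the constructed export the audit reports 1001 (Enable, needs at least Prompt) and 1201 (Prompt, needs Disable) and leaves 1004 alone because Disable is stricter than the Prompt the reply asks for. One check worth doing before trusting the HKCU values: if an administrator has set the Security_HKLM_only DWORD under HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings, the zone settings are read from HKLM instead, and the export to audit is the HKLM copy of the same Zones\3 key.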





