Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

AURORA popup creating havoc[CLOSED]

Started by tapya , May 04 2005 11:07 PM

  • This topic is locked This topic is locked

#1
tapya
Posted 04 May 2005 - 11:07 PM

tapya

    New Member

  • Member
  • Pip
  • 7 posts
Please help with AURORA popup and other malware if present.

I followed all the rules before posting this HJT log.
My HJT folder is in C:
For eg. C:\HJT\HJT.exe

Log is as follows.

Logfile of HijackThis v1.99.1
Scan saved at 9:53:20 PM, on 5/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\T-Mobile USA\VPN Client\cvpnd.exe
C:\winnt\system32\spool\printers\FireDaemon.exe
c:\WINNT\system32\spool\printers\winmgnt.exe
C:\NOKIAMGR\System32\GCSServer.exe
C:\NOKIAMGR\System32\gcssync.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\CCM\CcmExec.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\cnvfat33.exe
C:\WINNT\System32\rmpplv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.attws.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Shockwave] c:\SOURCE\Macromed\Shockwave.wsf
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Player Address] C:\WINNT\System32\slbitvdm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\System32\winupdt.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINNT\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [hbsc] C:\WINNT\System32\lmqwuim\hbsc.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINNT\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINNT\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [265b49e8e0c6] C:\WINNT\System32\cnvfat33.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\rmpplv.exe
O4 - HKCU\..\Run: [ho7mRRH7T] cha8thk.exe
O4 - HKCU\..\Run: [dmrbit] C:\WINNT\System32\dmrbit.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: T-Mobile USA VPN Client.lnk = C:\Program Files\T-Mobile USA\VPN Client\vpngui.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.attws.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia...ll/pcs_0012.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114999724148
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\Software\..\Telephony: DomainName = wireless.attws.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O21 - SSODL: Themes Address - {6101B3DF-0404-48F7-8D5C-82E0C3916323} - C:\WINNT\System32\msvfuery.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\T-Mobile USA\VPN Client\cvpnd.exe
O23 - Service: FireDaemon Service: dll32 (dll32) - Sublime Solutions Pty Ltd - C:\winnt\system32\spool\printers\FireDaemon.exe
O23 - Service: FireDaemon Service: events (events) - Sublime Solutions Pty Ltd - C:\winnt\system32\spool\printers\FireDaemon.exe
O23 - Service: Nokia GCS (GCSR4) - Nokia - C:\NOKIAMGR\System32\GCSServer.exe
O23 - Service: Nokia GCS Sync (GCSSYNC) - Nokia - C:\NOKIAMGR\System32\gcssync.exe
O23 - Service: hbsclmqwuim - Unknown owner - C:\WINNT\System32\lmqwuim\hbsc.exe (file missing)
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

Advertisements

#2
Guest_thatman_*
Posted 06 May 2005 - 12:38 PM

Guest_thatman_*
  • Guest
Hi tapya

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Lets see if this will finds any hidden Trojan’s http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
when first run the program will auto-update, Run ewido now

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:
c:\WINNT\system32\spool\printers\winmgnt.exe
C:\WINNT\System32\cnvfat33.exe
C:\WINNT\System32\rmpplv.exe
Exit the Task Manager when finished.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 216.39.69.102 view.atdmt.com
O4 - HKLM\..\Run: [Shockwave] c:\SOURCE\Macromed\Shockwave.wsf
O4 - HKLM\..\Run: [Player Address] C:\WINNT\System32\slbitvdm.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\System32\winupdt.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINNT\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [hbsc] C:\WINNT\System32\lmqwuim\hbsc.exe
O4 - HKLM\..\Run: [Uninstall_TBPS] C:\WINNT\Temp\TBuninst.exe /remove
O4 - HKLM\..\Run: [Uninstall_WinTools] C:\WINNT\Temp\WTuninst.exe /remove
O4 - HKLM\..\Run: [265b49e8e0c6] C:\WINNT\System32\cnvfat33.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\rmpplv.exe
O4 - HKCU\..\Run: [ho7mRRH7T] cha8thk.exe
O4 - HKCU\..\Run: [dmrbit] C:\WINNT\System32\dmrbit.exe
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia...ll/pcs_0012.exe
O21 - SSODL: Themes Address - {6101B3DF-0404-48F7-8D5C-82E0C3916323} - C:\WINNT\System32\msvfuery.dll
Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
c:\WINNT\system32\spool\printers\winmgnt.exe
C:\WINNT\System32\cnvfat33.exe
C:\WINNT\System32\rmpplv.exe
c:\SOURCE\Macromed\Shockwave.wsf
C:\WINNT\System32\slbitvdm.exe
C:\WINNT\System32\winupdt.exe
C:\WINNT\cfgmgr51.dll
C:\WINNT\System32\lmqwuim\hbsc.exe
C:\WINNT\Temp\TBuninst.exe /remove
C:\WINNT\Temp\WTuninst.exe /remove
cha8thk.exe
C:\WINNT\System32\dmrbit.exe
C:\WINNT\System32\msvfuery.dll

Exit Explorer.Reboot as normal.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.


Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#3
tapya
Posted 07 May 2005 - 03:02 AM

tapya

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi thatman,

Thanks for the reply. I did as instructed.
Attached is the panda scan log follwed by latest HJT scan.


Incident Status Location

Adware:Adware/nCase No disinfected C:\DOCUME~1\Rakesh\LOCALS~1\Temp\180sainstaller.exe
Adware:Adware/KeenValue No disinfected C:\WINNT\System32\drivers\etc\hosts.bho
Adware:Adware/PortalScan No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\DOCUME~1\Rakesh\LOCALS~1\Temp\bs*.tmpbsx32
Adware:Adware/VirtualBouncer No disinfected C:\WINNT\System32\InnerVBInstall.log
Adware:Adware/IEDriver No disinfected C:\WINNT\System32\Searchx.htm
Adware:Adware/ILookup No disinfected C:\Documents and Settings\Rakesh\Favorites\Gambling
Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Rakesh\Favorites\Casino & Carrers
Spyware:Spyware/Whazit No disinfected C:\WINNT\System32\fiz1
Spyware:Spyware/SurfSideKick No disinfected C:\DOCUME~1\Rakesh\LOCALS~1\Temp\SskUpdater.exe
Adware:Adware/Pacimedia No disinfected Windows Registry
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINNT\System32\Free Cell Phone.ico
Adware:Adware/SearchTheWeb No disinfected C:\WINNT\System32\Cache\mswinstall.exe
Adware:Adware/IEDriver No disinfected C:\Documents and Settings\Rakesh\Favorites\Get out of Debt!.url
Adware:Adware/nCase No disinfected C:\Documents and Settings\Rakesh\Local Settings\Temp\180sainstaller.exe
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Rakesh\Local Settings\Temp\SskUpdater.exe
Possible Virus. No disinfected C:\Documents and Settings\Rakesh\Local Settings\Temp\tempun.exe
Virus:Trj/Downloader.CML Disinfected C:\Documents and Settings\Rakesh\Local Settings\Temporary Internet Files\Content.IE5\4BJBYOX1\winupdate55380574[1].exe
Adware:Adware/SAHAgent No disinfected C:\WINNT\inf\biK.inf
Spyware:Spyware/UrlSpy No disinfected C:\WINNT\system32\bitsprx3.exe
Virus:Trj/Multidropper.AFQ Disinfected C:\WINNT\system32\c58bKs.dll
Adware:Adware/PortalScan No disinfected C:\WINNT\system32\Cache\InstallAPS.exe
Adware:Adware/SearchTheWeb No disinfected C:\WINNT\system32\Cache\mswinstall.exe
Spyware:Spyware/UrlSpy No disinfected C:\WINNT\system32\cmpbk321.exe
Adware:Adware/KeenValue No disinfected C:\WINNT\system32\drivers\etc\hosts.bho
Spyware:Spyware/Whazit No disinfected C:\WINNT\system32\fiz1
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINNT\system32\Free Cell Phone.ico
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINNT\system32\Free LapTop Computer.ico
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINNT\system32\Free Ringtones!.ico
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINNT\system32\Free Sony Playstation.ico
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINNT\system32\Free U2 iPod.ico
Adware:Adware/VirtualBouncer No disinfected C:\WINNT\system32\INNERADINSTALL.LOG
Adware:Adware/VirtualBouncer No disinfected C:\WINNT\system32\INNERVBINSTALL.LOG
Spyware:Spyware/Whazit No disinfected C:\WINNT\system32\kyf.dat
Adware:Adware/AlwaysupdatednewsNo disinfected C:\WINNT\system32\NBA Giveaway.ico
Adware:Adware/IEDriver No disinfected C:\WINNT\system32\Searchx.htm
Adware:Adware/PortalScan No disinfected C:\WINNT\system32\winupdt.008
Adware:Adware/PortalScan No disinfected C:\WINNT\system32\winupdt.bin



****************************************************


Logfile of HijackThis v1.99.1
Scan saved at 1:56:18 AM, on 5/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\T-Mobile USA\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\NOKIAMGR\System32\GCSServer.exe
C:\NOKIAMGR\System32\gcssync.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\CCM\CcmExec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\Searchx.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.attws.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: T-Mobile USA VPN Client.lnk = C:\Program Files\T-Mobile USA\VPN Client\vpngui.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.attws.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114999724148
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\Software\..\Telephony: DomainName = wireless.attws.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\T-Mobile USA\VPN Client\cvpnd.exe
O23 - Service: FireDaemon Service: dll32 (dll32) - Sublime Solutions Pty Ltd - C:\winnt\system32\spool\printers\FireDaemon.exe
O23 - Service: FireDaemon Service: events (events) - Sublime Solutions Pty Ltd - C:\winnt\system32\spool\printers\FireDaemon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Nokia GCS (GCSR4) - Nokia - C:\NOKIAMGR\System32\GCSServer.exe
O23 - Service: Nokia GCS Sync (GCSSYNC) - Nokia - C:\NOKIAMGR\System32\gcssync.exe
O23 - Service: hbsclmqwuim - Unknown owner - C:\WINNT\System32\lmqwuim\hbsc.exe (file missing)
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe





Please advise further.
  • 0

#4
Guest_thatman_*
Posted 07 May 2005 - 03:26 AM

Guest_thatman_*
  • Guest
Hi tapya

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!
http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.
Reboot when prompted to let it clean out the remaining files.

Reboot into Safe Mode: please see here if you are not sure how to do this.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.
C:\DOCUME~1\Rakesh\LOCALS~1\Temp\180sainstaller.exe
C:\WINNT\System32\drivers\etc\hosts.bho
C:\DOCUME~1\Rakesh\LOCALS~1\Temp\bs*.tmpbsx32
C:\WINNT\System32\InnerVBInstall.log
C:\WINNT\System32\Searchx.htm
C:\Documents and Settings\Rakesh\Favorites\Gambling
C:\Program Files\FwBarTemp
C:\Documents and Settings\Rakesh\Favorites\Casino & Carrers
C:\WINNT\System32\fiz1
C:\DOCUME~1\Rakesh\LOCALS~1\Temp\SskUpdater.exe
C:\WINNT\System32\Free Cell Phone.ico
C:\WINNT\System32\Cache\mswinstall.exe
C:\Documents and Settings\Rakesh\Favorites\Get out of Debt!.url
C:\Documents and Settings\Rakesh\Local Settings\Temp\180sainstaller.exe
C:\Documents and Settings\Rakesh\Local Settings\Temp\SskUpdater.exe
C:\Documents and Settings\Rakesh\Local Settings\Temp\tempun.exe
C:\WINNT\inf\biK.inf
C:\WINNT\system32\bitsprx3.exe
C:\WINNT\system32\Cache\InstallAPS.exe
C:\WINNT\system32\Cache\mswinstall.exe
C:\WINNT\system32\cmpbk321.exe
C:\WINNT\system32\drivers\etc\hosts.bho
C:\WINNT\system32\fiz1
C:\WINNT\system32\Free Cell Phone.ico
C:\WINNT\system32\Free LapTop Computer.ico
C:\WINNT\system32\Free Ringtones!.ico
C:\WINNT\system32\Free Sony Playstation.ico
C:\WINNT\system32\Free U2 iPod.ico
C:\WINNT\system32\INNERADINSTALL.LOG
C:\WINNT\system32\INNERVBINSTALL.LOG
C:\WINNT\system32\kyf.dat
C:\WINNT\system32\NBA Giveaway.ico
C:\WINNT\system32\Searchx.htm
C:\WINNT\system32\winupdt.008
C:\WINNT\system32\winupdt.bin

Reboot as normal

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and a new HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#5
tapya
Posted 08 May 2005 - 12:24 AM

tapya

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
hi thatman,

Thanks, i did the thing you asked.
Attaching the panda log follwed by HJT log.


Incident Status Location

Adware:Adware/PortalScan No disinfected Windows Registry
Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp
Adware:Adware/EliteBar No disinfected Windows Registry


***************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 11:06:06 PM, on 5/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\T-Mobile USA\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\NOKIAMGR\System32\GCSServer.exe
C:\NOKIAMGR\System32\gcssync.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\CCM\CcmExec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\Searchx.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.attws.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: T-Mobile USA VPN Client.lnk = C:\Program Files\T-Mobile USA\VPN Client\vpngui.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.attws.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114999724148
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\Software\..\Telephony: DomainName = wireless.attws.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\T-Mobile USA\VPN Client\cvpnd.exe
O23 - Service: FireDaemon Service: dll32 (dll32) - Sublime Solutions Pty Ltd - C:\winnt\system32\spool\printers\FireDaemon.exe
O23 - Service: FireDaemon Service: events (events) - Sublime Solutions Pty Ltd - C:\winnt\system32\spool\printers\FireDaemon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Nokia GCS (GCSR4) - Nokia - C:\NOKIAMGR\System32\GCSServer.exe
O23 - Service: Nokia GCS Sync (GCSSYNC) - Nokia - C:\NOKIAMGR\System32\gcssync.exe
O23 - Service: hbsclmqwuim - Unknown owner - C:\WINNT\System32\lmqwuim\hbsc.exe (file missing)
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




please advise futher.
  • 0

#6
Guest_thatman_*
Posted 08 May 2005 - 03:33 AM

Guest_thatman_*
  • Guest
Hi tapya

Now we are seeing the malware hidden on your system.

Removal instructions for Adware.PortalScan
Click Start, and then click Run. (The Run dialog box appears.)

1. Type regedit Then click OK. (The Registry Editor opens.)

2. Delete the following registry subkeys if they are present:
HKEY_LOCAL_MACHINE%\SOFTWARE\slmss
HKEY_LOCAL_MACHINE%\SOFTWARE\absr
HKEY_CLASSES_ROOT%\CLSID\{3E7145B1-EA07-42CE-9299-11DF39FF54BD}
HKEY_CLASSES_ROOT%\CLSID\{34EF5B1C-52CB-400b-8B7C-F787018B3826}
HKEY_CLASSES_ROOT%\Interface\{E9D8697E-BEA9-4170-84F3-509AD2A11951}
HKEY_CLASSES_ROOT%\TypeLib\{3CD9D85E-1FF2-4BF7-A113-6669B8D1E676}
HKEY_CLASSES_ROOT%\URLLauncher.URLLauncherControl
HKEY_CLASSES_ROOT%\URLLauncher.URLLauncherControl.1
HKEY_CLASSES_ROOT%\AdRotator.Application

3. Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

4. In the right pane, delete the values:
"absr"="<path to file name>"
and
"slmss"="<path to file name>"
if they are present.
5. Exit the Registry Editor


Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.
C:\WINDOWS\msbb*
C:\WINDOWS\Downloaded Program Files\istactivex.exe
C:\Documents and Settings\All Users\Favorites\AdultGambling.url
C:\WINDOWS\bsx32
C:\Program Files\cxtpls
C:\Program Files\Common Files\WinTools
C:\Program Files\AdDestroyer
C:\Documents and Settings\All Users\Application Data\VBouncer
C:\eied_s7.cab
C:\WINDOWS\System32\246765-ventura-hot.exe
C:\WINDOWS\io2uns.exe
C:\Program Files\FwBarTemp
C:\WINDOWS\wt
C:\WINDOWS\nail.exe
C:\Documents and Settings\All Users\Favorites\AdultGambling.url
C:\Documents and Settings\All Users\Favorites\Free Online Dating.url
C:\Documents and Settings\All Users\Favorites\[bleep] Real Girls.url
C:\Documents and Settings\All Users\Favorites\Online Sex Poker Rooms.url
C:\Documents and Settings\All Users\Favorites\Play Adult-Poker.url
C:\Documents and Settings\All Users\Favorites\Remove Toolbars.url
C:\Documents and Settings\All Users\Favorites\Spyware Uninstall.url
C:\Documents and Settings\All Users\Favorites\XXX personal photos.url
Adware:Adware/MediaTickets No disinfected C:\eied_s7.cab[eied.inf]
C:\RECYCLER\S-1-5-21-1097220513-1730271511-700863191-1003\Dc1.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\istactivex.inf
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
C:\WINDOWS\Downloaded Program Files\istactivex.inf
C:\WINDOWS\io2uns.exe
C:\WINDOWS\msbb.log
C:\WINDOWS\msbbau.dat
C:\WINDOWS\msbb_kyf.dat
C:\WINDOWS\system32\246765-ventura-hot.exe
C:\WINDOWS\system32\cxtpls_loader.exe

Reboot into normal mode.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#7
tapya
Posted 09 May 2005 - 12:51 AM

tapya

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi Thatman,

i couldnt find any of the registry items you asked me to delete in regedit. However i did the killbox items. I manually deleted "C:\Program Files\FwBarTemp" after the panada scan run.

Attached are the panadscan log follwed by HJT log.

Incident Status Location

Adware:Adware/PortalScan No disinfected Windows Registry
Adware:Adware/Fizzle No disinfected C:\Program Files\FwBarTemp
Adware:Adware/EliteBar No disinfected Windows Registry

*************************************************************


Logfile of HijackThis v1.99.1
Scan saved at 11:44:10 PM, on 5/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\T-Mobile USA\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\NOKIAMGR\System32\GCSServer.exe
C:\NOKIAMGR\System32\gcssync.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\CCM\CcmExec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\Searchx.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.attws.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: T-Mobile USA VPN Client.lnk = C:\Program Files\T-Mobile USA\VPN Client\vpngui.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.attws.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114999724148
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\Software\..\Telephony: DomainName = wireless.attws.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\T-Mobile USA\VPN Client\cvpnd.exe
O23 - Service: FireDaemon Service: dll32 (dll32) - Sublime Solutions Pty Ltd - C:\winnt\system32\spool\printers\FireDaemon.exe
O23 - Service: FireDaemon Service: events (events) - Sublime Solutions Pty Ltd - C:\winnt\system32\spool\printers\FireDaemon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Nokia GCS (GCSR4) - Nokia - C:\NOKIAMGR\System32\GCSServer.exe
O23 - Service: Nokia GCS Sync (GCSSYNC) - Nokia - C:\NOKIAMGR\System32\gcssync.exe
O23 - Service: hbsclmqwuim - Unknown owner - C:\WINNT\System32\lmqwuim\hbsc.exe (file missing)
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Thanks.
Taps
  • 0

#8
Guest_thatman_*
Posted 09 May 2005 - 01:31 AM

Guest_thatman_*
  • Guest
Hi tapya

Please read through the instructions before you start (you may want to print this out).

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
hbsclmqwuim
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t find this service listed go ahead with the next steps.

Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet, though.
Run CWShredder to fix your CWS problem.

Please set your system to show all files; please see here if you're unsure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\Searchx.htm
O23 - Service: hbsclmqwuim - Unknown owner - C:\WINNT\System32\lmqwuim\hbsc.exe (file missing)
Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:
C:\WINNT\System32\lmqwuim\<--Delete the whole folder.
Exit Explorer.

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.
C:\WINNT\System32\Searchx.htm

Reboot as normal.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#9
tapya
Posted 14 May 2005 - 05:18 PM

tapya

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi thatman,

sorry for thr delay. I was also somehow not able to connect to the forums yesterday.

I did the steps mentioned by you. while running the CWshredder, i got an message to regarding c:\winnt\aaRemove.exe. I did not ask cwshreder to delete that file as i was not sure.

posting the panadlog follwedby HJT.


Incident Status Location

Adware:Adware/PortalScan No disinfected Windows Registry


********************************************************************


Logfile of HijackThis v1.99.1
Scan saved at 11:44:10 PM, on 5/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\T-Mobile USA\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\NOKIAMGR\System32\GCSServer.exe
C:\NOKIAMGR\System32\gcssync.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\CCM\CcmExec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\Searchx.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.attws.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: T-Mobile USA VPN Client.lnk = C:\Program Files\T-Mobile USA\VPN Client\vpngui.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.attws.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114999724148
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\Software\..\Telephony: DomainName = wireless.attws.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\T-Mobile USA\VPN Client\cvpnd.exe
O23 - Service: FireDaemon Service: dll32 (dll32) - Sublime Solutions Pty Ltd - C:\winnt\system32\spool\printers\FireDaemon.exe
O23 - Service: FireDaemon Service: events (events) - Sublime Solutions Pty Ltd - C:\winnt\system32\spool\printers\FireDaemon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Nokia GCS (GCSR4) - Nokia - C:\NOKIAMGR\System32\GCSServer.exe
O23 - Service: Nokia GCS Sync (GCSSYNC) - Nokia - C:\NOKIAMGR\System32\gcssync.exe
O23 - Service: hbsclmqwuim - Unknown owner - C:\WINNT\System32\lmqwuim\hbsc.exe (file missing)
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




Please advise further.

Thanks,

Taps
  • 0

#10
tapya
Posted 14 May 2005 - 05:28 PM

tapya

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
sorry wrong HJT log.

here is the one from yesterday.

Logfile of HijackThis v1.99.1
Scan saved at 12:24:23 AM, on 5/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\T-Mobile USA\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\NOKIAMGR\System32\GCSServer.exe
C:\NOKIAMGR\System32\gcssync.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\CCM\CcmExec.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINNT\System32\msiexec.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.attws.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: T-Mobile USA VPN Client.lnk = C:\Program Files\T-Mobile USA\VPN Client\vpngui.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program files\bulletproofsoft.com\bps spyware & adware remover\apptoport.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.attws.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114999724148
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} - http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\Software\..\Telephony: DomainName = wireless.attws.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = wireless.attws.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = wireless.attws.com,attws.com,entp.attws.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\T-Mobile USA\VPN Client\cvpnd.exe
O23 - Service: FireDaemon Service: dll32 (dll32) - Sublime Solutions Pty Ltd - C:\winnt\system32\spool\printers\FireDaemon.exe
O23 - Service: FireDaemon Service: events (events) - Sublime Solutions Pty Ltd - C:\winnt\system32\spool\printers\FireDaemon.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Nokia GCS (GCSR4) - Nokia - C:\NOKIAMGR\System32\GCSServer.exe
O23 - Service: Nokia GCS Sync (GCSSYNC) - Nokia - C:\NOKIAMGR\System32\gcssync.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


hope this helps.

taps.
  • 0

#11
Guest_thatman_*
Posted 15 May 2005 - 04:01 AM

Guest_thatman_*
  • Guest
Hi tapya

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Reboot into Safe Mode: Click here if you don't know how to do this.

Run Ad-aware se let it clean what ever it finds

Run ewido

Run cleanup

Reboot as normal.

Please run the following free, online virus scans.
http://www.ravantivirus.com/scan/
http://www.bitdefend...can/licence.php
Please post the logs From the virus scans and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#12
tapya
Posted 15 May 2005 - 11:41 PM

tapya

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
hi Thatman,

i did the things, but i cannot seem to get rid of that one spyware panda scan finds.

here are the logs, pandascan, hjt, rav, bitdefender. Please advise futher.

Incident Status Location

Adware:Adware/PortalScan No disinfected Windows Registry

****************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 10:35:47 PM, on 5/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\T-Mobile USA\VPN Client\cvpnd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\NOKIAMGR\System32\GCSServer.exe
C:\NOKIAMGR\System32\gcssync.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\Network Associates\Common

Framework\FrameworkService.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\System32\CCM\CcmExec.exe
C:\WINNT\System32\hkcmd.exe
C:\Program Files\Network Associates\Common

Framework\UpdaterUI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL = http://intranet.attws.com
R0 - HKCU\Software\Microsoft\Internet

Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} -

(no file)
O2 - BHO: Google Toolbar Helper -

{AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network

Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program

Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network

Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common

Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program

Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN

Messenger\msnmsgr.exe" /background
O4 - Global Startup: InterVideo WinCinema Manager.lnk =

C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program

Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: T-Mobile USA VPN Client.lnk = C:\Program

Files\T-Mobile USA\VPN Client\vpngui.exe
O8 - Extra context menu item: &Google Search - res://C:\Program

Files\Google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word -

res://C:\Program Files\Google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program

Files\Google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page -

res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program

Files\Google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English -

res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'c:\program

files\bulletproofsoft.com\bps spyware & adware

remover\apptoport.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\PLUGINS\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://intranet.attws.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall

Control) -

http://housecall60.t...all/xscan60.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data

Collection Control) -

https://support.micr...ActiveX/odc.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -

http://a1540.g.akama...tall.info.apple

.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl

Class) -

http://v5.windowsupd...5Controls/en/x8

6/client/wuweb_site.cab?1114999724148
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall

Control) -

http://a840.g.akamai...ecall.trendmicr

o.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline

Control) - http://www.bitdefend...bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan

Installer Class) -

http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline

Object) - http://www.ravantivi...n/ravonline.cab
O16 - DPF: {B4831DED-3A57-4CC6-9E4B-0E7C5B08DBF4} -

http://www.alwaysupd...ll/aun_0032.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -

http://us.dl1.yimg.c...lls/suite/yauto

complete.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain =

wireless.attws.com
O17 - HKLM\Software\..\Telephony: DomainName = wireless.attws.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain =

wireless.attws.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =

wireless.attws.com,attws.com,entp.attws.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain =

wireless.attws.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =

wireless.attws.com,attws.com,entp.attws.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =

wireless.attws.com,attws.com,entp.attws.com
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco

Systems, Inc. - C:\Program Files\T-Mobile USA\VPN

Client\cvpnd.exe
O23 - Service: FireDaemon Service: dll32 (dll32) - Sublime

Solutions Pty Ltd -

C:\winnt\system32\spool\printers\FireDaemon.exe
O23 - Service: FireDaemon Service: events (events) - Sublime

Solutions Pty Ltd -

C:\winnt\system32\spool\printers\FireDaemon.exe
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks -

C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Nokia GCS (GCSR4) - Nokia -

C:\NOKIAMGR\System32\GCSServer.exe
O23 - Service: Nokia GCS Sync (GCSSYNC) - Nokia -

C:\NOKIAMGR\System32\gcssync.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner -

C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) -

Network Associates, Inc. - C:\Program Files\Network

Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network

Associates, Inc. - C:\Program Files\Network

Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) -

Network Associates, Inc. - C:\Program Files\Network

Associates\VirusScan\VsTskMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) -

Symantec Corporation - C:\Program Files\Norton

AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service

(NPFMntor) - Symantec Corporation - C:\Program Files\Norton

AntiVirus\IWP\NPFMntor.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner -

c:\oracle\ora81\BIN\ONRSD.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program

Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec

Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) -

Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation -

C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe


************************************************************

Scan started at 5/15/2005 1:35:30 PM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\Rakesh\Application Data\Yahoo!\Mail\attach\xdcc_4.11.zip->searchengines.mrc - IRC/Generic* -> Suspicious
C:\Documents and Settings\Rakesh\Application Data\Yahoo!\Mail\attach\xdcc_4.11[0].zip->searchengines.mrc - IRC/Generic* -> Suspicious
C:\Program Files\mIRC\searchengines.mrc - IRC/Generic* -> Suspicious

Scanned
============================
Objects: 40209
Directories: 4675
Archives: 8483
Size(Kb): -914176
Infected files: 0

Found
============================
Viruses found: 0
Suspicious files: 3
Disinfected files: 0
Mail files: 382

*****************************************************************

C:\Obinst\rem_old.bat: suspect BAT.Delete
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>arrow2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bck2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt11.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt12.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt13.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt21.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt22.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt23.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt31.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt32.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt33.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt41.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt42.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt43.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt51.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt52.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt53.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt61.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>bt62.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>checkbox4.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>default.skn: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>defbtn3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph2.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph3.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph4.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph5.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph6.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>glyph7.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>main.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>preview.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>sprite1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>tab1.bmp: password protected
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask=>tab2.bmp: password protected
C:\Program Files\Norton AntiVirus\Quarantine\006859D3.exe=>(Quarantine-2): infected with Win32.Agent.NN
C:\Program Files\Norton AntiVirus\Quarantine\09C34AF7.exe=>(Quarantine-2): infected with BehavesLike:Win32.ExplorerHijack
C:\Program Files\Norton AntiVirus\Quarantine\0BF815D2.exe=>(Quarantine-2): infected with BehavesLike:Win32.ExplorerHijack
C:\Program Files\Norton AntiVirus\Quarantine\12763C27.exe=>(Quarantine-2): infected with Trojan.Downloader.Agent.JQ
C:\Program Files\Norton AntiVirus\Quarantine\279C28E1.exe=>(Quarantine-2): infected with Adware.POP.dl
C:\Program Files\Norton AntiVirus\Quarantine\279F52DE.IE5=>(Quarantine-2): infected with Trojan.Downloader.Agent.LG
C:\Program Files\Norton AntiVirus\Quarantine\27AF24CC.exe=>(Quarantine-2): infected with Trojan.Downloader.Qoologic.L
C:\Program Files\Norton AntiVirus\Quarantine\27B922C1.exe=>(Quarantine-2): infected with Trojan.Downloader.Adload.A
C:\Program Files\Norton AntiVirus\Quarantine\27C076BA.exe=>(Quarantine-2): infected with BehavesLike:Win32.ExplorerHijack
C:\Program Files\Norton AntiVirus\Quarantine\27C64AB2.dat=>(Quarantine-2): infected with Trojan.Downloader.Qoologic.L
C:\Program Files\Norton AntiVirus\Quarantine\27CA74AF.exe=>(Quarantine-2): infected with Trojan.Downloader.VB.EU
C:\Program Files\Norton AntiVirus\Quarantine\27DA469D.exe=>(Quarantine-2): infected with BehavesLike:Win32.ExplorerHijack
C:\Program Files\Norton AntiVirus\Quarantine\27DD7099.cpl=>(Quarantine-2): infected with Trojan.Dropper.Small.WC
C:\Program Files\Norton AntiVirus\Quarantine\27DD7099.ocx=>(Quarantine-2): infected with Trojan.Downloader.Agent.EX
C:\Program Files\Norton AntiVirus\Quarantine\2F0F3FD5.exe=>(Quarantine-2): infected with Trojan.Downloader.Agent.LG
C:\Program Files\Norton AntiVirus\Quarantine\3A1F59A6.exe=>(Quarantine-2): infected with Trojan.Downloader.Qoologic.L
C:\Program Files\Norton AntiVirus\Quarantine\3A28579B.dat=>(Quarantine-2): infected with Trojan.Downloader.Qoologic.L
C:\Program Files\Norton AntiVirus\Quarantine\3A28579B.exe=>(Quarantine-2): infected with Trojan.Betterinternet.W
C:\Program Files\Norton AntiVirus\Quarantine\3A2F2B94.exe=>(Quarantine-2): infected with Trojan.Downloader.Agent.LG
C:\Program Files\Norton AntiVirus\Quarantine\3A9F7BD4.exe=>(Quarantine-2): infected with Trojan.Downloader.Adload.A
C:\Program Files\Norton AntiVirus\Quarantine\542A664C.exe=>(Quarantine-2): infected with Trojan.Hpt.J
C:\Program Files\Norton AntiVirus\Quarantine\5D502FD0.EXE=>(Quarantine-2): infected with Trojan.Dropper.SurfSide.A
C:\Program Files\Norton AntiVirus\Quarantine\5FE41444.exe=>(Quarantine-2): infected with Dropped:Trojan.Downloader.Small.ABD
C:\Program Files\Norton AntiVirus\Quarantine\72B51FC7.exe=>(Quarantine-2): infected with Trojan.Downloader.Adload.A
C:\Program Files\Norton AntiVirus\Quarantine\747127CD.exe=>(Quarantine-2): infected with Dropped:Application.ProcKill.Jk
C:\Program Files\Norton AntiVirus\Quarantine\78AC6CC1.exe=>(Quarantine-2): infected with Virtool.HiddenRun.B
C:\Program Files\Norton AntiVirus\Quarantine\78ED65C3.exe=>(Quarantine-2): infected with Trojan.Downloader.Adload.A
C:\Program Files\Norton AntiVirus\Quarantine\79086740.exe=>(Quarantine-2): infected with Trojan.Downloader.Qoologic.I
C:\Program Files\Norton AntiVirus\Quarantine\790B113D.exe=>(Quarantine-2): infected with Trojan.StartPage.NK
C:\Program Files\Norton AntiVirus\Quarantine\790E3B39.exe=>(Quarantine-2): infected with BehavesLike:Win32.ExplorerHijack
C:\Program Files\Norton AntiVirus\Quarantine\79150F32.dll=>(Quarantine-2): infected with Trojan.Downloader.Qoologic.I
C:\Program Files\Norton AntiVirus\Quarantine\7918392E.dat=>(Quarantine-2): infected with Trojan.Downloader.Qoologic.L
C:\Program Files\Norton AntiVirus\Quarantine\7E320EF9.exe=>(Quarantine-2): infected with Trojan.Downloader.Qoologic.I
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>_inst32i.ex_: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>setup.lid: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>setup.ins: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>Setup.ini: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>Setup.exe: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>setup.bmp: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>os.dat: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>layout.bin: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>lang.dat: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>data1.hdr: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>data1.cab: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>Data.tag: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>_user1.hdr: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>_user1.cab: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>_sys1.hdr: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>_sys1.cab: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>_Setup.dll: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>_ISDel.exe: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 1.0.zip=>vssver.scc: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 2.0\PSMMan+2_0_00+[1+of+2].zip=>data1.cab: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 2.0\PSMMan+2_0_00+[1+of+2].zip=>data1.hdr: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 2.0\PSMMan+2_0_00+[1+of+2].zip=>data2.cab: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 2.0\PSMMan+2_0_00+[1+of+2].zip=>ikernel.ex_: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 2.0\PSMMan+2_0_00+[1+of+2].zip=>layout.bin: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 2.0\PSMMan+2_0_00+[1+of+2].zip=>setup.bmp: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 2.0\PSMMan+2_0_00+[1+of+2].zip=>Setup.exe: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 2.0\PSMMan+2_0_00+[1+of+2].zip=>Setup.ini: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 2.0\PSMMan+2_0_00+[1+of+2].zip=>setup.inx: password protected
C:\Rakesh\burn\BTS-Nokia-Operation\Nokia\Nokia Software\PSM Manager\PSM Manager 2.0\PSMMan+2_0_00+[1+of+2].zip=>vssver.scc: password protected
C:\System Volume Information\_restore{EC198C9B-8BC5-41A3-8DC3-11FC9CB4E672}\RP436\A0156999.exe: infected with Trojan.Downloader.Qoologic.I
C:\System Volume Information\_restore{EC198C9B-8BC5-41A3-8DC3-11FC9CB4E672}\RP436\A0157000.exe: infected with Trojan.Downloader.Qoologic.I
C:\System Volume Information\_restore{EC198C9B-8BC5-41A3-8DC3-11FC9CB4E672}\RP436\A0157001.exe: infected with Trojan.StartPage.NK
C:\System Volume Information\_restore{EC198C9B-8BC5-41A3-8DC3-11FC9CB4E672}\RP436\A0157002.exe: infected with BehavesLike:Win32.ExplorerHijack
C:\System Volume Information\_restore{EC198C9B-8BC5-41A3-8DC3-11FC9CB4E672}\RP436\A0157003.exe: infected with BehavesLike:Win32.ExplorerHijack
C:\System Volume Information\_restore{EC198C9B-8BC5-41A3-8DC3-11FC9CB4E672}\RP436\A0157005.dll: infected with Trojan.Downloader.Qoologic.I
C:\System Volume Information\_restore{EC198C9B-8BC5-41A3-8DC3-11FC9CB4E672}\RP436\A0157009.exe: infected with Trojan.ServU.G
C:\System Volume Information\_restore{EC198C9B-8BC5-41A3-8DC3-11FC9CB4E672}\RP436\A0157018.dll: infected with Trojan.Downloader.Qoologic.I
C:\System Volume Information\_restore{EC198C9B-8BC5-41A3-8DC3-11FC9CB4E672}\RP436\A0157019.exe: infected with Trojan.Downloader.Qoologic.I
C:\System Volume Information\_restore{EC198C9B-8BC5-41A3-8DC3-11FC9CB4E672}\RP437\A0157381.exe: infected with Dropped:Trojan.Clicker.Small.EZ
C:\WINNT\system32\Cache\dist006.exe: infected with Dropped:Trojan.Downloader.VB.EU

--Taps
  • 0

#13
Guest_thatman_*
Posted 16 May 2005 - 06:06 AM

Guest_thatman_*
  • Guest
Hi tapya

Download and install EasyCleaner:
http://personal.inet...rts/ecleane.htm

After installing it check under Settings > Registry tab if the backup
option is checked and if the directory it points to exists.
This should be true by default, but check anyway.

Then click OK and click Registry
Then click Search. When it is done select all the items per color,
(most, if not all should be green) and click Remove.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Reboot when you are done and let us know how it goes.

Kc :tazz:
  • 0

#14
Guest_thatman_*
Posted 30 May 2005 - 10:02 AM

Guest_thatman_*
  • Guest
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP