Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

ABI Network [RESOLVED]


  • This topic is locked This topic is locked

#1
Richelieu

Richelieu

    New Member

  • Member
  • Pip
  • 7 posts
Hi All, I've had this ABI network spyware on this PC for a while. I followed the instructions indicated on other threads. Please find below the reports from Ewido and from HijackThis!:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 18:14:23, 8/6/2548
+ Report-Checksum: 8E07424F

+ Date of database: 8/6/2548
+ Version of scan engine: v3.0

+ Duration: 165 min
+ Scanned Files: 77686
+ Speed: 7.80 Files/Second
+ Infected files: 108
+ Removed files: 108
+ Files put in quarantine: 108
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\WINDOWS\SYSTEM32\tksrv98.exe -> TrojanDownloader.Esepor.Q -> Cleaned with backup
C:\WINDOWS\SYSTEM32\tt_reco.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\SYSTEM32\zgvexyw.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\SYSTEM32\exul.exe -> Spyware.BargainBuddy.j -> Cleaned with backup
C:\WINDOWS\SYSTEM32\bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\WINDOWS\SYSTEM32\sysupd1003.exe -> Spyware.Small.an -> Cleaned with backup
C:\WINDOWS\SYSTEM32\DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\satmat.exe -> TrojanDownloader.Stubby.d -> Cleaned with backup
C:\WINDOWS\UnstSA2.exe -> Spyware.Delf.r -> Cleaned with backup
C:\WINDOWS\bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\WINDOWS\farmmext.exe -> Spyware.ConsCorr -> Cleaned with backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\asjktcwksnq.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Program Files\SideFind\sfbho.dll -> Spyware.SideFind -> Cleaned with backup
C:\Program Files\NoAdware\NoAdwareBackup\8,4,2004_10,36,39.zip/powerscan.exe -> Spyware.PowerScan.b -> Cleaned with backup
C:\Program Files\NoAdware\NoAdwareBackup\8,4,2004_10,36,39.zip/istactivex.dll -> TrojanDownloader.Istbar.Gen -> Cleaned with backup
C:\Program Files\NoAdware\NoAdwareBackup\8,4,2004_10,36,39.zip/twaintec.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\NoAdware\NoAdwareBackup\8,4,2004_10,36,39.zip/XPlugin.dll -> TrojanDownloader.Esepor.u -> Cleaned with backup
C:\Program Files\NoAdware\NoAdwareBackup\8,4,2004_10,36,39.zip/preinstt.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\NoAdware\NoAdwareBackup\8,4,2004_10,36,39.zip/powerscan.exe -> Spyware.PowerScan.b -> Cleaned with backup
C:\Program Files\NoAdware\NoAdwareBackup\8,4,2004_10,36,39.zip/novica7@counter8.sextracker[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\NoAdware\NoAdwareBackup\1,9,2005_11,34,22.zip/preinstt.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/preInsTT2.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/twaintec3.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/preInsTT5.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/twaintec6.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/preInsTT8.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/twaintec9.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/preInsTT11.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/twaintec12.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/twaintec13.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/preInsTT14.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/twaintec15.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/alchem17.exe -> TrojanDownloader.Alchemic -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/alchem18.exe -> TrojanDownloader.Alchemic -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/twaintec137.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/preInsTT138.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/alchem139.exe -> TrojanDownloader.Alchemic -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/twaintec142.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/preInsTT143.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/alchem144.exe -> TrojanDownloader.Alchemic -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/twaintec146.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/preInsTT147.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/twaintec148.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/preinstt149.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/twaintec151.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB7D.zip/preInsTT152.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/preinstt1.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/twaintec3.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/preInsTT4.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/preInsTT8.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/twaintec9.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/preInsTT13.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/twaintec14.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/preInsTT16.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/twaintec17.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/preInsTT21.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/twaintec22.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/twaintec26.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/preInsTT27.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/twaintec36.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/twaintec39.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/preInsTT40.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/twaintec42.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB11.zip/preInsTT43.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB12.zip/twaintec1.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB12.zip/preInsTT4.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB12.zip/twaintec6.dll -> Spyware.BiSpy.f -> Cleaned with backup
C:\Program Files\ScanSpyware v3.7\SSBackup\baB12.zip/preInsTT7.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\Documents and Settings\novica7\Cookies\novica7@servedby.netshelter[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\novica7\Cookies\novica7@www.myaffiliateprogram[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP115\A0032791.dll -> Spyware.DlMax.a -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP115\A0032805.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP115\A0032819.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP116\A0032914.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP116\A0032984.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP117\A0033983.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP117\A0033985.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP117\A0034076.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP117\A0034160.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP117\A0034208.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP117\A0034242.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP117\A0034243.exe -> TrojanDownloader.Agent.ae -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP117\A0034244.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP118\A0034509.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP118\A0035509.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP118\A0035551.EXE -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP118\A0035552.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP119\A0035753.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP119\A0035768.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP119\A0035775.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP119\A0036775.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP119\A0036797.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP120\A0036802.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP121\A0036820.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP121\A0036821.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP122\A0036879.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP122\A0036880.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP131\A0037737.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0037749.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038099.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038100.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038111.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038113.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\Recycled\NPROTECT\00024244.exe -> TrojanDownloader.Esepor.ab -> Cleaned with backup
C:\Recycled\NPROTECT\00024253.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Recycled\NPROTECT\00024316.exe -> Trojan.Agent.cp -> Cleaned with backup


::Report End

---------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 18:17:31, on 8/6/2548
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\ewido\security suite\SecuritySuite.exe
C:\Documents and Settings\novica7\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.novica.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://best-search.c...v=6&aff=5172485
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*;<local>
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Coloreal Lite.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Lite\COLOREALLITE.EXE
O4 - Global Startup: Coloreal Lite.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Lite\COLOREALLITE.EXE
O4 - Global Startup: Harrap's Shorter.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: PhoenixNet - {2626e980-0453-11d7-9985-0020183ca38a} - http://www.seqdl.com...=65457&CID=9875 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.nuker.com...erInstaller.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9223BEE-9C0F-49BC-BD1D-EB837EE1650E}: Domain = domain
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9223BEE-9C0F-49BC-BD1D-EB837EE1650E}: NameServer = 203.146.0.20,203.146.0.30
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

---------------------------------------------------------

Thanks for your help!
  • 0

Advertisements


#2
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Welcome to Geeks 2 Go. Sorry about the delay in getting to your post, we have been very busy.

Do you still require help or are your problems resolved.

Please let me know and if you still require assistance, please post a fresh HJT log.

Regards,

Usetobe
  • 0

#3
Richelieu

Richelieu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thanks for your reply.

I don't see anymore weird activities but there still seems to be infections, please find a fresh scan pasted below ... and again thanks for your help.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:35:29, 17/6/2548
+ Report-Checksum: 981A2ABF

+ Date of database: 16/6/2548
+ Version of scan engine: v3.0

+ Duration: 823 min
+ Scanned Files: 50087
+ Speed: 1.01 Files/Second
+ Infected files: 22
+ Removed files: 22
+ Files put in quarantine: 22
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\novica7\Cookies\novica7@statse.webtrendslive[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038118.exe -> TrojanDownloader.Esepor.Q -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038119.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038120.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038121.exe -> Spyware.BargainBuddy.j -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038122.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038123.exe -> Spyware.Small.an -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038124.dll -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038125.exe -> TrojanDownloader.Stubby.d -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038126.exe -> Spyware.Delf.r -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038127.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038128.exe -> Spyware.ConsCorr -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038129.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038130.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038131.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038132.dll -> Spyware.SideFind -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038133.exe -> TrojanDownloader.Esepor.ab -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038134.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP132\A0038135.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP133\A0039542.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP134\A0039626.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{5D0F0990-DE7C-4851-97E6-6669BC2D8C39}\RP134\A0039628.exe -> Trojan.Nail -> Cleaned with backup


::Report End
  • 0

#4
Guest_usetobe_*

Guest_usetobe_*
  • Guest
please post a fresh HJT log
  • 0

#5
Richelieu

Richelieu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here you go, and thanks!

- - - - -


Logfile of HijackThis v1.99.1
Scan saved at 10:43:49, on 19/6/2548
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Harrap's Multim้dia\Shorter\bin\HiHarrapsTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Lotus\Notes\NLNOTES.EXE
C:\Lotus\Notes\nwrdaemn.EXE
C:\Lotus\Notes\nupdate.EXE
C:\Lotus\Notes\nhldaemn.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\novica7\Desktop\Secure\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.novica.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://best-search.c...v=6&aff=5172485
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*;<local>
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Coloreal Lite.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Lite\COLOREALLITE.EXE
O4 - Global Startup: Coloreal Lite.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Lite\COLOREALLITE.EXE
O4 - Global Startup: Harrap's Shorter.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PhoenixNet - {2626e980-0453-11d7-9985-0020183ca38a} - http://www.seqdl.com...=65457&CID=9875 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9223BEE-9C0F-49BC-BD1D-EB837EE1650E}: Domain = domain
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9223BEE-9C0F-49BC-BD1D-EB837EE1650E}: NameServer = 203.146.0.20,203.146.0.30
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#6
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Hi Richelieu

Here we go with your fix, There are the remnants of several infections on your system, so to make sure we get everything we shall hit them with the full fix in case parts are sneeking around hidden.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

This will likely be a few step process in removing the malware that has infected your system. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

Next we will need to download a few tools that will help us in the removal of your problems. Save all of these files somewhere you will remember like to the Desktop.

Download about:buster by RubbeRDuckY HERE
Download CWShredder Here.
Download SpSeHjfix Here.

Download a free 14 day trial of ewido from the link below. Install it and start it up. Follow the prompts to upgrade it, then close it down.

ewido

Please download Nailfix from here:
http://dknoppix.com/...oad.cgi?Nailfix
Unzip it to the desktop but please do NOT run it yet.

Please download Cleanup from here:
Cleanup. Do not run it yet.

Set PC to show hidden files (click link if you do not know how)LINK

Unzip SpSeHjfix to its own folder (ie c:\SpSeHjfix)

Run the CleanUp! installer. You dont need to do anything with it right now.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Click Start > Run > and type in:

services.msc

Click OK.

In the services window find: System Startup Service (SvcProc) .
Rightclick and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK.

Exit the Services utility.

Carry out a free online virus scan from the following link. Save the log it produces to post back later.

Run this online virus scan: ActiveScan

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Once in Safe Mode, please double-click on Nailfix.bat. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Now run SpSeHjfix. A log will be saved in the same folder that you put the exe into. Please post the results of that log in your next reply.

Warning Note: On a few occasions it has been reported that after using the SPSEHjfix you cannot open Internet Explorer. To fix this, go into Control Panel >Internet Options >Programs & press reset web settings, then you can set your home page to what you want on the general tab.

Then please run Ewido, and run a full scan. This may take some time, so go grab a coffee. Once it finds the first issue tick the box for all. Post the log from the scan here for me.

Now scan with HJT and check the following entries if they are there. Some may have been removed by earlier procedures.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://best-search.c...v=6&aff=5172485
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*;<local>
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9223BEE-9C0F-49BC-BD1D-EB837EE1650E}: Domain = domain
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9223BEE-9C0F-49BC-BD1D-EB837EE1650E}: NameServer = 203.146.0.20,203.146.0.30
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


Ensure no windows open except HJT and click FIX CHECKED.

now using windows explorer locate the following files/folders and delete them if present.

C:\Program Files\WindowsSA\omniscient.exe
C:\WINDOWS\svcproc.exe


Next restart HJT and click on Misc Tools button, then select Delete an NT service

In the popup box paste the following into the box.

SvcProc then ok it

then repeat and this time paste the following in the popup box

Now run CleanUp!. Click CleanUp and allow it to delete all the temporary files.

Reboot your computer into normal windows.

Carry out another HJT scan and post the log back here, with the other logs, so we can sort out any remnants
  • 0

#7
Richelieu

Richelieu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi Usetobe,

Thanks for your reply. Please find below the logs. Regarding : "Next restart HJT and click on Misc Tools button, then select Delete an NT service. In the popup box paste the following into the box. SvcProc then ok it." => It couldn't find the NT service, nor the SvcProc file. " then repeat and this time paste the following in the popup box." => You didn't indicate what was the "following."

Also regarding buster by RubbeRDuckY. When I unzipped the file, no directory was created, and when I ran it, there were no way to yes or no the "allow AboutBuster to scan for Alternate Data Streams." and "allow it to shutdown explorer.exe." so I just hit "Begin removal" and the resulting log was a bit weird.

Thanks for your help again.

- - - - -
Active Scan:


Incident Status Location

Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM32\apuc.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\satmat.ini
Adware:Adware/WUpd No disinfected C:\WINDOWS\Downloaded Program Files\BridgeX.inf
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\inf\twaintec.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\tpziqi.exe
- - - -
Buster:


AboutBuster 5.0 reference file 30
Scan started on [20/6/2548] at [14:02:46]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 14:07:26


- - - -
Shredder:


**** Run Keys ****

RUN: [internat.exe] internat.exe
RUN: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
RUN: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
RUN: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
RUN: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
RUN: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
RUN: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe


**** Browser Helper Objects ****

BHO: [WsftpBrowserHelper Class] C:\Program Files\WS_FTP Pro\wsbho2k0.dll
BHO: [CNavExtBho Class] C:\Program Files\Norton AntiVirus\NavShExt.dll


**** IE Toolbars ****

TOOLBAR: [Norton AntiVirus] C:\Program Files\Norton AntiVirus\NavShExt.dll


**** IE Extensions ****

IEExt: [PhoenixNet] http://www.seqdl.com...=65457&CID=9875
IEExt: [Messenger] C:\Program Files\Messenger\msmsgs.exe


**** Hosts File Entries ****

HOSTS: 127.0.0.1 localhost
HOSTS: 127.0.0.1 localhost


**** IE Settings ****

IEProxy: 192.168.0.1:80
IEBypass: *hot-searches.com*;*lender-search.com*;<local>
Default Page: http://www.microsoft...er=6&ar=msnhome
Default Search: http://www.microsoft...=ie&ar=iesearch
Local Page: C:\WINDOWS\system32\blank.htm
Search Page: http://www.microsoft...=ie&ar=iesearch


**** IE Context Menu (Right click) ****



**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD nwlnkipx [IPX]
LSP: MSAFD nwlnkspx [SPX]
LSP: MSAFD nwlnkspx [SPX] [Pseudo Stream]
LSP: MSAFD nwlnkspx [SPX II]
LSP: MSAFD nwlnkspx [SPX II] [Pseudo Stream]
LSP: MSAFD NetBIOS [\Device\NwlnkNb] SEQPACKET 5
LSP: MSAFD NetBIOS [\Device\NwlnkNb] DATAGRAM 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A9223BEE-9C0F-49BC-BD1D-EB837EE1650E}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A9223BEE-9C0F-49BC-BD1D-EB837EE1650E}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B0DED66E-42C6-4466-8E3C-4A2EEBE2F2B3}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{B0DED66E-42C6-4466-8E3C-4A2EEBE2F2B3}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EF4AE732-6271-445F-A47F-86B26418AFF7}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{EF4AE732-6271-445F-A47F-86B26418AFF7}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{923BE85C-1276-49D2-B6E0-51DCCF03647F}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{923BE85C-1276-49D2-B6E0-51DCCF03647F}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1A8D3815-E89D-47E5-BFE4-DDBF671CDAF7}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1A8D3815-E89D-47E5-BFE4-DDBF671CDAF7}] DATAGRAM 4


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No
BLOCKED: [snd.cpl] no
BLOCKED: [joystick.cpl] no
BLOCKED: [midimap.drv] no


**** Downloaded Program Files ****

DirectAnimation Java Classes [file://C:\WINDOWS\SYSTEM\dajava.cab]
Internet Explorer Classes for Java [file://C:\WINDOWS\SYSTEM\iejava.cab]
Microsoft XML Parser for Java [file://C:\WINDOWS\Java\classes\xmldso.cab]
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} [http://www.pandasoft...as5/asinst.cab] C:\WINDOWS\Downloaded Program Files\asinst.dll
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://fpdownload.ma...sh/swflash.cab]


**** Windows Services ****

[Alerter] %SystemRoot%\system32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[BITS] %SystemRoot%\system32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\system32\svchost.exe -k netsvcs
[ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
[ccPwdSvc] "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"
[cisvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[DcomLaunch] %SystemRoot%\system32\svchost -k DcomLaunch
[Dhcp] %SystemRoot%\system32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\system32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\system32\svchost.exe -k netsvcs
[ewido security suite control] C:\Program Files\ewido\security suite\ewidoctrl.exe
[ewido security suite guard] C:\Program Files\ewido\security suite\ewidoguard.exe
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[HTTPFilter] %SystemRoot%\System32\svchost.exe -k HTTPFilter
[ImapiService] C:\WINDOWS\system32\imapi.exe
[lanmanserver] %SystemRoot%\system32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\system32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\system32\svchost.exe -k LocalService
[Messenger] %SystemRoot%\system32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\system32\msiexec.exe /V
[navapsvc] "C:\Program Files\Norton AntiVirus\navapsvc.exe"
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\system32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\system32\svchost.exe -k netsvcs
[NProtectService] "C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE"
[NtLmSsp] %SystemRoot%\system32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\system32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\system32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\system32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\system32\svchost.exe -k netsvcs
[RemoteRegistry] %SystemRoot%\system32\svchost.exe -k LocalService
[RpcLocator] %SystemRoot%\system32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\system32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SBService] C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\system32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\system32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\system32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\system32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\system32\dllhost.exe /Processid:{531A04EB-7E0F-4C4E-AE6D-CFAB52E42F3B}
[SymWSC] C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost -k DComLaunch
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TlntSvr] C:\WINDOWS\System32\tlntsvr.exe
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\system32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\system32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[Wmi] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\system32\wbem\wmiapsrv.exe
[wscsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs
[xmlprov] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://ie.search.msn...st/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn...st/srchcust.htm
SEARCH: [Default_Search_URL] http://www.microsoft...=ie&ar=iesearch


**** Complete IE Options ****

IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\system32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://www.novica.com/
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [FullScreen] no
IEOPT: [LastCheckedHi] +_ล
IEOPT: [Window_Placement] ,
IEOPT: [FormSuggest PW Ask] no
IEOPT: [Use FormSuggest] no
IEOPT: [AddToFavoritesExpanded]
IEOPT: [FormSuggest Passwords] no
IEOPT: [NotifyDownloadComplete] yes
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Save Directory] C:\Documents and Settings\novica7\Desktop\
IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Check_Associations] yes
IEOPT: [Use Search Asst] no
IEOPT: [HistoryViewType]
IEOPT: [Expand Alt Text] no
IEOPT: [Move System Caret] no
IEOPT: [NscSingleExpand]
IEOPT: [NoWebJITSetup]
IEOPT: [Page_Transitions]
IEOPT: [FavIntelliMenus] no
IEOPT: [Enable Browser Extensions] yes
IEOPT: [UseThemes]
IEOPT: [Force Offscreen Composition]
IEOPT: [AllowWindowReuse]
IEOPT: [Friendly http errors] yes
IEOPT: [ShowGoButton] yes
IEOPT: [SmoothScroll]
IEOPT: [Enable AutoImageResize] yes
IEOPT: [Enable_MyPics_Hoverbar] yes
IEOPT: [Play_Animations] yes
IEOPT: [Play_Background_Sounds] yes
IEOPT: [Display Inline Videos] yes
IEOPT: [Show image placeholders]
IEOPT: [Print_Background] no
IEOPT: [AutoSearch]
IEOPT: [hpnt]
IEOPT: [Start Page_bak]
IEOPT: [Search Bar_bak] http://best-search.c...v=6&aff=5172485
IEOPT: [Search Page_bak] http://best-search.c...v=6&aff=5172485
IEOPT: [Use Search Assistant] no
IEOPT: [Use Custom Search URL]
IEOPT: [Search Page] http://www.microsoft...=ie&ar=iesearch
IEOPT: [Default_Search_URL] http://www.microsoft...=ie&ar=iesearch
IEOPT: [Search Page] http://www.microsoft...=ie&ar=iesearch
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] %SystemRoot%\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://www.microsoft...B_PVER}&ar=home
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Default_Page_URL] http://www.microsoft...er=6&ar=msnhome

- - - -
SpSeHjfix:


(6/20/48 14:23:57) SPSeHjFix started v1.1.2
(6/20/48 14:23:57) OS: WinXP Service Pack 2 (5.1.2600)
(6/20/48 14:23:57) Language: ไทย
(6/20/48 14:23:57) Win-Path: C:\WINDOWS
(6/20/48 14:23:57) System-Path: C:\WINDOWS\system32
(6/20/48 14:23:57) Temp-Path: C:\DOCUME~1\novica7\LOCALS~1\Temp\
(6/20/48 14:24:14) Disinfection started
(6/20/48 14:24:14) Bad-Dll(IEP): (not found)
(6/20/48 14:24:14) Bad-Dll(IEP) in BHO: (not found)
(6/20/48 14:24:14) UBF: 4 - UBB: 1 - UBR: 6
(6/20/48 14:24:14) UBF: 4 - UBB: 1 - UBR: 6
(6/20/48 14:24:14) Bad IE-pages: (none)
(6/20/48 14:24:14) Stealth-String not found
(6/20/48 14:24:14) Not infected->END


- - - -
Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 16:47:27, 20/6/2548
+ Report-Checksum: C3BBC6FF

+ Date of database: 20/6/2548
+ Version of scan engine: v3.0

+ Duration: 130 min
+ Scanned Files: 55047
+ Speed: 7.05 Files/Second
+ Infected files: 13
+ Removed files: 13
+ Files put in quarantine: 13
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\novica7\Cookies\novica7@statse.webtrendslive[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\novica7\Cookies\novica7@atdmt[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\novica7\Cookies\novica7@cgi-bin[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\novica7\Cookies\novica7@doubleclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\novica7\Cookies\novica7@bluestreak[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\novica7\Cookies\novica7@advertising[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\novica7\Cookies\novica7@www.smartadserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\novica7\Cookies\novica7@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\novica7\Cookies\novica7@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\novica7\Cookies\novica7@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\novica7\Cookies\novica7@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\novica7\Cookies\novica7@cgi-bin[3].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\novica7\Cookies\novica7@247realmedia[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup


::Report End

- - - -
HJT (first):

Logfile of HijackThis v1.99.1
Scan saved at 16:49:20, on 20/6/2548
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\novica7\Desktop\Secure\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.novica.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *hot-searches.com*;*lender-search.com*;<local>
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Coloreal Lite.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Lite\COLOREALLITE.EXE
O4 - Global Startup: Coloreal Lite.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Lite\COLOREALLITE.EXE
O4 - Global Startup: Harrap's Shorter.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PhoenixNet - {2626e980-0453-11d7-9985-0020183ca38a} - http://www.seqdl.com...=65457&CID=9875 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9223BEE-9C0F-49BC-BD1D-EB837EE1650E}: Domain = domain
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9223BEE-9C0F-49BC-BD1D-EB837EE1650E}: NameServer = 203.146.0.20,203.146.0.30
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

- - - -
HJT (second):


Logfile of HijackThis v1.99.1
Scan saved at 17:18:50, on 20/6/2548
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Harrap's Multim้dia\Shorter\bin\HiHarrapsTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\novica7\Desktop\Secure\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.novica.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Coloreal Lite.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Lite\COLOREALLITE.EXE
O4 - Global Startup: Coloreal Lite.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Lite\COLOREALLITE.EXE
O4 - Global Startup: Harrap's Shorter.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PhoenixNet - {2626e980-0453-11d7-9985-0020183ca38a} - http://www.seqdl.com...=65457&CID=9875 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#8
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Hi again,

Reboot into safe mode again

ensure pc setup to show hidden files

using windows explorer locate and delete the following files:

C:\WINDOWS\SYSTEM32\apuc.dll
C:\WINDOWS\satmat.ini
C:\WINDOWS\Downloaded Program Files\BridgeX.inf
C:\WINDOWS\inf\twaintec.inf
C:\WINDOWS\tpziqi.exe


Reboot normally, rescan with HJT and post the log back

Do you also still have ABI in add/remove list in control panel?

if so do nothing with it , just tell me

Edited by usetobe, 20 June 2005 - 10:04 AM.

  • 0

#9
Richelieu

Richelieu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hi Usetobe,

I couldn't find the following file:
C:\WINDOWS\Downloaded Program Files\BridgeX.inf

I still have ABI in add/remove list.

Please find below the new log.

Thanks again,

- - -
Logfile of HijackThis v1.99.1
Scan saved at 10:01:00, on 21/6/2548
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Harrap's Multim้dia\Shorter\bin\HiHarrapsTray.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\novica7\Desktop\Secure\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.novica.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.0.1:80
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [internat.exe] internat.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Coloreal Lite.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Lite\COLOREALLITE.EXE
O4 - Global Startup: Coloreal Lite.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Lite\COLOREALLITE.EXE
O4 - Global Startup: Harrap's Shorter.lnk = ?
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PhoenixNet - {2626e980-0453-11d7-9985-0020183ca38a} - http://www.seqdl.com...=65457&CID=9875 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#10
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Reboot into Safe mode, open up HJT and click on Misc Tools section, then click on Open uninstall manager.

In the list highlight the offending ABI entry, say bye bye and click on delete this entry.

Reboot PC normally

Are you familiar with Harrap's Multime้dia?

Let me know how you get on.
  • 0

#11
Richelieu

Richelieu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
No more ABI entry. Yes Harrap's Multime้dia is one of my dictionnaries.

Thanks again for everything ... you are awesome!!!

Cheers.
  • 0

#12
Guest_usetobe_*

Guest_usetobe_*
  • Guest
From your log, I see nothing in the ways of trojans, nor any evil entities attempting to possess your computer, except for Windows but it's too late for that one. :tazz:

Congratulations your log now appears to be clean. ;)

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and AntiSpyware Net's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0

#13
Richelieu

Richelieu

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
A thousand thanks for your help!!
  • 0

#14
Guest_usetobe_*

Guest_usetobe_*
  • Guest
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP