[coachwife6]

Run the online scan from Panda and copy and paste the results.

http://www.pandasoft...n_principal.htm

You will need to use Internet Explorer to download.

[Advertisements]

I finally managed to get a report.
Here are the details:


Incident Status Location

Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Desktop\Online Dating.url
Adware:Adware/Smitfraud No disinfected Windows Registry
Adware:Adware/Antivirus-gold No disinfected C:\WINNT\screen.html
Virus:W32/Sdbot.EEX.worm Disinfected C:\CFBD.exe
Virus:Application/Poliphonic No disinfected Personal Folders\Personal\11.02 Coding Workshop Polyphonic Wizard 2.3.3.zip[cwpolywz.file]
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Desktop\Online Dating.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Desktop\Remove Spyware.url
Adware:Adware/Antivirus-gold No disinfected C:\WINNT\screen.html
Adware:Adware/Antivirus-gold No disinfected C:\WINNT\system32\hookdump.exe.filez
Virus:W32/Codbot.AV.worm Disinfected C:\WINNT\system32\Netlib.exe
Virus:W32/Sdbot.EEX.worm Disinfected C:\WINNT\system32\phqghum.exe
Now where do we go from here?

BV

[BlackVinyl]

I finally managed to get a report.
Here are the details:


Incident Status Location

Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Desktop\Online Dating.url
Adware:Adware/Smitfraud No disinfected Windows Registry
Adware:Adware/Antivirus-gold No disinfected C:\WINNT\screen.html
Virus:W32/Sdbot.EEX.worm Disinfected C:\CFBD.exe
Virus:Application/Poliphonic No disinfected Personal Folders\Personal\11.02 Coding Workshop Polyphonic Wizard 2.3.3.zip[cwpolywz.file]
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Desktop\Online Dating.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Desktop\Remove Spyware.url
Adware:Adware/Antivirus-gold No disinfected C:\WINNT\screen.html
Adware:Adware/Antivirus-gold No disinfected C:\WINNT\system32\hookdump.exe.filez
Virus:W32/Codbot.AV.worm Disinfected C:\WINNT\system32\Netlib.exe
Virus:W32/Sdbot.EEX.worm Disinfected C:\WINNT\system32\phqghum.exe
Now where do we go from here?

BV

[coachwife6]

irus:Application/Poliphonic No disinfected Personal Folders\Personal\11.02 Coding Workshop Polyphonic Wizard 2.3.3.zip[cwpolywz.file]

what is the above?

[BlackVinyl]

Hello,
Coding Workshop Polyphonic Wizard 2.3.3.zip is a program that allows you to send polyphonic ring tones to your mobile/cell phone via the internet.

BV

[coachwife6]

yes, I saw that in doing a search. there were also several references to it being a cracked program. is that true?

[BlackVinyl]

I think so, but I have never used it so I don't know for certain whether it's cracked or whether it works or not.

Where do we go from here?

BV

[coachwife6]

If you're running a cracked copy of something, I can't help you. It's in our board guidelines.

[BlackVinyl]

OK then.
I will remove it and delete it.
I will let you know when I have done it.

Cheers,

BV

[coachwife6]

After you remove it, please run a new log and post it here.

[BlackVinyl]

OK will do.
Now, when you say new log, do you mean HJT or Active Scan?

Cheers,

BV

[coachwife6]

Hijack This log.

[BlackVinyl]

Hi,
I was thinking about what you said regarding that prog, however, when I reformatted the pc prior to getting this virus/trojan, I never installed the program again, so it should not be on there at all!!!

I don't know how it appeared in your searching techniques?

However, I did a search on my pc and found a couple of links for that prog but they seemed to be html links only. Nevertheless, I still deleted them.

I will run another HJT log and post it for you to see.

Thanks,

BV

Edited by BlackVinyl, 07 July 2005 - 02:24 AM.

[BlackVinyl]

Hi there,
OK I got the latest HJT log for you, but as I said, that prog should not be on this pc as I formatted the HD not even a week before it was infected again.

Here's the log...

Logfile of HijackThis v1.99.1
Scan saved at 11:56:50 PM, on 7/07/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP4 (5.00.2920.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\SpySweeperV3.2.0.147\SpySweeper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\trojfix\HJT\HijackThis.exe

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program

Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\SpySweeperV3.2.0.147\SpySweeper.exe" /0
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat

6.0\Distillr\acrotray.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5B6D28B5-5136-4712-B297-27953F1D9DEC}: NameServer =

192.189.54.17 203.8.183.1
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp.

- C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation -

C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINNT\system32\Netlib.exe

(file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Let me know what you would like me to do next.

Thanks,

BV

[BlackVinyl]

Oh, I forgot 1 thing... the past few days I have been receiving a warning from Norton that I have a virus by the name of...
W32.Desktophijack in the file c:\winnt\system32\wininet.dll

Norton is unable to repair or delete it.

Thanks,

BV

[coachwife6]

I am holding off on this because of your infection. One of our members has been asking for samples of this infection and I wanted to see if he wanted to look at it