Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

antivirus gold , black screen with warning [CLOSED]


  • This topic is locked This topic is locked

#1
Piratacobra

Piratacobra

    Member

  • Member
  • PipPip
  • 71 posts
first of all, i got that dreadful black html wallpaper with "Warning! You´re in danger!.. bla,bla,bla", three icons that inform me that "deleting the icon won´t unistall the program":

antivirus gold
PSGuard
online dating
Remove spyware (with ghostbusters logo)

Down, in the right corner, i got several smal icons, one is anvirus gold,(circle with a "A"), and a yellow triangle with an exclamation symbol.

Each time i make click on any icon on the desktop, antivir warns that

C:\\windows\system\hpba57.tmp is the trojan horse tr/click.age.dj.5.c
TR/CLICK.AGENT.CR.4
TR/PUPER.G.3

i can only tell antivir to move to quarantine directory or keeps making popups


Also, I Explorer open as default to page http://www.oneclicksearches.com/



I had made the following STEPS as described in post"You must read this before posting"
(i spend an entire day, actually -_- )

CLEANUP, AD AWARE, CWSHREDDER,SPYBOT, NO RESULTS


trend housecall did not detected any trojans in my PC

--------------------------
AVG
DETECTED THE FOLLOWING:

TROJAN DOWNLOADER.GENERIC.XP

SUPPOSELY IT WAS DELETED

--------------------------------
antivir:
HAS THE FOLLOWING LOG


Memory test OK
Master boot record of hard disk HD0 OK
Boot record of drive C: OK

Drive: C:
Volume ID: Serial No.: 4C-4228
C:\
pagefile.sys
Access denied! Error during file opening!
This is a Windows swap file. This file is locked by Windows.
Error code: 0x000D
WARNING! Access error/file locked!
C:\Archivos de programa\WinRAR
rarnew.dat
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
C:\Documents and Settings\Usuario\Configuración local\Archivos temporales de

Internet\Content.IE5\89Q3CXAV
s_giselle_bundchen[1].zip
ArchiveType: ZIP
NOTE! No files to extract.
C:\Documents and Settings\Usuario\Configuración local\Archivos temporales de

Internet\Content.IE5\WD23W12V
CADGCJHD.HTM
[DETECTION] Contains signature of the HTML script virus HTML/Exploit.Mhtml
WAS DELETED!
C:\Documents and Settings\Usuario\Configuración local\Temp
JETA056.tmp
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
Error! Could not change directory: System Volume Information
C:\WINDOWS
popuper.exe
[DETECTION] Is the Trojan horse TR/Puper.h.3
Could not be deleted!
C:\WINDOWS\system32
hhk.dll
[DETECTION] Is the Trojan horse TR/Puper.G.3
Could not be deleted!
hp9071.tmp
[DETECTION] Is the Trojan horse TR/Click.Age.dj.5.C
Could not be deleted!
msole32.exe
[DETECTION] Is the Trojan horse TR/Click.Agent.cr.4
Could not be deleted!
C:\WINDOWS\system32\config
default
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
SAM
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
SECURITY
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
software
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
system
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
C:\WINDOWS\system32\drivers
atapi.sys
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!

End of scan: Jueves, 16 de Junio de 2005 20:47
Time taken: 31:14 min


4255 directories were scanned
79227 files were scanned
12 warning messages were issued
1 file was deleted
0 files were repaired
5 detections

---------------------------------
ewido:

trojan.Puper.h

OLEADM.DLL
WINDOWS\SYSTEM32
TROJAN.AGENT.EQ

---------------------------------------------------------
ewido security suite - Report de Proceso
---------------------------------------------------------

+ Creado en: 07:28:09 p.m., 17/06/2005
+ Report-Checksum: AF331466

0: System Process
4: System Process
320: C:\Archivos de programa\OpenOffice.org 1.9.104\program\soffice.BIN
372: C:\WINDOWS\system32\spoolsv.exe
420: C:\Archivos de programa\ewido\security suite\SecuritySuite.exe
568: C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
624: C:\WINDOWS\SOUNDMAN.EXE
632: C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
648: C:\ARCHIV~1\SYMANT~1\VPTray.exe
664: C:\Archivos de programa\Alcohol Soft\Alcohol 120\Alcohol.exe
676: C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
716: C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
724: C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
820: C:\Archivos de programa\AVPersonal\AVGUARD.EXE
840: C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
856: C:\Archivos de programa\AVPersonal\AVGNT.EXE
904: C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
944: C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
976: C:\Archivos de programa\Symantec AntiVirus\SavRoam.exe
980: C:\Archivos de programa\AVPersonal\AVWUPSRV.EXE
1016: C:\ARCHIV~1\Cacheman\Cacheman.exe
1048: C:\WINDOWS\System32\hookdump.exe
1056: C:\Archivos de programa\Symantec AntiVirus\DefWatch.exe
1104: \SystemRoot\System32\smss.exe
1148: C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
1176: \??\C:\WINDOWS\system32\csrss.exe
1212: \??\C:\WINDOWS\system32\winlogon.exe
1232: C:\Archivos de programa\ewido\security suite\ewidoguard.exe
1256: C:\WINDOWS\system32\services.exe
1268: C:\WINDOWS\system32\lsass.exe
1444: C:\WINDOWS\system32\svchost.exe
1488: C:\Archivos de programa\Symantec AntiVirus\Rtvscan.exe
1520: C:\WINDOWS\System32\svchost.exe
1668: C:\WINDOWS\System32\svchost.exe
1724: C:\WINDOWS\System32\svchost.exe
1788: C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
1824: C:\Archivos de programa\OpenOffice.org 1.9.104\program\soffice.exe
1856: C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
1872: C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
1936: C:\WINDOWS\System32\nvsvc32.exe
2020: C:\Archivos de programa\Raxco\PerfectDisk\PDSched.exe
2640: C:\WINDOWS\System32\intmon.exe
3080: C:\WINDOWS\System32\shnlog.exe
3520: C:\WINDOWS\explorer.exe


-------------------------------------

TDS-3: no trojans reported whatsoever


KASPERSKY online gives the following log:

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Friday, June 17, 2005 14:06:11
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/06/2005
Kaspersky Anti-Virus database records: 126717
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 60063
Number of viruses found: 8
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 3013 sec

Infected Object Name - Virus Name
C:\Archivos de programa\AVPersonal\INFECTED\HHK.DLL.001 Infected: Trojan.Win32.Puper.q
C:\Archivos de programa\AVPersonal\INFECTED\HHK.DLL.002 Infected: Trojan.Win32.Puper.q
C:\Archivos de programa\AVPersonal\INFECTED\HHK.DLL.VIR Infected: Trojan.Win32.Puper.q
C:\Documents and Settings\All Users\Datos de programa\Symantec\Symantec AntiVirus Corporate

Edition\7.5\Quarantine\06100000.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Datos de programa\Symantec\Symantec AntiVirus Corporate

Edition\7.5\Quarantine\06100000.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Datos de programa\Symantec\Symantec AntiVirus Corporate

Edition\7.5\Quarantine\06100000.VBN/Beyond.class Infected:

Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\All Users\Datos de programa\Symantec\Symantec AntiVirus Corporate

Edition\7.5\Quarantine\06100000.VBN Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\WINDOWS\system32\hp8731.tmp Infected: Trojan.Win32.Puper.q
C:\WINDOWS\system32\intmon.exe Infected: Trojan.Win32.Puper.q
C:\WINDOWS\system32\intmonp.exe Infected: Trojan.Win32.Puper.o
C:\WINDOWS\system32\oleadm.dll Infected: Trojan.Win32.Agent.eq
C:\WINDOWS\system32\shnlog.exe Infected: Trojan.Win32.StartPage.zg
C:\WINDOWS\system32\wininet.dll Infected: Virus.Win32.Nsag.a
C:\WINDOWS\uninstIU.exe Infected: Trojan.Win32.Agent.eo

Scan process completed.


my next topic will be the hijackthis log, thanks
  • 0

Advertisements


#2
Piratacobra

Piratacobra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
this is my HJT log, computer freshly rebooted
I have tried several solutions posted before me, but with no results,

Thank you

Logfile of HijackThis v1.99.1
Scan saved at 12:10:09 p.m., on 18/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\shnlog.exe
C:\WINDOWS\System32\msole32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\ARCHIV~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\intmon.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\Alcohol.exe
C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\AntivirusGold\AntivirusGold.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\AntivirusGold\AntivirusGold.exe
C:\ARCHIV~1\Cacheman\Cacheman.exe
C:\WINDOWS\System32\hookdump.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\OpenOffice.org 1.9.104\program\soffice.exe
C:\Archivos de programa\Symantec AntiVirus\DefWatch.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\OpenOffice.org 1.9.104\program\soffice.BIN
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Symantec AntiVirus\SavRoam.exe
C:\Archivos de programa\Symantec AntiVirus\Rtvscan.exe
C:\Archivos de programa\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpC301.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Archivos de programa\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Archivos de programa\AntivirusGold\AntivirusGold.exe /h
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Cacheman] C:\ARCHIV~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Startup: OpenOffice.org 1.9.104.lnk = C:\Archivos de programa\OpenOffice.org 1.9.104\program\quickstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZUxdm022YYVE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117923256399
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F01D4F-6EF3-458C-9263-2F049DEC31FF}: NameServer = 192.168.0.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Archivos de programa\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Archivos de programa\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Archivos de programa\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Archivos de programa\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Archivos de programa\Symantec AntiVirus\Rtvscan.exe
  • 0

#3
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Piratacobra

Please post a new HJT.log so we can start the fix

Kc :tazz:
  • 0

#4
Piratacobra

Piratacobra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
Hi, thatman, here is the new HJT. log, again, freshly rebooted

Have fun



Logfile of HijackThis v1.99.1
Scan saved at 09:04:04 p.m., on 28/06/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\ARCHIV~1\SYMANT~1\VPTray.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\Alcohol.exe
C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\AntivirusGold\AntivirusGold.exe
C:\Archivos de programa\AntivirusGold\AntivirusGold.exe
C:\Archivos de programa\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Archivos de programa\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Archivos de programa\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Cacheman\Cacheman.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Symantec AntiVirus\DefWatch.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\ewido\security suite\ewidoguard.exe
C:\Archivos de programa\OpenOffice.org 1.9.104\program\soffice.exe
C:\Archivos de programa\OpenOffice.org 1.9.104\program\soffice.BIN
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Symantec AntiVirus\SavRoam.exe
C:\Archivos de programa\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\winvnc.exe
C:\Archivos de programa\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=C:\Archivos de programa\Ciber Boss 4 Cliente\cliente.exe /init
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpFFE2.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\archivos de programa\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Archivos de programa\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AntivirusGold] C:\Archivos de programa\AntivirusGold\AntivirusGold.exe /h
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Archivos de programa\Archivos comunes\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Archivos de programa\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Archivos de programa\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\WINDOWS\System32\winvnc.exe" -servicehelper
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Cacheman] C:\ARCHIV~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - Startup: OpenOffice.org 1.9.104.lnk = C:\Archivos de programa\OpenOffice.org 1.9.104\program\quickstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZUxdm022YYVE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Instantánea de caché de la página - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Páginas similares - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Páginas vinculadas - res://c:\archivos de programa\google\GoogleToolbar1.dll/cmbacklinks.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117923256399
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F01D4F-6EF3-458C-9263-2F049DEC31FF}: NameServer = 192.168.0.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Archivos de programa\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Archivos de programa\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Archivos de programa\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Archivos de programa\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Archivos de programa\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\WINDOWS\System32\winvnc.exe" -service (file missing)
  • 0

#5
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Piratacobra

Please read through the instructions before you start (you may want to print this out).

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Download Pocket Killbox and unzip it; save it to your Desktop.

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop. Don't run it yet!


Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first. Don't run yet.

Please set your system to show all files; please see here if you're unsure how to do this.

Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Please do not run it yet,

Reboot into Safe Mode: please see here if you are not sure how to do this.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpFFE2.tmp
O4 - HKLM\..\Run: [AntivirusGold] C:\Archivos de programa\AntivirusGold\AntivirusGold.exe /h
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\ARCHIV~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O8 - Extra context menu item: &Search - http://bar.mywebsear...?p=ZUxdm022YYVE
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.166.110....chm::/file.exe

Click on Fix Checked when finished and exit HijackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

C:\Archivos de programa\AntivirusGold<--Delete the whole folder

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run CWShredder to fix your CWS problem.

Run AD-Aware se

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\Archivos de programa\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\hpFFE2.tmp
C:\WINDOWS\System32\hookdump.exe
C:tsk.mht!http://69.50.166.110....chm::/file.exe.
Let the system reboot.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
[b]Please post the logs From Panda, Ewido HJT.log
We will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#6
Piratacobra

Piratacobra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
Hello, thatman, thanks for the help, the oneclick web AND the antivirus gold are gone:
The only peculiar thing is that, accordint to your instruction, I must first reboot in safe mode and then run HJT, but in save mode the oneclick web page registries does not appear, only appears in normal boot.
However, i followed all you posted and after rebooted,, runned HJT and removed the oneclick registries. I rebooted one more time and rechecked with HJT, all the oneclick registries are gone, thank god.
there are the logs you asked for:

PANDA:

Incident Status Location

Adware:Adware/PsGuard No disinfected C:\Archivos de programa\PSGuard\PSGuard.exe
Adware:Adware/PsGuard No disinfected C:\Archivos de programa\PSGuard\PSGuardSkin.dll
Adware:Adware/PsGuard No disinfected C:\Archivos de programa\PSGuard\Uninstall.exe
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Escritorio\Online Dating.url
Adware:Adware/PsGuard No disinfected C:\Documents and Settings\All Users\Escritorio\PSGuard.lnk
Adware:Adware/Popuper No disinfected C:\Documents and Settings\All Users\Escritorio\Remove Spyware.url
Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Usuario\Datos de programa\Microsoft\Internet Explorer\Quick Launch\AntivirusGold 2.0.lnk
Adware:Adware/PsGuard No disinfected C:\Documents and Settings\Usuario\Datos de programa\Microsoft\Internet Explorer\Quick Launch\PSGuard.lnk
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Usuario\Favoritos\Black Jack Online.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Usuario\Favoritos\Home Loan.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Usuario\Favoritos\Network Security.url
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Gambling\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Gambling.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Adipex.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Alprazolam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Carisoprodol.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Diazepam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Hydrocodone.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Lortab.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Online Pharmacy.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Prozac.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Valium.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Vicodin.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Xanax.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Usuario\Favoritos\Remove Spyware.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Usuario\Favoritos\Spam Filters.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Usuario\Favoritos\Take It Here - Free [bleep] TGP.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\Usuario\Favoritos\Web Detective.url
Adware:Adware/FunWeb No disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8.inf
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll

===============================

Ewido

---------------------------------------------------------
ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 12:00:45 p.m., 04/07/2005
+ Report-Checksum: 470573E3

+ Fecha de la base de datos: 04/07/2005
+ Versión del scanner: v3.0

+ Duración: 54 min
+ Archivos explorados: 63554
+ Velocidad: 19.61 Archivos/Segundo
+ Archivos infectados: 12
+ Archivos eliminados: 12
+ Archivos puestos en cuarentena: 12
+ Archivos que no se han podido abrir: 0
+ Archivos que no se han podido limpiar: 0

+ Carpeta: Si
+ Encriptar: Si
+ Archivos: No

+ Items explorados:
C:\
O:\

+ Resultados de la exploración:
C:\Archivos de programa\TDS3\xDynamic\TDS.Unpk\awm226.exe -> Dialer.Generic -> Limpio con backup
C:\Documents and Settings\Usuario\Cookies\usuario@as1.falkag[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\Usuario\Cookies\usuario@cgi-bin[2].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\Usuario\Cookies\usuario@geocities[2].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\Documents and Settings\Usuario\Cookies\usuario@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Limpio con backup
C:\WINDOWS\q1819953_disk.dll -> TrojanDownloader.Delf.pa -> Limpio con backup
C:\WINDOWS\system32\AWM226.exe -> Dialer.Generic -> Limpio con backup
C:\WINDOWS\system32\f3PSSavr.scr -> Spyware.MyWebSearch -> Limpio con backup
C:\WINDOWS\system32\msole32.exe -> Spyware.Hijacker.Generic -> Limpio con backup
C:\WINDOWS\system32\ole32vbs.exe -> Spyware.Hijacker.Generic -> Limpio con backup
C:\WINDOWS\system32\shnlog.exe -> Trojan.Puper.t -> Limpio con backup
C:\WINDOWS\uninstIU.exe -> Trojan.Agent.eo -> Limpio con backup


::Fin Report

==============================


HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 02:08:39 p.m., on 04/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\ARCHIV~1\SYMANT~1\VPTray.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\Alcohol.exe
C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Archivos de programa\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\Archivos de programa\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Cacheman\Cacheman.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\Symantec AntiVirus\DefWatch.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\OpenOffice.org 1.9.104\program\soffice.exe
C:\Archivos de programa\OpenOffice.org 1.9.104\program\soffice.BIN
C:\Archivos de programa\Symantec AntiVirus\SavRoam.exe
C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
C:\Archivos de programa\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\winvnc.exe
C:\Archivos de programa\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Archivos de programa\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Archivos de programa\Archivos comunes\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Archivos de programa\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Archivos de programa\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\WINDOWS\System32\winvnc.exe" -servicehelper
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Cacheman] C:\ARCHIV~1\Cacheman\Cacheman.exe
O4 - Startup: OpenOffice.org 1.9.104.lnk = C:\Archivos de programa\OpenOffice.org 1.9.104\program\quickstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117923256399
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F01D4F-6EF3-458C-9263-2F049DEC31FF}: NameServer = 192.168.0.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Archivos de programa\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Archivos de programa\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Archivos de programa\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Archivos de programa\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Archivos de programa\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\WINDOWS\System32\winvnc.exe" -service (file missing)
  • 0

#7
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi Piratacobra

Please read through the instructions before you start (you may want to print this out).

Download Pocket Killbox and unzip it; save it to your Desktop.

Please set your system to show all files; please see here if you're unsure how to do this.

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

VNC Server (winvnc)
When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t find this service listed go ahead with the next steps.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\WINDOWS\System32\winvnc.exe" -service (file missing)

Click on Fix Checked when finished and exit HijackThis.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\Archivos de programa\PSGuard\PSGuard.exe
C:\Documents and Settings\All Users\Escritorio\Online Dating.url
C:\Documents and Settings\All Users\Escritorio\PSGuard.lnk
C:\Documents and Settings\All Users\Escritorio\Remove Spyware.url
C:\Documents and Settings\Usuario\Datos de programa\Microsoft\Internet Explorer\Quick Launch\AntivirusGold 2.0.lnk
C:\Documents and Settings\Usuario\Datos de programa\Microsoft\Internet Explorer\Quick Launch\PSGuard.lnk
C:\Documents and Settings\Usuario\Favoritos\Black Jack Online.url
C:\Documents and Settings\Usuario\Favoritos\Home Loan.url
C:\Documents and Settings\Usuario\Favoritos\Network Security.url
C:\Documents and Settings\Usuario\Favoritos\Online Dating.url
C:\Documents and Settings\Usuario\Favoritos\Online Gambling\Online Gambling.url
C:\Documents and Settings\Usuario\Favoritos\Online Gambling.url
C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Adipex.url
C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Alprazolam.url
C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Carisoprodol.url
C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Diazepam.url
C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Hydrocodone.url
C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Lortab.url
C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Online Pharmacy.url
C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Prozac.url
C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Valium.url
C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Vicodin.url
C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy\Xanax.url
C:\Documents and Settings\Usuario\Favoritos\Online Pharmacy.url
C:\Documents and Settings\Usuario\Favoritos\Remove Spyware.url
C:\Documents and Settings\Usuario\Favoritos\Spam Filters.url
C:\Documents and Settings\Usuario\Favoritos\Take It Here - Free [bleep] TGP.url
C:\Documents and Settings\Usuario\Favoritos\Web Detective.url
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8.inf
Let the system reboot.

C:\Archivos de programa\PSGuard<--Delete the whole folder

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda, Ewido HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#8
Piratacobra

Piratacobra

    Member

  • Topic Starter
  • Member
  • PipPip
  • 71 posts
Hi, thatman, when you put at the end of every message:

"Please post the logs From Panda, Ewido HJT.logWe will need them to remove previous infections that have left files on your system."

Is that your signature or do you still detect some malware left in my system? ;)

Whaever, the OS is working property and all serious malware has been expelled, The only thing would be a thing in the Display Properties Panel, is has missing tabs, but i am not sure if it is due to a remaining malware or is due to a damaged file; only got two tabs, Screensaver and Settings. Would it be better if i try to repair Win XP?

anyway, there are the logs, just to check if I had done things properly, and Thanks in advance for helping me clean those devil critters!! :tazz:

PS: That pron url was already deleted with the Killbox ;)

Panda:

Incident Status Location

Adware:Adware/Popuper No disinfected C:\Documents and Settings\Usuario\Favoritos\Take It Here - Free [bleep] TGP.url
Virus:W32/Smitfraud.A Disinfected C:\WINDOWS\system32\wininet.dll
Ewido:

---------------------------------------------------------
ewido security suite - Report de exploración
---------------------------------------------------------

+ Creado en: 12:00:34 p.m., 05/07/2005
+ Report-Checksum: F201D6A9

+ Fecha de la base de datos: 04/07/2005
+ Versión del scanner: v3.0

+ Duración: 36 min
+ Archivos explorados: 61932
+ Velocidad: 28.52 Archivos/Segundo
+ Archivos infectados: 0
+ Archivos eliminados: 0
+ Archivos puestos en cuarentena: 0
+ Archivos que no se han podido abrir: 0
+ Archivos que no se han podido limpiar: 0

+ Carpeta: Si
+ Encriptar: Si
+ Archivos: No

+ Items explorados:
C:\
O:\

+ Resultados de la exploración:
No se han encontrado archivos infectados!


::Fin Report


HJT:

Logfile of HijackThis v1.99.1
Scan saved at 09:46:03 p.m., on 05/07/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\ARCHIV~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Alcohol Soft\Alcohol 120\Alcohol.exe
C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Archivos de programa\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Archivos de programa\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe
C:\ARCHIV~1\Cacheman\Cacheman.exe
C:\Archivos de programa\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Archivos de programa\OpenOffice.org 1.9.104\program\soffice.exe
C:\Archivos de programa\Symantec AntiVirus\DefWatch.exe
C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
C:\Archivos de programa\OpenOffice.org 1.9.104\program\soffice.BIN
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Archivos de programa\Symantec AntiVirus\SavRoam.exe
C:\Archivos de programa\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\winvnc.exe
C:\Archivos de programa\Raxco\PerfectDisk\PDSched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Alcohol.exe Autorun] C:\Archivos de programa\Alcohol Soft\Alcohol 120\Alcohol.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Archivos de programa\Archivos comunes\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Archivos de programa\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Archivos de programa\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\WINDOWS\System32\winvnc.exe" -servicehelper
O4 - HKCU\..\Run: [MsnMsgr] "C:\Archivos de programa\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Archivos de programa\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Cacheman] C:\ARCHIV~1\Cacheman\Cacheman.exe
O4 - Startup: OpenOffice.org 1.9.104.lnk = C:\Archivos de programa\OpenOffice.org 1.9.104\program\quickstart.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\ARCHIV~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1117923256399
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4F01D4F-6EF3-458C-9263-2F049DEC31FF}: NameServer = 192.168.0.1
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Archivos de programa\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Archivos de programa\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Archivos de programa\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Archivos de programa\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Archivos de programa\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Archivos de programa\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\WINDOWS\System32\winvnc.exe" -service (file missing)

Domo arigato
  • 0

#9
Guest_thatman_*

Guest_thatman_*
  • Guest
Start of fix

Hi Piratacobra

To scan individual files for malware analysis, you can use Jotti here: http://virusscan.jotti.org/
Please check the following file: C:\Archivos de programa\Raxco\PerfectDisk\ PDSched.exe<--This file

Also knowen as (PDSched.exe WORM_SDBOT.CN)

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware.
Check Here on how setup and use it - please make sure you update it first. Don't run yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Please download SpyBot V1.4 http://www.majorgeek...wnload2471.html Update the program then run it.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\WINDOWS\System32\winvnc.exe" -service (file missing)
Click on Fix Checked when finished and exit HijackThis.

Run Ad-aware se let remove all it finds

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
C:\WINDOWS\System32\winvnc.exe[/B]
Let the system reboot.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.When the scan has finnished click the close button
When prompted the system will log off to let it clean out the remaining files. when the log screen shows log back on and continue the fix.

Please download spyware-scan and save it to your desktop.

Please post the logs From Ewido and HijackThis We will need them to remove previous infections that have left files on your system.

Kc :tazz:

End of fix
  • 0

#10
Guest_thatman_*

Guest_thatman_*
  • Guest
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP