Aurora Strikes Again [RESOLVED]


#1 grrlpwr (Member, 38 posts)

Hi,
I got such fantastic help for my last post re: the aurora spyware, etc, that I am back again. Unfortunately, my second co-worker's computer appears to be infected as well.

I have followed the suggested steps before posting and below is my HijackThis Log, as well as my Ewido log.

Any help will be greatly appreciated!!

grrlpwr

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:58:45 PM, on 6/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120173946718
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {D6E66235-7AA6-44ED-A06C-6F2033B1D993} - http://146.82.109.20...tion/msiein.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Ewido Log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:12:29 PM, 6/30/2005
+ Report-Checksum: 1EAA5D6

+ Date of database: 6/30/2005
+ Version of scan engine: v3.0

+ Duration: 24 min
+ Scanned Files: 59937
+ Speed: 41.62 Files/Second
+ Infected files: 130
+ Removed files: 130
+ Files put in quarantine: 130
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\aclu\Local Settings\Temp\temp.frB34F -> Trojan.Imiserv.c -> Cleaned with backup
C:\Documents and Settings\aclu\Local Settings\Temp\temp.frFCDE -> Trojan.Agent.db -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\130190AE-1A30-454B-A327-A8ED79\661BA06A-B095-41F1-8862-F8E5EE -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\13D30EC1-692B-4813-BC18-DED8F8\4524EBED-88D2-4CC3-88F6-62EA16 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\18288D23-0692-4B7C-9527-63E1FF\015B6CFC-AC80-4602-8BDD-88BD95 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\186F389E-BD75-43A1-94D5-C9058E\13C4FA52-62CC-4654-89E9-4EB437 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\1CCF2229-D189-4560-BEFD-812525\6FEEBC8C-E674-4408-9638-127EDD -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\1DD31F8A-3B16-4A06-9249-FA6468\6B6EFCBD-9EE2-4BB2-8F01-BF2925 -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\1DD31F8A-3B16-4A06-9249-FA6468\CB571691-59A2-4A4F-AD50-867DA5 -> Spyware.ImiBar.d -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\33CA90C2-D53C-4C9A-8140-94C6A7\AA385F3C-3B4C-44FA-B3AE-502DE0 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\34858D1E-83FA-47DB-8507-4DB1BC\7C5E24DE-8B8F-4E60-8F45-E1FB4E -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\34858D1E-83FA-47DB-8507-4DB1BC\F6969DE8-243C-447A-A758-2C6FA2 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\3DD40472-F4B3-4F95-BA94-768936\857B5D90-E1C9-405D-955F-0978A6 -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\3DD40472-F4B3-4F95-BA94-768936\D89F1A86-86FE-4550-B38A-260AF4 -> Spyware.ImiBar.d -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\41DC7297-A989-42B3-B3A8-778B27\9EBE750A-DC4C-4319-99B6-9E3DC0 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\4E740DD8-E7B3-4E21-8FA2-9E52E8\67B4187C-94BD-4676-8F98-A9D0FE -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\52286FFB-A270-436B-867E-33C094\1AFFF4C3-DB72-4DFA-B3AD-4AE85E -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\52349761-003D-4E70-A6DC-AB0BE7\1F8329BF-AF46-4622-B044-3F64BF -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\52349761-003D-4E70-A6DC-AB0BE7\4A502E75-8821-4C1F-83EA-BEAB49 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\52349761-003D-4E70-A6DC-AB0BE7\E2595975-D044-426D-A40C-146F1E -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\55CB0EC2-7604-4841-95D2-7B25F4\22D890A9-938C-4119-952B-58F59B -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\56F97433-A020-4819-878B-5C2911\FFFF588B-22A9-4447-982A-E9986D -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\5E7BA007-A1A3-4A0C-A779-ACDCFF\577D9AE8-9263-434C-9FAF-D4E9E6 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\5E7BA007-A1A3-4A0C-A779-ACDCFF\DD66139B-F0F6-48A6-B0FC-B291D7 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\5E991551-335E-45ED-BDFF-8FA235\EC4DA7A7-E2D1-456C-95D1-7B375A -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\62CECF8F-EB7E-40F6-AE95-E03755\0B06906F-9091-4688-ACB6-1BE264 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\6309D691-56FD-481B-BF33-37EC58\2F92A353-06A7-43B5-A406-3F5AB3 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\6614290D-4045-46B1-9551-5C4113\F849B936-300E-4C39-8F22-8422CA -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\86B53379-FE47-4E3F-B78D-F55085\39030B4A-4A7F-46A5-9AD3-675BD7 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\86B53379-FE47-4E3F-B78D-F55085\5580490D-7F9A-42C3-83A3-6493BD -> Trojan.Stervis.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\86B53379-FE47-4E3F-B78D-F55085\8703B4D8-B4C4-41DF-907C-BAF287 -> Trojan.Nail -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\91390161-B34E-4CB7-AB94-782A16\A0C0EC08-9CCE-4FCE-952C-E6644E -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\933BFFE2-1242-4205-84A6-63011B\41C079BC-6C8C-4746-B47C-FE0C6F -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\95654D96-6480-4578-8CEB-735013\08045EAE-C02A-44DC-A5E5-C42E4F -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\95654D96-6480-4578-8CEB-735013\6DDB8B78-2930-47E7-8801-AD3209 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\95A5270F-EFCE-4029-83C3-1F9562\620FFC54-E2D7-435C-803A-8DB9EF -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9CA6FDD7-961C-4ED6-BA54-0AA6A6\3321B411-FDD0-4BE1-821C-6A3F7C -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\A4495345-A1AC-4CF8-85C9-E9A261\44184068-6F26-4249-B78D-6FB40B -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\A6747917-1E68-47C1-AE9B-D31FDD\CB5700BC-903E-449F-8FB8-46738D -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\AAD2AF89-440E-4426-84E6-C9C0B1\E63B445F-8F29-41C1-8045-B52EA8 -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\B3D5AE42-E2D2-4C6F-B93B-5DAE73\561D9582-F728-4D90-992B-C4CFCF -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\BD1EBF6E-2EC7-4F0D-8FB5-31A0F7\F04F430C-927C-4A3D-BBF6-77EC3B -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\C33CB264-25DE-43C7-B272-8E2E93\E1B62E9C-B7A6-48DB-8FD4-2E0555 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\C59AEED6-093A-4073-ABCA-BB9927\E88485E3-C647-4B04-9F7C-E2F5FC -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\C741DD44-DECA-4A19-A062-D3024C\80D10060-84B9-4555-A40A-D152F8 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\CB669CFE-D2BC-4962-A150-959F66\F234C226-22D6-458E-97AD-8CA246 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\CC63FEEB-D806-41F0-91DF-AF5DC4\3C1D8FA3-7201-41BA-89AF-8BCDF3 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\D6748854-6D45-4998-91C4-3EB98D\C06A72CC-19DB-4CD8-A65B-609262 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\D6748854-6D45-4998-91C4-3EB98D\DC191526-C3B8-479B-979A-FE5569 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\DDB66D23-ED93-4D21-AF45-B06751\45621A62-9832-4325-A1C0-49F5F9 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\DF7C0D70-8B36-4391-B6A0-4E981B\53642ECE-A560-451F-8B19-C5A01E -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\E4EFAF65-2F76-40F1-81B4-D51847\6CFD951E-43EF-43FC-B8BE-E074B8 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\E7BD1BF5-D58F-421A-AE0D-0E6E51\92BB9A2E-5E63-4D75-B9D1-8AA3BF -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\E9AEA248-580C-4CDF-9FB4-8525E1\15DCD788-7860-4D3F-B98B-310636 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\E9AEA248-580C-4CDF-9FB4-8525E1\D7F4B9BA-5E6D-456F-866F-54D145 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\E9AEA248-580C-4CDF-9FB4-8525E1\EDBEF209-F3F8-4139-B293-E4A402 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\E9AEA248-580C-4CDF-9FB4-8525E1\FB21722C-3CC4-4455-B988-767B95 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EA02F719-BF10-4586-879E-FF42C9\29B8B78A-7062-4CBF-95BB-D8002A -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EA205AF5-8F62-4138-9FE1-C92F70\DC7105E5-6753-482B-95F2-A91324 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EF3D2AF0-C20F-4876-8889-94CFFD\D6BD3A8C-4CC0-45ED-8B88-011C5D -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\F228FCDA-DD98-40EB-BE25-188466\F2642856-7F44-4889-9E08-49F3C4 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\F85C23F6-A026-4F77-B4DE-A02708\FC723AA4-EF04-4C44-BE26-D7C55E -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\F877E65B-702A-4FEF-A250-F3348B\A9541358-8F2D-440C-8E9F-8BF9B6 -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> TrojanDropper.VB.cd -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP108\A0002333.exe -> TrojanDownloader.Agent.ae -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP110\A0002342.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP111\A0002359.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP114\A0002415.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP116\A0002455.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP119\A0002544.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP120\A0002565.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP121\A0002567.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP124\A0002598.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP124\A0002651.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP125\A0002662.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP126\A0002681.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP127\A0002704.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP128\A0002725.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP129\A0002728.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP130\A0002754.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP132\A0002799.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP133\A0002814.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP139\A0002850.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP140\A0002919.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP141\A0002930.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP142\A0002951.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP144\A0002957.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP145\A0002977.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP147\A0003040.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP148\A0003057.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP148\A0003058.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP148\A0003072.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP148\A0003075.dll -> Spyware.NoName -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP148\A0003086.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP148\A0003093.exe -> TrojanDropper.Inflator.b -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP149\A0003108.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP149\A0003110.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP149\A0003112.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003117.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003118.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003120.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003413.exe -> TrojanDropper.Inflator.b -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003467.dll -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003470.dll -> Spyware.BiSpy.t -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003471.exe -> Trojan.KeyHost.e -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003472.exe -> TrojanDownloader.Agent.ae -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003473.exe -> TrojanDownloader.Agent.ae -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003474.dll -> Spyware.BiSpy.c -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003476.exe -> Spyware.Ebates.a -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003477.DLL -> Trojan.KeyHost.e -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003478.exe -> TrojanDownloader.Agent.ae -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003479.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003480.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP150\A0003481.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP151\A0003516.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP151\A0003518.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP151\A0003528.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP151\A0003532.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP151\A0003540.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP151\A0003548.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP151\A0003554.exe -> Trojan.Nail -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP151\snapshot\MFEX-5.DAT -> Trojan.Agent.db -> Cleaned with backup
C:\System Volume Information\_restore{B5900582-1901-4F7E-BAFE-8FEB08721D95}\RP151\snapshot\MFEX-94.DAT -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gamebar.dll -> Spyware.MegaSearch.b -> Cleaned with backup
C:\WINDOWS\enhtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\enhuninstall.exe -> Spyware.NoName -> Cleaned with backup
C:\WINDOWS\svcproc.exe -> Trojan.Stervis.c -> Cleaned with backup
C:\WINDOWS\SYSTEM32\DrPMon.dll -> Trojan.Agent.db -> Cleaned with backup
C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\xoetgjomfes.exe -> Spyware.BetterInternet -> Cleaned with backup


::Report End


Thanks Again!!!

#2 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)

*read post below

Edited by Excal, 30 June 2005 - 06:20 PM.


#3 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)

Hi grrlpwr,

So we meet again......

I was ready to yell at u!!! lol

I thought this was yours, but I see it's not... so you're ok ;)

*Edit - Clean out the Quarantine sections of your Virus scanner please

I will have a fix up for you shortly ;)

:tazz:

Excal

#4 Excal (Malware Slayer Extraordinaire!, Retired Staff, 12,739 posts)

Hi grrlpwr and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This may be a few-step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

You must have done a good job in pre-cleaning!!


DOWNLOAD PROGRAMS


Download and install CleanUp! Here. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {D6E66235-7AA6-44ED-A06C-6F2033B1D993} - http://146.82.109.20...tion/msiein.cab


7. Click the Fix Checked box.

8. Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Ebates_MoeMoneyMaker

9. Please remove the following folders using Windows Explorer (if present):

C:\Program Files\Ebates_MoeMoneyMaker

10. Open up Ewido and do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files; click OK.


11. Run the program CleanUp!

12. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

13. Please post the Active scan log and a fresh HiJackThis log. Let me know how your computer is running.
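The three criteria behind the items checked in step 6 above (an IE registry setting whose value has been blanked, an entry whose target file is missing, and an ActiveX control pulled from a bare IP address) can be applied mechanically to a HijackThis log. This Python checker is an added example, not part of the thread or of HijackThis itself; the sample lines are copied from the log posted above, while the regexes, reason strings and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: entries copied from the HijackThis log posted in
# the thread, with benign entries from the same log kept for contrast. A raw
# string keeps the backslashes in the Windows paths literal.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120173946718
O16 - DPF: {D6E66235-7AA6-44ED-A06C-6F2033B1D993} - http://146.82.109.20...tion/msiein.cab
"""

# Every HijackThis entry starts with a section tag (R0, R1, O2, O16, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
# A URL whose host is a dotted quad instead of a DNS name.
IP_HOST_RE = re.compile(r"\bhttps?://(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entry(line: str) -> Optional[Tuple[str, str]]:
    """Split one HijackThis entry into its section tag and the rest of the line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return m.group("section"), m.group("body")


def check_entry(line: str) -> Optional[Finding]:
    """Apply the three review criteria from the fix above to a single entry."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    section, body = parsed
    if section in ("R0", "R1"):
        # R entries are "key = value"; a blank value means the IE setting was wiped.
        _key, _sep, value = body.partition("=")
        if value.strip() == "":
            return Finding(section, "IE registry setting with an empty value", line)
    if "(file missing)" in body:
        return Finding(section, "entry points at a file that no longer exists (orphaned leftover)", line)
    if section == "O16" and IP_HOST_RE.search(body):
        return Finding(section, "ActiveX control (DPF) fetched from a bare IP address, not a vendor hostname", line)
    return None


def audit_log(text: str) -> List[Finding]:
    """Return the findings for every entry in a HijackThis log, in log order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        finding = check_entry(raw)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample it reports exactly the three entries Excal told the poster to fix; entries such as the Google Toolbar BHO and the Windows Update DPF pass through untouched.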

#5 grrlpwr (Topic Starter, Member, 38 posts)

Excal,
Yay! Glad I got you as my helper again! I have done all you asked, except I cannot delete the quarantined files in my Norton antivirus. It denies me permission, which is a bit weird.

I also could not, after 3 tries, download ActiveScan. So, I went ahead and did everything else except those two things.

Here is the new HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:47:50 AM, on 7/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 7.0\aoltray.exe
C:\Program Files\Java\jre1.5.0\bin\jucheck.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120173946718
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Hope it is all gone!! And the computer is running faster.

grrlpwr

#6
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Before I can check any more for you, the next step in this process is to apply Service Pack 1a for Windows XP. Without this update you're wide open to re-infection, and we're both just wasting our time. Click here: http://www.microsoft...p1/default.mspx Apply the update, reboot, and post a fresh HijackThis log.

Thanks,

Excal

#7
grrlpwr

    Member

  • Topic Starter
  • Member
  • 38 posts
Actually, I did do the patch last night as recommended. I made sure I did the SP1 patch, not the SP2 patch, since that was not recommended if you still have malware. Does it not show up in the HijackThis scan?

#8
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Right now it doesn't show up that you have SP1; try one more time.

Excal

#9
grrlpwr

    Member

  • Topic Starter
  • Member
  • 38 posts
Hi,
Here is my latest HijackThis log, after downloading Windows SP1. I still have had no luck running an ActiveScan. I think there is a problem with their website. Needless to say, I am a tad frustrated.

Thanks for your patience.....


Logfile of HijackThis v1.99.1
Scan saved at 4:03:31 PM, on 7/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Camio Viewer.lnk = C:\Program Files\Dell Computer\Dell Image Expert\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120173946718
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.googl...gleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#10
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Well, your HijackThis log looks really clean, which is good.


Try this scan:

Kaspersky
#11
grrlpwr

    Member

  • Topic Starter
  • Member
  • 38 posts
Okay, I will try that scan. The only weird thing is, now that I have applied Windows SP1, it seems like the computer is running really slow. Do I now need to go and apply the SP3 that is out there too, if there is no malware on the computer?

Sorry for all the questions; it just seems a bit baffling.

grrlpwr

#12
Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Don't apply SP2 yet. Let's make sure you are all cleaned out first.

If that online scan doesn't work, let's try this downloadable one:

Download eScan: http://www.mwti.net/...e_utilities.asp
It is better to disable your own virus scanner while performing the next scan.

In scan options, check everything.
Also, scan all files.
When done, click Scan.

When the scan is done, you'll get an option to make a log. You'll get a long log.
Open that log and copy and paste all the lines/files where it says 'infected' in your next reply.

Don't copy and paste the lines from infected files that are present in recovery or backup folders from an anti-spyware scanner (e.g. Ad-Aware, Spybot S&D) or your virus scanner. Those I don't need.
I don't need the infected files/lines that are present in your System Volume Information folder.
I just want all the other infected ones apart from those above.
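Pulling the 'infected' lines out of a long eScan log while skipping restore-point and quarantine copies is a filtering job a script does more reliably than a scrollbar, and a plain search for the word "infected" also catches progress and summary lines that are not detections at all. The Python below is an added example, not part of the post and not eScan's own tooling. The line shape it parses (File <path> infected by "<name>" ...) is an assumption about the log format, and the sample lines are constructed: the paths are made up apart from C:\WINDOWS\satmat.ini, which appears later in this thread.

```python
import re

# Constructed sample in the general shape of an eScan (mwav) log. The format is an
# assumption, not copied from a real log; the paths are made up except
# C:\WINDOWS\satmat.ini, which appears in this thread. Mixed in are exactly the
# kinds of lines the post says not to paste: a System Restore point, an Ad-Aware
# quarantine, a Norton quarantine, plus progress and summary lines that also
# contain the word "Infected".
SAMPLE_ESCAN_LOG = r"""
Scanning File C:\WINDOWS\system32\kernel32.dll
File C:\WINDOWS\satmat.ini infected by "Adware/IPInsight" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP12\A0001234.exe infected by "Trojan.Downloader" Virus. Action Taken: No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Personal\Quarantine\2005-06-30.zip infected by "Adware.Ebates" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2E3F1A2B.dat infected by "W32.Gaobot" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\drivers\etc\hosts infected by "HostsFile.Changed" Virus. Action Taken: No Action Taken.
Total Number of Files Scanned: 12345
Total Number of Files Infected: 5
"""

# A detection line: File <path> infected by "<name>" ... (assumed shape).
DETECTION_RE = re.compile(r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)"', re.I)
# Folders whose hits are stored copies rather than live infections: restore
# points and the quarantine/backup stores of other scanners.
NOISE_DIRS = re.compile(r"\\(system volume information|quarantine|backups?|recovery)\\", re.I)


def filter_escan_log(text):
    """Split detections into (live, noise); each item is (path, detection name)."""
    live, noise = [], []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            # Progress and summary lines: not detections, even when they say 'Infected'.
            continue
        item = (m.group("path"), m.group("name"))
        (noise if NOISE_DIRS.search(item[0]) else live).append(item)
    return live, noise


if __name__ == "__main__":
    live, noise = filter_escan_log(SAMPLE_ESCAN_LOG)
    print(f"{len(live)} live detection(s) to paste, {len(noise)} skipped as restore/quarantine copies")
    for path, name in live:
        print(f"  {name:<20} {path}")
```

Only the `live` list is what the helper asked for; the `noise` list is kept rather than thrown away so you can still see what was excluded and why, which matters if a quarantine folder turns out to be somewhere the regex did not expect.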

#13
grrlpwr

    Member

  • Topic Starter
  • Member
  • 38 posts
Okay, now the computer is running even worse than it was before. I downloaded Kaspersky and tried to run it, and it took forever to download and then, after over an hour, had still only scanned a small portion of the computer.

I ended up leaving it running (because there is only so much time I will spend at the office on a long weekend) and it still didn't finish.

Now it takes about 3-5 minutes to open any program on the computer. I am going to uninstall Kaspersky because I am afraid it is interacting badly with the other programs on the computer. Are there any scans I can do that don't involve downloading, to see what is going on? The downloading is taking forever each time as well, which is weird because we have a T1 line.

grrlpwr

#14
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Hello grrlpwr,
Excal is having problems with his Internet, so I am taking over for him.

Actually, Kaspersky won't interfere with anything because it's not an on-computer scan - it is an online scan (yes, you download components but it's not like an actual virus scan such as Norton).

Anyway, please go here:
http://uk.trendmicro...call_launch.php

Click "Check my PC now"
On the next screen after a few seconds, let me know if anything has a red X next to it and which item.
If they are all green, read the agreement. If you agree with it, click the box next to "I agree", then click continue with next step. Follow the rest of the instructions. If it gives the option for "Auto-Clean" please put a check next to it. If anything is found please post the results here for me.

#15
grrlpwr

    Member

  • Topic Starter
  • Member
  • 38 posts
Thanks for taking over! I was able to get the computer working normally again yesterday and was finally able to run Panda's ActiveScan on it. I also ran Trend HouseCall.

Here is the Active Scan report:


Incident                    Status          Location

Spyware:Spyware/BetterInet  No disinfected  Windows Registry
Adware:Adware/Twain-Tech    No disinfected  C:\WINDOWS\satmat.ini
Virus:W32/Bagle.CA.worm     Disinfected     Personal Folders\Deleted Items\Fairy_tale.zip[123456.exe]
Virus:Trj/Mitglieder.DC     Disinfected     Personal Folders\Deleted Items\5.zip[16_05_2005.exe]
Virus:W32/Gaobot.JJ.worm    Disinfected     Personal Folders\Deleted Items\Your password has been updated\updated-password.zip[updated-password.htm .exe]
Virus:W32/Gaobot.JJ.worm    Disinfected     Personal Folders\Deleted Items\Your password has been successfully updated\updated-password.zip[updated-password.doc .scr]
Virus:W32/Gaobot.JJ.worm    Disinfected     Personal Folders\Deleted Items\MMEJYOLTEB\important-details.zip[important-details.htm .pif]
Virus:W32/Gaobot.JJ.worm    Disinfected     Personal Folders\Deleted Items\Warning Message: Your services near to be closed.\account-details.zip[account-details.doc .scr]
Adware:Adware/IPInsight     No disinfected  C:\WINDOWS\satmat.ini
Virus:W32/Gaobot.JJ.worm    Disinfected     Local Folders\Deleted Items\MMEJYOLTEB\[important-details.zip][important-details.htm .pif]
Virus:W32/Bagle.CA.worm     Disinfected     Local Folders\Deleted Items\[Fairy_tale.zip][123456.exe]
Virus:Trj/Mitglieder.DC     Disinfected     Local Folders\Deleted Items\[5.zip][16_05_2005.exe]
Virus:W32/Gaobot.JJ.worm    Disinfected     Local Folders\Deleted Items\Your password has been updated\[updated-password.zip][updated-password.htm .exe]
Virus:W32/Gaobot.JJ.worm    Disinfected     Local Folders\Deleted Items\Your password has been successfully updated\[updated-password.zip][updated-password.doc .scr]
Virus:W32/Gaobot.JJ.worm    Disinfected     Local Folders\Deleted Items\Warning Message: Your services near to be closed.\[account-details.zip][account-details.doc .scr]


thanks!! grrlpwr