Malware infection? [RESOLVED]


#1
k8yse (Member, 61 posts)
I have run through all of the pre-posting steps and removed a lot of stuff. Ran Cleanup, Adaware, Spybot, CWShredder, Housecall, Ewido and Norton antivirus scan which is installed on the computer. Popups seem to be gone or minimized; however, whatever was on the computer stopped Norton from installing virus definition updates after 6/3/2005. Program and virus definitions download and program updates install OK; however, although virus defs are downloaded, they fail to install. I reinstalled LiveUpdate but still have the problem. When the computer boots, NAV Auto-Protect is always turned off. If you turn it back on, it may stay on for a while and then turn off by itself. It seems something is trying to defeat NAV. This is a WinXP Home machine; Service Pack 2 is not installed. I didn't want to install any updates when the malware might still be on here. The machine has always been behind a router firewall. Norton has always been active and up-to-date until the problem after 6/3/2005. Originally, Spybot would stop responding when it tried to fix problems, but after running it several times and doing the other steps, it was able to get through and defeat all problems that it found. Latest versions of all programs were used.

Here's the Hijackthis log. Hope someone can help me find the residue that is defeating NAV. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 11:02:46 AM, on 7/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\odgcsu.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\System32\accwiz.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Internet Downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...ir2.dll?s=consumerfav&c=2c02&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presari...ir2.dll?s=consumerfav&c=1c02&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [odgcsu] c:\windows\system32\odgcsu.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MBKWBarManager] C:\Program Files\MBKWBar\TManager.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
O4 - Startup: 12Ghosts Popup-Killer.lnk = ?
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://webair6.acces...//chm.chm::/files/initial.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
#2
don77 (Malware Expert, Retired Staff, 18,526 posts)
Hi again John, welcome back,

Could you post back an updated HJT log please?
When Notepad is open, could you go to Edit and make sure Word Wrap is unchecked please.
#3
k8yse (Topic Starter, Member, 61 posts)
Hi again,

This is my other daughter's computer which is a Compaq desktop.

Some other things have been noted since my original post. I waited until now to post them because I didn't want to reply until somebody was working with me.

Something is happening with Outlook that creates multiple copies of ads coming in as email. They seem to occur after the regular email download. You hit the send/receive and a message will pop in and it will appear several times in the message listing. You keep hitting the send/receive and more will come in. Sometimes it's two copies, sometimes it could be 8 copies of the same message with the same date/time stamp. It almost looks like there is another engine that is retrieving mail from these ad sites and piping them into Outlook multiple times.

I keep removing BetterInternet with Norton, Ewido etc. and I downloaded the fix from Norton, but it keeps coming back when I scan again. I have run Panda's scan twice now and I'll post the results first and then the latest HijackThis log.

There must be a lot of stuff embedded in here that I'm not getting rid of with Spybot, Adaware, Ewido, Norton and Panda.

You must be very busy with fixing everyone's problems. But I do really appreciate the time and effort that you expend. Thank you very much for doing this.

Here's the first and second Panda scan:

Incident Status Location

Adware:Adware/Twain-Tech No disinfected C:\windows\system32\odgcsu.exe
Adware:Adware/Yahoo No disinfected C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
Adware:Adware/Twain-Tech No disinfected c:\windows\system32\odgcsu.exe
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/nCase No disinfected C:\WINDOWS\System32\FLEOK
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\stwsi
Adware:Adware/KeenValue No disinfected C:\WINDOWS\System32\drivers\etc\hosts.bho
Adware:Adware/WinTools No disinfected Windows Registry
Adware:Adware/AdDestroyer No disinfected C:\Documents and Settings\Ed\Start Menu\Programs\AdDestroyer
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\System32\InnerVBInstall.log
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\satmat.ini
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\System32\fiz1
Adware:Adware/Transponder No disinfected C:\DOCUME~1\Ed\LOCALS~1\Temp\DrTemp
Adware:Adware/MBKWBar No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/BrilliantDigital No disinfected C:\Program Files\Kazaa\bdcore.dll
Adware:Adware/Yahoo No disinfected C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\satmat.ini
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\fiz1
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\INNERADINSTALL.LOG
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\INNERVBINSTALL.LOG
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\system32\odgcsu.exe
------------------------------------------------------------------------------------

Incident Status Location

Adware:Adware/Twain-Tech No disinfected C:\windows\system32\odgcsu.exe
Adware:Adware/Yahoo No disinfected C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
Adware:Adware/Twain-Tech No disinfected c:\windows\system32\odgcsu.exe
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/nCase No disinfected C:\WINDOWS\System32\FLEOK
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\stwsi
Spyware:Spyware/ISTbar No disinfected Windows Registry
Adware:Adware/KeenValue No disinfected C:\WINDOWS\System32\drivers\etc\hosts.bho
Adware:Adware/AdDestroyer No disinfected C:\Documents and Settings\Ed\Start Menu\Programs\AdDestroyer
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\System32\InnerVBInstall.log
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/Startpage.GX No disinfected Windows Registry
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\satmat.ini
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\System32\fiz1
Adware:Adware/Transponder No disinfected C:\DOCUME~1\Ed\LOCALS~1\Temp\DrTemp
Adware:Adware/MBKWBar No disinfected Windows Registry
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Ed\Local Settings\Temp\DrTemp\ceres.cab
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Ed\Local Settings\Temp\DrTemp\ceres.cab[ceres.inf]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Ed\Local Settings\Temp\DrTemp\ceres.cab[ceres.dll]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\7W1V6GQZ\ceres[1].cab
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\7W1V6GQZ\ceres[1].cab[ceres.inf]
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\7W1V6GQZ\ceres[1].cab[ceres.dll]
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/BrilliantDigital No disinfected C:\Program Files\Kazaa\bdcore.dll
Adware:Adware/Yahoo No disinfected C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\satmat.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\satmat.ini
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\fiz1
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\INNERADINSTALL.LOG
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\INNERVBINSTALL.LOG
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\system32\odgcsu.exe
-----------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:22:17 PM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\odgcsu.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\System32\accwiz.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Internet Downloads\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=2c02&lc=0409
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presari...&c=1c02&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [odgcsu] c:\windows\system32\odgcsu.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [MBKWBarManager] C:\Program Files\MBKWBar\TManager.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
O4 - Startup: 12Ghosts Popup-Killer.lnk = ?
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
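The triage a helper performs on a log like the two posted above, together with the removal list that comes out of it, as an added example: this is not code from the thread, from HijackThis or from Panda. It assumes the HijackThis 1.99 entry syntax and the Panda ActiveScan report format exactly as they appear above; the sample inputs are a constructed excerpt of those logs (the host in the ms-its: URL is a placeholder, because the original is truncated). The checks are the ones applied by eye in threads like this: IE search settings hijacked to about:blank, toolbar/BHO CLSIDs whose file is gone, autoruns that coincide with a scanner detection, DPF (ActiveX) installs served from ms-its:/file:// rather than the web, and unowned services whose binary is missing.

```python
"""Added example (not code from the thread, HijackThis or Panda): triage a
HijackThis 1.99 log against an antispyware scan report and produce the removal
list a helper would post back.  Sample inputs are a constructed excerpt of the
entries posted above; the host in the ms-its: URL is a placeholder."""
import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [odgcsu] c:\windows\system32\odgcsu.exe
O4 - HKCU\..\Run: [MBKWBarManager] C:\Program Files\MBKWBar\TManager.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://host.invalid/chm.chm::/files/initial.cab
O16 - DPF: {FE1A240F-B247-4E06-A600-30E28F5AF3A0} - file://C:\install.cab
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""
# Panda ActiveScan report lines: "<threat> No disinfected <path or 'Windows Registry'>"
SAMPLE_SCAN = r"""
Adware:Adware/Twain-Tech No disinfected C:\windows\system32\odgcsu.exe
Adware:Adware/MBKWBar No disinfected Windows Registry
Adware:Adware/Yahoo No disinfected C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
"""

HJT_LINE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<detail>.+)$")
SCAN_LINE = re.compile(r"^(?P<threat>\S+)\s+No disinfected\s+(?P<where>.+)$")
EXE_PATH = re.compile(r'"?([a-z]:\\[^"]+?\.exe)"?', re.IGNORECASE)  # first drive-letter .exe path


@dataclass
class Finding:
    line: str         # the HJT entry as posted
    reason: str       # why it was flagged
    action: str       # "hjt_fix" (tick it in HijackThis), "delete_file" or "delete_service"
    target: str = ""  # file path or service name for the two non-HJT actions


def parse_hjt(text):
    """Return (kind, detail, raw) per entry line; the header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append((m["kind"], m["detail"], raw.strip()))
    return entries


def parse_scan(text):
    """Map each lower-cased detection location to its threat family name."""
    hits = {}
    for raw in text.splitlines():
        m = SCAN_LINE.match(raw.strip())
        if m:
            hits[m["where"].lower()] = m["threat"].split("/")[-1].lower()
    return hits


def triage(entries, detections):
    """Apply the checks a helper applies by eye and return the findings."""
    findings = []
    for kind, detail, raw in entries:
        if kind in ("R0", "R1") and detail.endswith("= about:blank"):
            findings.append(Finding(raw, "IE search/start setting hijacked to about:blank", "hjt_fix"))
        elif kind == "R3" and "missing" in detail:
            findings.append(Finding(raw, "URLSearchHook removed; let HJT restore the default", "hjt_fix"))
        elif kind in ("O2", "O3") and detail.endswith("(no file)"):
            findings.append(Finding(raw, "CLSID still registered but its DLL is gone", "hjt_fix"))
        elif kind == "O4":
            m = EXE_PATH.search(detail)
            path = m.group(1).lower() if m else ""
            # exact path hit from the scanner, or the family name occurring in the path
            family = detections.get(path) or next((f for f in detections.values() if path and f in path), None)
            if family:
                findings.append(Finding(raw, f"autorun matches scanner detection ({family})", "hjt_fix"))
                findings.append(Finding(raw, f"autorun matches scanner detection ({family})", "delete_file", path))
        elif kind == "O16":
            url = detail.rsplit(" - ", 1)[-1]
            if not url.lower().startswith(("http://", "https://")):
                findings.append(Finding(raw, f"ActiveX installed from a {url.split(':', 1)[0]}: URL, not the web", "hjt_fix"))
        elif kind == "O23" and "Unknown owner" in detail and "(file missing)" in detail:
            name = re.search(r"\((\w+)\)", detail)
            findings.append(Finding(raw, "unowned service whose binary is gone", "delete_service", name.group(1) if name else ""))
    return findings


def removal_plan(findings):
    """Group findings as the reply is written: HJT lines to tick, files to delete in Safe Mode, dead services (sc delete <name>)."""
    plan = {"hjt_fix": [], "delete_file": [], "delete_service": []}
    for f in findings:
        item = f.line if f.action == "hjt_fix" else f.target
        if item not in plan[f.action]:
            plan[f.action].append(item)
    return plan


if __name__ == "__main__":
    for section, items in removal_plan(triage(parse_hjt(SAMPLE_LOG), parse_scan(SAMPLE_SCAN))).items():
        print(section, *items, sep="\n    ")
```

Run as a script it prints the three groups. The cross-reference against the scanner report is what separates odgcsu.exe (flagged by Panda as Twain-Tech) from legitimate autoruns such as ccApp.exe; a name-only rule on system32 executables would either miss it or flag the wrong things. The plan is only a list to act on: ticking the entries in HijackThis, deleting the files in Safe Mode and removing the dead service are still manual steps, and anything deleted should be re-checked with a fresh log afterwards, because adware of this kind re-creates its autoruns if any component is left running.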
#4
don77 (Malware Expert, Retired Staff, 18,526 posts)
OK John, let's do a few things here please.

Open up Ad-aware and check for updates; current definitions should be 7-7-05.
Close out Ad-aware.

Please download CCleaner and install. Close out the program when it has completed setup (don't run it yet; we will use it later on).
  • Download CWShredder (there is a link in my signature), unzip it, and save it on the Desktop. Check it for updates.
  • Run CWShredder and be sure to click the "fix" button.

  • Please set your system to show all files; please see here if you're unsure how to do this.

  • Close all programs leaving only HijackThis running. Place a check against each of the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R3 - Default URLSearchHook is missing
    O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [odgcsu] c:\windows\system32\odgcsu.exe
    O4 - HKCU\..\Run: [MBKWBarManager] C:\Program Files\MBKWBar\TManager.exe

    Click on Fix Checked when finished and exit HijackThis.

  • Reboot into Safe Mode: please see here if you are not sure how to do this.

    Using Windows Explorer, locate the following files/folders, and delete them:

    c:\windows\system32\odgcsu.exe
    C:\Program Files\MBKWBar\ <-- Delete folder

    Exit Explorer.
  • While still in safe mode, please run CCleaner to assist in this process.
    (Setup: go to Options > Settings > uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

    * C:\Windows\Temp\
    * C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
    * C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
    * C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
    * C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
    * Empty your "Recycle Bin".

  • Run a scan with Ad-aware and have it fix all it finds.
Reboot to normal mode.

Run a scan with Active again please.

Post back a fresh HijackThis log and a fresh Active scan log and we will take another look.
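The entries don77 singles out above (IE search settings reset to about:blank, a missing URLSearchHook, toolbars with no backing file, a Run entry launching straight from system32, plus the O23 services with an unknown owner or missing binary seen in the log) are patterns a triage script can pull out of a HijackThis log automatically. The following is an added example, not part of this thread or of HijackThis itself; it runs over a constructed sample assembled from lines in the logs posted here, and its system32 check is only a review cue, since legitimate OEM tools such as igfxtray.exe live there too.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: lines in the format of the HijackThis v1.99.1 logs
# posted in this thread (the entries are copied from those logs).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [odgcsu] c:\windows\system32\odgcsu.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""


@dataclass
class Finding:
    severity: str  # "high": pattern the thread treated as hostile; "review": needs a human look
    section: str   # HijackThis section code, e.g. "O23"
    reason: str
    line: str


ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# A bare executable sitting directly in %SystemRoot%\system32 (optionally quoted).
SYSTEM32_EXE_RE = re.compile(r'^"?[a-z]:\\windows\\system32\\[^\\]+\.exe"?', re.IGNORECASE)


def triage_entry(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; None means nothing noteworthy."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body").rstrip()
    if section in ("R0", "R1") and body.endswith("= about:blank"):
        return Finding("high", section, "IE search/start setting reset to about:blank", line)
    if section == "R3" and "URLSearchHook is missing" in body:
        return Finding("high", section, "default URLSearchHook removed", line)
    if section == "O3" and body.startswith("Toolbar: (no name)") and body.endswith("(no file)"):
        return Finding("high", section, "orphaned toolbar CLSID with no backing file", line)
    if section == "O23" and ("Unknown owner" in body or body.endswith("(file missing)")):
        return Finding("high", section, "service with unknown owner or missing binary", line)
    if section == "O4":
        # Body looks like: HKLM\..\Run: [name] <command line>
        target = body.split("] ", 1)[1] if "] " in body else body
        if SYSTEM32_EXE_RE.match(target):
            return Finding("review", section, "Run entry launching straight from system32", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_entry over every line of a log, keeping only findings."""
    return [f for f in map(triage_entry, text.splitlines()) if f is not None]


def summarize(findings: List[Finding]) -> dict:
    """Count findings per severity, e.g. {'high': 4, 'review': 2}."""
    counts: dict = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section:<3} {f.reason}\n         {f.line.strip()}")
    print(summarize(results))
```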
#5
k8yse (Member, Topic Starter, 61 posts)
Hi again,

Adaware updated to 7/7/2005 definitions, originally had 6/30/2005.
Did not run the program.

Ccleaner installed but not run.

CWShredder already installed, latest update. Ran and found/fixed nothing.

Fixed problems using hijack this.

Rebooted into safe mode.

odgcsu.exe was not in the system32 folder (all files visible)
deleted the MBK folder in Program Files

Ran CCleaner and lots of files were removed. Recycle Bin was empty.

Ran adaware, found 11 problems, all fixed.

Rebooted, NAV autoprotect still not enabled. Ewido did not appear in the toolbar either.

Enabled NAV autoprotect but sometime after that, it turned off again.

Panda Activescan:


Incident Status Location

Adware:Adware/Yahoo No disinfected C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/nCase No disinfected C:\WINDOWS\System32\FLEOK
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\stwsi
Adware:Adware/KeenValue No disinfected C:\WINDOWS\System32\drivers\etc\hosts.bho
Adware:Adware/AdDestroyer No disinfected C:\Documents and Settings\Ed\Start Menu\Programs\AdDestroyer
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\System32\InnerVBInstall.log
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\satmat.ini
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\System32\fiz1
Adware:Adware/MBKWBar No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/BrilliantDigital No disinfected C:\Program Files\Kazaa\bdcore.dll
Adware:Adware/Yahoo No disinfected C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\inf\satmat.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\satmat.ini
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\fiz1
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\INNERADINSTALL.LOG
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\INNERVBINSTALL.LOG

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 6:34:42 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\RealVNC\WinVNC\WinVNC.exe
C:\Program Files\ICQ\ICQ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Internet Downloads\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.usatoday.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presari...&c=2c02&lc=0409
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://store.presari...&c=1c02&lc=0409
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\ICQ.exe -trayboot
O4 - Startup: 12Ghosts Popup-Killer.lnk = ?
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

Thanks again.

John
#6
don77 (Malware Expert, Retired Staff, 18,526 posts)
Let's try something here John (sorry for the late reply).

Please download WebRoot SpySweeper from here:
http://www.webroot.c...6d6f87b866d2848
(It's a 2 week trial)

Click the "Free Trial" link on the right - next to "SpySweeper for Home Computers".
On the next page, click the "Free Trial" button.
Download it and install it.
When you open the program, it will prompt you to update to the latest definitions.
Please do so, then click "Sweep Now"
Then click the "Start" button.
When it's done scanning, click the "Next" button.
Remove everything it finds, then save the log - copy the log and paste it here for me.
#7
k8yse (Member, Topic Starter, 61 posts)
Spysweeper Log:

********
10:04 PM: |··· Start of Session, Tuesday, July 12, 2005 ···|
10:04 PM: Spy Sweeper started
10:04 PM: Sweep initiated using definitions version 504
10:04 PM: Starting Memory Sweep
10:06 PM: Memory Sweep Complete, Elapsed Time: 00:02:03
10:06 PM: Starting Registry Sweep
10:06 PM: Found Adware: ebates money maker
10:06 PM: HKU\S-1-5-21-670770235-801667920-1850456698-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 4292165)
10:06 PM: Found Adware: drsnsrch.com hijacker
10:06 PM: HKU\S-1-5-21-670770235-801667920-1850456698-1006\software\microsoft\search assistant\ || defaultsearchurl (ID = 4294809)
10:06 PM: Found Adware: ietoolbar
10:06 PM: HKLM\software\classes\typelib\{4a7dba74-e729-4ec8-92e2-ffd83921449f}\ (9 subtraces) (ID = 4294850)
10:06 PM: HKU\S-1-5-21-670770235-801667920-1850456698-1006\software\mbkwbar\ (3 subtraces) (ID = 4294852)
10:06 PM: HKLM\software\mbkwbar\ (1 subtraces) (ID = 4294853)
10:06 PM: HKLM\software\microsoft\windows\currentversion\uninstall\microbuddy\ (3 subtraces) (ID = 4294861)
10:06 PM: HKCR\typelib\{4a7dba74-e729-4ec8-92e2-ffd83921449f}\ (9 subtraces) (ID = 4294863)
10:06 PM: Found Adware: ilookup
10:06 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/back.gif\ (2 subtraces) (ID = 4295049)
10:06 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\back.gif (ID = 4295059)
10:06 PM: Registry Sweep Complete, Elapsed Time:00:00:06
10:06 PM: Starting Cookie Sweep
10:06 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:06 PM: Starting File Sweep
10:06 PM: Found Adware: addestroyer
10:06 PM: c:\documents and settings\ed\start menu\programs\addestroyer (ID = 3993523)
10:06 PM: Found Adware: internetoptimizer
10:06 PM: c:\windows\stwsi (1 subtraces) (ID = 4010303)
10:06 PM: Found Adware: 180search assistant
10:06 PM: c:\windows\system32\fleok (1 subtraces) (ID = 4017640)
10:08 PM: inneradinstall.log (ID = 3993515)
10:08 PM: Found Adware: virtualbouncer
10:08 PM: innervbinstall.log (ID = 4031442)
10:09 PM: Found Adware: abetterinternet
10:09 PM: 00243819.exe (ID = 4032389)
10:10 PM: 00244640.exe (ID = 4032113)
10:10 PM: abiuninst.htm (ID = 4031749)
10:10 PM: 00243826.dll (ID = 4031912)
10:10 PM: Found Adware: statblaster
10:10 PM: msview.ini (ID = 4025228)
10:10 PM: Warning: Failed to read file "c:\documents and settings\ed\local settings\temp\~dfe47e.tmp". System Error. Code: 2.
The system cannot find the file specified
10:10 PM: Warning: Failed to read file "c:\documents and settings\ed\local settings\temp\~dff504.tmp". System Error. Code: 2.
The system cannot find the file specified
10:10 PM: msvini.inf (ID = 4025230)
10:10 PM: 00243831.inf (ID = 4031915)
10:10 PM: alchem.inf (ID = 4031772)
10:10 PM: Found Adware: twain-tech
10:10 PM: polmx.inf (ID = 4030416)
10:10 PM: satmat.ini (ID = 4032191)
10:10 PM: satmat.inf (ID = 4032190)
10:10 PM: File Sweep Complete, Elapsed Time: 00:04:01
10:10 PM: Full Sweep has completed. Elapsed time 00:06:14
10:10 PM: Traces Found: 54
10:53 PM: Removal process initiated
10:53 PM: Quarantining All Traces: ebates money maker
10:53 PM: Quarantining All Traces: drsnsrch.com hijacker
10:53 PM: Quarantining All Traces: ietoolbar
10:53 PM: Quarantining All Traces: ilookup
10:53 PM: Quarantining All Traces: addestroyer
10:53 PM: Quarantining All Traces: internetoptimizer
10:53 PM: Quarantining All Traces: 180search assistant
10:53 PM: Quarantining All Traces: virtualbouncer
10:53 PM: Quarantining All Traces: abetterinternet
10:53 PM: Quarantining All Traces: statblaster
10:53 PM: Quarantining All Traces: twain-tech
10:53 PM: Removal process completed. Elapsed time 00:00:08
********
10:03 PM: |··· Start of Session, Tuesday, July 12, 2005 ···|
10:03 PM: Spy Sweeper started
10:03 PM: Messenger service has been disabled.
10:04 PM: |··· End of Session, Tuesday, July 12, 2005 ···|

Ewido doesn't launch anymore. Something must have happened to it but it's almost at the end of the trial period anyway.

Thanks.

John
#8
don77 (Malware Expert, Retired Staff, 18,526 posts)
Hi John,
Go ahead and uninstall Ewido. Could you please run another scan with Active and post back what it finds?
#9
k8yse (Member, Topic Starter, 61 posts)
Ewido removed except for log and quarantine files.

Here's the Panda Activescan:


Incident Status Location

Adware:Adware/Yahoo No disinfected C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/KeenValue No disinfected C:\WINDOWS\System32\drivers\etc\hosts.bho
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\System32\fiz1
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/BrilliantDigital No disinfected C:\Program Files\Kazaa\bdcore.dll
Adware:Adware/Yahoo No disinfected C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.ini
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\fiz1

Thanks.

John
#10
don77 (Malware Expert, Retired Staff, 18,526 posts)
*Please open Notepad and save these instructions. Name it something you will remember.
*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\alchem.??? 
C:\WINDOWS\System32\fiz1 
C:\GatorPatch.log 
C:\Program Files\Kazaa\bdcore.dll 
C:\WINDOWS\alchem.ini 
C:\WINDOWS\system32\drivers\etc\hosts.bho 
C:\WINDOWS\system32\fiz1

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.


Run another scan with Active and post back the results please.
#11
k8yse (Member, Topic Starter, 61 posts)
Here's the scan:


Incident Status Location

Adware:Adware/Yahoo No disinfected C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll

Looks like we are getting better.

Norton still comes up in the non-autoprotect mode. Still can't update the defs.

Haven't tried the email yet to see if the ads keep repeating.

Thanks.

John
#12
don77 (Malware Expert, Retired Staff, 18,526 posts)
This seems odd, let's get a second opinion on this.
Please go Here.
Click the Browse button and navigate to this:
C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll

Once found, click the Submit button. It will scan, and the lower part of the page will post info in regards to the file.
Please post it back to this topic.

Is Norton giving any error messages?
#13
k8yse (Member, Topic Starter, 61 posts)
Here's the scan result:

Last file scanned at least one scanner reported something about: probably unknown NewHeur_PE in IEXPL0RER.exe, detected by:


Scanner Malware name
AntiVir X
ArcaVir X
Avast X
AVG Antivirus X
BitDefender X
ClamAV X
Dr.Web modification of BackDoor.Generic.815
F-Prot Antivirus X
Fortinet X
Kaspersky Anti-Virus Backdoor.Win32.VB.agh
NOD32 probably unknown NewHeur_PE
Norman Virus Control X
UNA X
VBA32 X

Norton will still not install the updated virus definitions although it will install client updates etc. Norton does not come up in autoprotect on bootup, but if you wait until the machine fully loads, you can activate the auto-protect and it usually stays in the autoprotect mode.

I have not tested outlook to see if it returns ad type messages in duplicate.

Thanks.

John
#14
don77 (Malware Expert, Retired Staff, 18,526 posts)
Hi John,
I'm having a tough time thinking this is infected.
Let's try another online scan: Kaspersky OnLine Scan

Regarding Norton, I'm thinking it may be a setting within the program. Sorry, I removed Norton quite some time ago, so I'm no help in that department.
#15
k8yse (Member, Topic Starter, 61 posts)
Here's what Kaspersky said about the file:


Attention!
Kaspersky Anti-Virus has detected a virus in the file you have submitted.

We suggest that you consider:

Reading about the virus/viruses in our Virus Encyclopedia

Downloading a trial version of Kaspersky Anti-Virus

Purchasing a copy of Kaspersky Anti-Virus in our E-Store

Purchasing Kaspersky Anti-Virus from a certified partner


Scanned file: ycomp5_0_2_7.dll

ycomp5_0_2_7.dll - infected by not-a-virus:AdWare.ToolBar.Yahoo


Statistics:
Known viruses: 138355 Updated: 15-07-2005
File size (Kb): 183 Virus bodies: 1
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

----------------------------------------
As far as Norton goes, I can install 2005. The current version expires in September anyway, so probably that will work.

Should I check the email to see if we still have this strange multi-message problem?

Thanks.

John