[andyy]

I've completed step 1 and step 2.
However, when I go into Control Panel>Network Connections while in safe mode, there is nothing there, no icons at all. When I reboot to normal mode the icons are there, but when I reboot back into safe mode, they are still not there.

Should I complete step 3 in normal mode? If so, should I then go back into Safe Mode for step 4?

Thanks,
-Andy

[Advertisements]

Should I complete step 3 in normal mode?

Yes

[Excal]

Should I complete step 3 in normal mode?

Yes

[andyy]

OK here we go...

This HJT log was just created after getting online to send this post. As you can see an 017 came back. In step 4 of your instructions I found no 017 to fix. I looked in safe and normal mode. I'm feeling hopeful, let me know what all this means!?!?!

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:40:34 PM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Andy's Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O8 - Extra context menu item: &Copy Location - C:\WINDOWS\WEB\graburl.htm
O9 - Extra button: (no name) - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to R&estricted Zone - {B06300D0-CCDE-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: (no name) - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra 'Tools' menuitem: Add to Tr&usted Zone - {BF80219A-CCDD-11d2-92D3-0000F87A4A55} - C:\WINDOWS\System32\webzone.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Offline - {FC09D8A3-C85A-11d2-92D0-0000F87A4A55} - C:\WINDOWS\System32\oline.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.micro...eb/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{94DA7127-4609-4910-A5C0-09F2371F7E95}: NameServer = 206.141.192.60 206.141.193.55
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

here's the Ewido scan log. It cleaned 34 infected objects, some of which were ones that Norton was unable to get rid of.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:26:19 PM, 7/25/2005
+ Report-Checksum: E0094DAD

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{EE6AE627-8F18-4986-BEAD-52073EDFC776} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\XParam.XParamObj -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\XParam.XParamObj\CLSID -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\XParam.XParamObj\CurVer -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/istactivex.dll -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-2000478354-507921405-1060284298-1004\Software\WareOut -> TrojanDownloader.Wareout : Cleaned with backup
HKU\S-1-5-21-2000478354-507921405-1060284298-1004\Software\WareOut\Options -> TrojanDownloader.Wareout : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx -> Spyware.MediaTickets : Cleaned with backup
C:\eied_s7.cab/eied_s7_c_29.exe -> TrojanDownloader.Mediket.ae : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP116\A0026343.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP116\A0026344.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0027878.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0027879.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0027881.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0027882.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028555.exe -> TrojanDropper.Vidro.p : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028556.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028557.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028558.dll -> Spyware.Zbar : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028559.dll -> TrojanSpy.Agent.am : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028560.dll -> Spyware.SBSoft : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028572.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028573.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028574.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028575.dll -> TrojanDownloader.Agent.pi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028576.dll -> TrojanDownloader.Small.bdh : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028577.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028578.dll -> Spyware.SBSoft : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028579.dll -> Spyware.Banex : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP117\A0028582.exe -> TrojanDownloader.IstBar.gi : Cleaned with backup
C:\System Volume Information\_restore{80751F23-9ECB-4B3F-9BEF-1C1D72300E32}\RP120\A0028637.dll -> Spyware.Zbar : Cleaned with backup
C:\Andy's Files\backups\backup-20050706-092156-829.dll -> Spyware.180Solutions : Cleaned with backup
C:\Andy's Files\backups\backup-20050711-114008-280.dll -> Spyware.WinAD : Cleaned with backup


::Report End


Here's the log.txt from remv3:

The batch is run from -- C:\Andy's Files\remv3 folder

Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
Volume in drive C has no label.
Volume Serial Number is 386A-10DA

Directory of C:\WINDOWS\SYSTEM32

msi.dll
Finished

[Excal]

Anddy,

Who do you have for an ISP... Please tell me sbcglobal.net.


Thanks,


Tom

[andyy]

Yes, sbcglobal.net. Why?

[Excal]

Well my friend, that O17 is legit its from sbcglobal.net.

But lets see how it goes, give it a day. otherwise we will go crazy...if it comes back



Excal

[andyy]

I will try my friend's blog site to see if I still get pop-ups. I'm going to wait til tomorrow though. I might as well go to sleep on a good note!!
-Andy

[Excal]

LMAO!! Ok, see u tommorrow.



Tom

[andyy]

I just did a Norton virus scan (Ewido keeps freezing up on me) and it found this trojan:

ied s7 c 7.exe

Norton says it can't remove the file.
I did a windows search which found 2 cab's with this name.
Should I delete these myself?

-Andy

[Excal]

Andyy,

I am not sure what that is, but I doesn't look legit. Looks like its some sort of ringtone download or something? I would delete it.



TOm

[andyy]

Oh my frickafrackafrookin god,

The computer just passed the acid test. I went to my friend's blog with no hijacks or pop-ups.

I think it was the most recent Ewido scan you had me do in Safe Mode that found the culprit. And I think it was called either Media ticket or better internet, or something. Those were two infections that Norton couldn't fix that Ewido did.

Anyway, everything looks good at this point.

Mucho thanks Tom,
-Andy

[Excal]

Anddy,

Well I chose not to get excited yet....lol.
Give it a few more days and then we will see

Did you add xtra protection? I gave u a list a while back, but I will post it again so you don't have to look for it...lol


Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

Might I suggest the following Free Spyware programs, if you don't already have them, for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, This site is a great source for tightening up security on It's settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read How I got Infected

[Excal]

Andyy,


Been a few days, everything still ok?


Thanks,



Tom

[andyy]

Hey, Thanks for checking in. Everything's still looking great. No Pop-ups. I ran another Norton scan yesterday and no thrats found. Except the lopremover that we pt on the computer. I've made all changes you recommended to increase security. The only thing I might still do is switch from Norton to something else for antivirus. Norton seems to be slowing down the computer.

Thanks,
-Andy

[Excal]

I use AVG free addition and Sygate free firewall and they work great together.

You can delete that lopremover from your computer, and anything else that we downloaded that you don't want.


Tom