Need help with log [RESOLVED]



#1 jcrb (New Member, 7 posts)
Could someone please look at my logfile? I ran SpySweeper on my computer and it found a lot of spyware files, but when I go to delete them they come right back. I also tried deleting the exe files manually but that didn't work. I think the main problem is this cws_ns3 file but I don't know how to get rid of it for good. Any help will be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 5:20:54 PM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\netcd32.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\STUDMU~1\LOCALS~1\Temp\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {EE35146E-A15F-DDF3-38CA-8A25A2412353} - C:\WINDOWS\system32\appxb32.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [netcd32.exe] C:\WINDOWS\system32\netcd32.exe
O4 - HKLM\..\RunOnce: [mszx.exe] C:\WINDOWS\system32\mszx.exe
O4 - HKLM\..\RunOnce: [addbs.exe] C:\WINDOWS\system32\addbs.exe
O4 - HKLM\..\RunOnce: [winrk.exe] C:\WINDOWS\winrk.exe
O4 - HKLM\..\RunOnce: [crdn.exe] C:\WINDOWS\system32\crdn.exe
O4 - HKLM\..\RunOnce: [d3gs.exe] C:\WINDOWS\d3gs.exe
O4 - HKLM\..\RunOnce: [apitv32.exe] C:\WINDOWS\system32\apitv32.exe
O4 - HKLM\..\RunOnce: [atlpm.exe] C:\WINDOWS\system32\atlpm.exe
O4 - HKLM\..\RunOnce: [d3vp32.exe] C:\WINDOWS\d3vp32.exe
O4 - HKLM\..\RunOnce: [winlq32.exe] C:\WINDOWS\winlq32.exe
O4 - HKLM\..\RunOnce: [addua32.exe] C:\WINDOWS\addua32.exe
O4 - HKLM\..\RunOnce: [mfcxv.exe] C:\WINDOWS\system32\mfcxv.exe
O4 - HKLM\..\RunOnce: [javaae.exe] C:\WINDOWS\javaae.exe
O4 - HKLM\..\RunOnce: [msok32.exe] C:\WINDOWS\system32\msok32.exe
O4 - HKLM\..\RunOnce: [javasg.exe] C:\WINDOWS\javasg.exe
O4 - HKLM\..\RunOnce: [ipwq32.exe] C:\WINDOWS\system32\ipwq32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105903714519
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\ipem.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi jcrb and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

1. If you haven't logged in go to Geeks to Go and do so. Then proceed to item a.

If you already have logged in, go directly to item a.

a. Click on My Controls at the top right hand corner of the window.
b. In the left hand column, click "View Topics"
c. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
Where it says "unsubscribe", click the pull-down menu and select "immediate email notification".

3. Please DELETE your current HJT program from its present location.

4. Download and run the following HijackThis autoinstall program from Here. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

A. Close ALL windows except HJT

B. SCAN with HJT and SAVE LOG. (A Notepad window will open with the log in it when you click Save Log.) (Ctrl-A to 'select all', Ctrl-C to 'copy')

C. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER


Regards,

Trevuren


#3 jcrb (Topic Starter, New Member, 7 posts)
Logfile of HijackThis v1.99.1
Scan saved at 9:29:20 PM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\netcd32.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {EE35146E-A15F-DDF3-38CA-8A25A2412353} - C:\WINDOWS\system32\appxb32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [netcd32.exe] C:\WINDOWS\system32\netcd32.exe
O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
O4 - HKLM\..\RunOnce: [mszx.exe] C:\WINDOWS\system32\mszx.exe
O4 - HKLM\..\RunOnce: [winrk.exe] C:\WINDOWS\winrk.exe
O4 - HKLM\..\RunOnce: [netat32.exe] C:\WINDOWS\netat32.exe
O4 - HKLM\..\RunOnce: [crnx32.exe] C:\WINDOWS\crnx32.exe
O4 - HKLM\..\RunOnce: [d3un32.exe] C:\WINDOWS\d3un32.exe
O4 - HKLM\..\RunOnce: [ntxy.exe] C:\WINDOWS\ntxy.exe
O4 - HKLM\..\RunOnce: [appcx.exe] C:\WINDOWS\system32\appcx.exe
O4 - HKLM\..\RunOnce: [atlfw32.exe] C:\WINDOWS\atlfw32.exe
O4 - HKLM\..\RunOnce: [mfcld32.exe] C:\WINDOWS\system32\mfcld32.exe
O4 - HKLM\..\RunOnce: [d3tq.exe] C:\WINDOWS\system32\d3tq.exe
O4 - HKLM\..\RunOnce: [msyp.exe] C:\WINDOWS\msyp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105903714519
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\ipem.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Program Files\GhostSurf 2005\DeleteSvc.exe

#4 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Step#1:Getting Ready

Please save these instructions to WordPad so that you have them accessible while following the steps (the reason WordPad was chosen is that Notepad is sometimes deleted by this variant). You also may want to print out these directions as the Internet will not be available.

After downloading the tools, you must disconnect from the internet totally, because staying connected while fixing will prevent the fix from working. Also please keep Internet Explorer and Outlook Express closed throughout as opening either will reinstall the infection.

To replace Internet Explorer to use during this fix, please use Internet Explorer once to download and install FireFox, to be used as your alternate browser throughout this fix.

Close Outlook Express and Internet Explorer for the duration of this fix

Read through all the instructions so that you can ask any questions now, before you disconnect from the Internet.

Please start by downloading the tools you will need to clean this infection with FireFox. If you have a problem or question with any please continue to follow the list step by step to the end and ask the questions when you are asked to reply. Just be sure to let us know what the problem was when you finally reply.


Step#2:Show All Hidden Files Very Important

Please download and open the following zip file. Double-click on the file inside the zip and when it asks you if you would like to merge the file into your registry, please answer yes. This will make sure all files are visible on your computer.
http://www.davehigha...ds/xphidden.zip


Step#3:Download CWShredder Do Not Use Yet

1. Please Download the most recent version of CWShredder, from CWSInstall.exe

2. Check for Updates but please Do NOT use it yet



Step#4:Download About Buster Do Not Use Yet

1. Please download About:Buster from here: http://www.malwareby...boutBuster5.zip.

2. Once it is downloaded extract it to c:\aboutbuster.

3. Check to make sure it is up-to-date. Please Do NOT use it yet



Step#5:Download Registrar Lite Do Not Use Yet

Another program to download is Registrar Lite for use later: Please download Registrar Lite and install it to C:\Program Files\RegLite\ . This is a registry editor that is very easy to use. Caution should be exercised when editing the registry as it is very easy to render a Computer unbootable by deleting the wrong key



Step#6:Download Ewido Security Suite Only For Windows 2000 and XP Do Not Use Yet
  • Download and install Ewido security suite
  • Right Click on the E icon in your taskbar and open Ewido Security Suite then click update to get the most recent definitions for it to use.
  • When it prompts you to update, click the OK button.
  • download the updates and when they are finished installing, close the window
  • Please Do Not Use It Yet
Step#6:Download A Registry File to Remove Registry Entries Do Not Use Yet
  • Please download the following zip file to your desktop:
    HSfix
  • Double Click on HSfix.zip and it will unzip to a new folder it makes on your desktop, called HSfix
  • Do Not Use It Yet
Please disconnect from the Internet




Step#7:Disable The Bad Service ** Very Important!!**
  • Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE
  • Click on start > control panel > administrative programs > services. Look for a service called Service: Network Security Service ( 11F#`I). Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.
Step#8:Stop The Running Processes

Press control-alt-delete to get into the task manager and end the following processes if they exist:

C:\WINDOWS\system32\netcd32.exe

Step#9:Use HijackThis to Delete About Blank Bad Files

I now need you to delete the following files/folders (with their content):

C:\WINDOWS\system32\netcd32.exe
C:\WINDOWS\system32\sjmsx.dll
C:\WINDOWS\SYSTEM\blank.htm
C:\WINDOWS\system32\appxb32.dll
C:\WINDOWS\system32\mszx.exe
C:\WINDOWS\winrk.exe
C:\WINDOWS\netat32.exe
C:\WINDOWS\crnx32.exe
C:\WINDOWS\d3un32.exe
C:\WINDOWS\ntxy.exe
C:\WINDOWS\system32\appcx.exe
C:\WINDOWS\atlfw32.exe
C:\WINDOWS\system32\mfcld32.exe
C:\WINDOWS\system32\d3tq.exe
C:\WINDOWS\msyp.exe
C:\WINDOWS\ipem.exe


If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.



Step#10:Cleaning With HijackThis

Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and click 'fix checked' button when ready (some may be gone after uninstalling some programs):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {EE35146E-A15F-DDF3-38CA-8A25A2412353} - C:\WINDOWS\system32\appxb32.dll
O4 - HKLM\..\Run: [netcd32.exe] C:\WINDOWS\system32\netcd32.exe
O4 - HKLM\..\RunOnce: [mszx.exe] C:\WINDOWS\system32\mszx.exe
O4 - HKLM\..\RunOnce: [winrk.exe] C:\WINDOWS\winrk.exe
O4 - HKLM\..\RunOnce: [netat32.exe] C:\WINDOWS\netat32.exe
O4 - HKLM\..\RunOnce: [crnx32.exe] C:\WINDOWS\crnx32.exe
O4 - HKLM\..\RunOnce: [d3un32.exe] C:\WINDOWS\d3un32.exe
O4 - HKLM\..\RunOnce: [ntxy.exe] C:\WINDOWS\ntxy.exe
O4 - HKLM\..\RunOnce: [appcx.exe] C:\WINDOWS\system32\appcx.exe
O4 - HKLM\..\RunOnce: [atlfw32.exe] C:\WINDOWS\atlfw32.exe
O4 - HKLM\..\RunOnce: [mfcld32.exe] C:\WINDOWS\system32\mfcld32.exe
O4 - HKLM\..\RunOnce: [d3tq.exe] C:\WINDOWS\system32\d3tq.exe
O4 - HKLM\..\RunOnce: [msyp.exe] C:\WINDOWS\msyp.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\ipem.exe (file missing)


click "fix checked" and EXIT HJT.


Step#11: Backup The Registry

In the next step we are going to remove a service that gets installed by this malware.

1. Open Registrar Lite and run it.

2. Copy and paste the bold text below into the address bar of Registrar Lite: (this is making a Registry backup for safety in case of error)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\

Go to File > Export and save as (in the C:\Program Files\Registrar Lite (Reglite) folder):

1.) Winkey.reg (Save as type: regedit4 .reg type)
2.) Winkey.hiv (Save as type: scroll to select regedt32/WinAPI *.hiv *.dat files)

Step#12: Use the HSfix.reg file
  • Navigate to the HSfix folder on your Desktop
  • Then double-click on the HSfix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.
  • if you have a popup from any of your protection programs asking if you want to make a change to the registry, say Yes or Accept it
Step#13:Fixing With CWShredder
  • CLOSE ALL WINDOWS except CWShredder
  • Run the program by clicking 'fix' and letting it fix all CWS remnants.
Step#14:Fixing With About Buster

This is the step where we will use About:Buster that you had downloaded previously.
  • Navigate to the c:\aboutbuster directory
  • double-click on aboutbuster.exe
  • When the tool opens press the OK button, then Start button, then the OK button
  • then finally the Yes button. It will start scanning your computer for files.
  • If it asks if you would like to do a second pass, allow it to do so.
  • Post the log file in your next reply
Step#15:Scan With Ewido Security Suite
  • Run Ewido again:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
  • Post the report in your next post here.
Reboot your computer back to normal mode



Step#16:Scan and Post a New HJT log with other logs
  • Scan again with HijackThis. We still have a few steps to complete but a log file at this time would be helpful.
Reconnect To The Internet
  • Post your logs from About Buster, Ewido Security Suite and your HijackThis log here in this thread with any questions or problems that you have run into.
  • There are still some steps that are necessary to clear out all of the malware. There will be necessary files that it has deleted that will need to be replaced.
Regards,

Trevuren

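The log in #1 and the fix in #4 follow one pattern that a helper reads off a HijackThis log by hand: the R0/R1 search and start pages are served from a DLL resource (res://...\sjmsx.dll), Local Page points at a planted C:\WINDOWS\SYSTEM\blank.htm, a BHO with no real friendly name sits in system32, a run of HKLM Run/RunOnce entries whose names equal their random file names point into C:\WINDOWS and system32, and a service with an unknown owner and a garbled name references a missing C:\WINDOWS\ipem.exe. As an added example (my own code, not from the thread and not part of HijackThis or any tool it names), the Python below parses those R, O2, O4 and O23 lines, flags entries that match that pattern using heuristics of my own, and prints the result in the order the fix above is carried out: service to disable, processes to end, entries to fix, files to delete. The sample log is a constructed subset of the one posted in #1 plus one legitimate XP autorun (ctfmon.exe) to show why an allowlist is needed; the service's garbled short name is copied as the forum rendered it (control characters were probably lost), and the allowlist is an assumption to extend per machine.

```python
"""Triage a HijackThis 1.99 log for the about:blank / CWS persistence pattern
and turn the hits into a fix plan. Added example; not code from the thread
and not part of HijackThis. Heuristics are mine and need a human check."""
import ntpath
import re

# Constructed sample: a subset of the log posted in #1, plus one legitimate
# XP autorun (ctfmon.exe) to show why an allowlist is needed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\sjmsx.dll/sp.html#24098
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {EE35146E-A15F-DDF3-38CA-8A25A2412353} - C:\WINDOWS\system32\appxb32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [netcd32.exe] C:\WINDOWS\system32\netcd32.exe
O4 - HKLM\..\RunOnce: [mszx.exe] C:\WINDOWS\system32\mszx.exe
O4 - HKLM\..\RunOnce: [winrk.exe] C:\WINDOWS\winrk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Network Security Service ( 11F#`I) - Unknown owner - C:\WINDOWS\ipem.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

WINDIR = r"C:\WINDOWS"
# Where this variant drops its randomly named .exe/.dll files.
DROP_DIRS = {WINDIR.lower(), ntpath.join(WINDIR, "system32").lower()}
# Legitimate XP autoruns that also sit in system32 under their own file name
# (assumption: extend this for the build you are looking at).
KNOWN_GOOD = {"ctfmon.exe"}
# Short random-looking basenames such as mszx.exe, winrk.exe, netcd32.exe.
RANDOM_EXE = re.compile(r"^[a-z0-9]{3,7}\.exe$")

R_LINE = re.compile(r"^R[0-3] - (.+?) = (.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
O4_LINE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run\w*: \[(.+?)\] (.*)$")
O23_LINE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")


def exe_path(command):
    """Strip quotes and arguments from an O4 command line, keep the .exe path."""
    m = re.match(r'^"?(.+?\.exe)', command.strip(), re.IGNORECASE)
    return m.group(1) if m else command.strip()


def in_drop_dir(path):
    return ntpath.dirname(path).lower() in DROP_DIRS


def triage(log_text):
    """Return {'fix': HJT lines to fix, 'delete': files, 'kill': processes, 'disable': services}."""
    plan = {"fix": [], "delete": [], "kill": [], "disable": []}

    def hit(line, delete=None, kill=None, disable=None):
        plan["fix"].append(line)
        for key, item in (("delete", delete), ("kill", kill), ("disable", disable)):
            if item and item not in plan[key]:
                plan[key].append(item)

    for line in (ln.strip() for ln in log_text.splitlines() if ln.strip()):
        if m := R_LINE.match(line):
            value = m.group(2)
            # A search/start page served out of a DLL resource is the hijack itself.
            if res := re.match(r"^res://(.+?\.dll)", value, re.IGNORECASE):
                hit(line, delete=res.group(1))
            # The variant points Local Page at C:\WINDOWS\SYSTEM\blank.htm; the
            # stock file lives under system32, so anything in \SYSTEM\ is planted.
            elif ntpath.dirname(value).lower() == ntpath.join(WINDIR, "SYSTEM").lower():
                hit(line, delete=value)
        elif line.startswith("R3 - ") and line.endswith("is missing"):
            hit(line)  # fixing this in HJT restores the default URLSearchHook
        elif m := O2_LINE.match(line):
            name, dll = m.groups()
            # BHO with no real friendly name, loaded from the Windows directory.
            if name in ("Class", "(no name)") and in_drop_dir(dll):
                hit(line, delete=dll)
        elif m := O4_LINE.match(line):
            name, cmd = m.groups()
            path = exe_path(cmd)
            base = ntpath.basename(path).lower()
            # Entry name equals the file name, file sits in WINDOWS or system32,
            # and the name looks random: the dropper's Run/RunOnce signature.
            if (name.lower() == base and in_drop_dir(path)
                    and RANDOM_EXE.match(base) and base not in KNOWN_GOOD):
                hit(line, delete=path, kill=path)
        elif m := O23_LINE.match(line):
            name, owner, rest = m.groups()
            missing = rest.endswith("(file missing)")
            path = rest.replace(" (file missing)", "")
            # Unowned service whose binary is missing or planted in the Windows root.
            if owner == "Unknown owner" and (missing or in_drop_dir(path)):
                display = re.sub(r"\s*\([^()]*\)\s*$", "", name)  # drop "(short name)"
                hit(line, delete=path, disable=display)
    return plan


def render(plan):
    """Lay the plan out in the order the fix is done: stop, end, fix, delete."""
    sections = [("Services to stop and disable (services.msc):", plan["disable"]),
                ("Processes to end (Task Manager):", plan["kill"]),
                ("HijackThis entries to fix checked:", plan["fix"]),
                ("Files to delete in Safe Mode with hidden files shown:", plan["delete"])]
    return "\n".join(f"{title}\n" + "".join(f"  {x}\n" for x in items) for title, items in sections)


if __name__ == "__main__":
    print(render(triage(SAMPLE_LOG)))
```

Running it prints the plan; the lists come back from triage() so the same heuristics can be run over a second log taken after the reboot and the two compared, which is how freshly renamed RunOnce entries (the variant reuses the same directories with new random names) show up without reading the log line by line again.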

#5 jcrb (Topic Starter, New Member, 7 posts)
Logfile of HijackThis v1.99.1
Scan saved at 2:35:59 AM, on 7/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\RunOnce: [iemz32.exe] C:\WINDOWS\iemz32.exe
O4 - HKLM\..\RunOnce: [cric32.exe] C:\WINDOWS\system32\cric32.exe
O4 - HKLM\..\RunOnce: [apish.exe] C:\WINDOWS\system32\apish.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105903714519
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Program Files\GhostSurf 2005\DeleteSvc.exe


AboutBuster 5.0 reference file 28
Scan started on [7/10/2005] at [1:46:27 AM]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
Removed File! : C:\Windows\dzoem.dat
Removed File! : C:\Windows\cbquvj.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:47:36 AM

AboutBuster 5.0 reference file 28
Scan started on [7/10/2005] at [1:48:20 AM]
------------------------------------------------
Streams(ADS) not scanned: System not NTFS
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:49:24 AM
---------------------------------------------------------


ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 2:33:08 AM, 7/10/2005
+ Report-Checksum: 2B822B86

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{10D837D7-D6EA-8BCE-37FB-E58A2E09397B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{38D4E2FB-BB30-60CB-0D77-12064B5A0EE4} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4095AAF5-BAD2-A97D-D64C-566A52E35C2E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7904D3DD-22E5-C0C1-0648-E66A3897E380} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{826D0369-102B-4A44-F27B-D9DCC50A8EE6} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{841CB982-C366-4290-3F00-95A1A5F3C340} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BCA18F7D-4CAB-D300-286E-432722FFB0FB} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DA826568-8230-C8BC-199C-3E738A0E5A48} -> Spyware.CoolWebSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipoh32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apitv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apizl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntuv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipeu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mseo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\iegt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\syszg32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mseq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winso.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appxu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntae.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netwg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysqb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlnm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netqr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netig32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mssk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\javahb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysld.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlfy32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mshn32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\applh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlln.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\nettg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\addbs.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winqm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysda32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntaq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winpl32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\iehp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipkx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crae.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysei32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3nj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mstf32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfccm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crlm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netkc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlih.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipyw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\javawe32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msqz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipkq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crdn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlpm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdknn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\syscc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apptk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcxv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msok32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipwq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\addpj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apiul32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netcr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apima32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysxb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\javakd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winwd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appci32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3vz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlqk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winfz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netdu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apiev32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcsr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysxo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msvj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipmq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ieaf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\javafh32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apptm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apihf32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mspf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcyl32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netep32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\javacl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ievl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntml32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysba.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkuz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appnp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\iplk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipin.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\msxk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crbm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netgw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\addfm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlnc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ntrw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appqj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winng32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crns32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcty.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlcf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\iebu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apifm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3od32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkgj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlbm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ipxi.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crqj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\netpw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winua32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\iepp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appow.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appln.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\javalf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mszp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\syssq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atllp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\iepb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3zc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3fy32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcof.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\adduk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appua.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkgi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3wp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winat32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ieju.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\syspr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\ieef32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\javawm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\applr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apiby.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\cric32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crhk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\wingz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlwp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\addrs.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\d3qi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\winjh32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\addcs32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appci.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\iegm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apivr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkoq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\crhj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\iemn32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atlqh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfcyn32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sdkwt32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\addwb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\mfccj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apish.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\apiwm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\appuk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\sysdk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\SYSTEM32\atljk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\dvgtee.txt -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addmv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\vwyhgo.txt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkzu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntuq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3kp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javacn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appro.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlck.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlaa32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apiam.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netyh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iepc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcmo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atliy32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntgo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlcu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crru32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netzi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appsf32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addut32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crxo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addjx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcta.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ieew.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crak32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3lf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\applz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winrv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crfd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apidn32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msup.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netsg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msvk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apied.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apihv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntaw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3zj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3hk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcwm.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkxr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfccb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appua.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javasb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msqi32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appar32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addjh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntsi.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appmt32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntqc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3gs.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winko32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3vp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winlq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addua32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javaae.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javasg.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3ia.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winhw32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysxr.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntwq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\syskn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkee32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcja32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apijo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipib.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlbh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crnk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcsu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winfe32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipdp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apism32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msgl32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipdk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntaa32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntts32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcga32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addvr32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netlf32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javarc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\syssz.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apiyc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netbz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crmq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msdb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iedj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addut.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apimm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysso.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winxc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iphj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apizp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javacb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msna32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\syshl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipvq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javalx.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdklu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msbb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crxn.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apiwd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addca.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iemz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipmh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlql.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\windt.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msti.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkdb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ieaq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javafc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysjm32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javaqk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crho32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javawb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javahb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apimx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netmv.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkfx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlnk32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ierg32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcms32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\adduc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipek32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\d3hw.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sdkzv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ipou.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLED\Dc1.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\RECYCLED\Dc2.dll -> Spyware.SearchPage : Cleaned with backup
C:\RECYCLED\Dc3.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\RECYCLED\Dc4.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLED\Dc5.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLED\Dc6.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLED\Dc7.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLED\Dc8.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLED\Dc9.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLED\Dc10.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLED\Dc11.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLED\Dc12.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLED\Dc13.exe -> Trojan.Agent.bi : Cleaned with backup
C:\RECYCLED\Dc14.exe -> Trojan.Agent.bi : Cleaned with backup
C:\Program Files\Common Files\Verizon Online\SFP\vzbb.dll -> Spyware.MegaSearch : Cleaned with backup
C:\Program Files\AlertSpy\SpyWares\spydb.exe -> Spyware.AlexaBar : Cleaned with backup
C:\Program Files\AlertSpy\uninst.exe -> Spyware.AlexaBar : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP143\A0023911.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP143\A0023995.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP143\A0023996.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP143\A0023997.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP143\A0023998.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP143\A0023999.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP143\A0024264.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP143\A0024317.dll -> Spyware.SearchPage : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP143\A0024319.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP143\A0024320.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP143\A0024321.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP143\A0024322.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP145\A0025213.exe -> Spyware.AlexaBar : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP145\A0025389.exe -> Trojan.Agent.bi : Cleaned with backup
C:\System Volume Information\_restore{92062290-271F-4F43-8824-DF7FB49276CF}\RP145\A0025439.exe -> Trojan.Agent.bi : Cleaned with backup

::Report End
  • 0

#6
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
WOW, did that ever clear the tracks !!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

First we need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view (tab)
*choose to "show hidden files and folders,"
*uncheck the "hide protected operating system files" and the "hide extensions for known file types" boxes.
*Close the window with ok
*All hidden files will now be visible

Please RUN HijackThis.
*Click the SCAN button to produce a log.

Place a check mark beside each one of the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\RunOnce: [iemz32.exe] C:\WINDOWS\iemz32.exe
O4 - HKLM\..\RunOnce: [cric32.exe] C:\WINDOWS\system32\cric32.exe
O4 - HKLM\..\RunOnce: [apish.exe] C:\WINDOWS\system32\apish.exe


Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*As soon as the BIOS is loaded, begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe Mode menu item.
*Press Enter.


Using Windows Explorer, locate the following files, and DELETE them (if they are present):

C:\WINDOWS\iemz32.exe
C:\WINDOWS\system32\cric32.exe
C:\WINDOWS\system32\apish.exe

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN HijackThis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.

Regards,

Trevuren

  • 0
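The fix above ends with "post a new HJT log so we can check". As an added example (not from this thread and not HijackThis's own code), here is a Python script that parses HJT-style entry lines, diffs the log posted before the fix against the one posted after, and flags O4 autostart entries whose file names follow the pattern seen in the ewido report above. The two embedded logs are constructed excerpts of this thread's logs, and the dropper-name regex is a heuristic derived from those names, not a published signature.

```python
"""Diff two HijackThis logs and flag autostart entries that look like the
random-named droppers in this thread. Added example, not from the thread."""
import re
from pathlib import PureWindowsPath

# One HJT entry line: a section code (R0, O4, O23, ...) then " - " then the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 body: "<hive\..\Run or RunOnce>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Heuristic built from the file names in the ewido report: a short
# system-looking prefix, two random letters, optional "32", ".exe".
DROPPER_NAME_RE = re.compile(
    r"^(api|app|atl|add|cr|d3|ie|ip|java|mfc|ms|net|nt|sdk|sys|win)[a-z]{2}(32)?\.exe$"
)
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}

# Constructed excerpt of the log posted before the fix.
BEFORE = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunOnce: [iemz32.exe] C:\WINDOWS\iemz32.exe
O4 - HKLM\..\RunOnce: [cric32.exe] C:\WINDOWS\system32\cric32.exe
O4 - HKLM\..\RunOnce: [apish.exe] C:\WINDOWS\system32\apish.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

# Constructed excerpt of the log posted after the fix.
AFTER = r"""Running processes:
C:\WINDOWS\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""


def parse_hjt(text):
    """Return the set of (code, body) entries in an HJT log, skipping the
    header and the 'Running processes' path list."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group("code"), m.group("body")))
    return entries


def diff_logs(before, after):
    """Entries only in the old log (removed) and only in the new one (added)."""
    old, new = parse_hjt(before), parse_hjt(after)
    return old - new, new - old


def exe_path(cmd):
    """Executable part of an O4 command line: the quoted path, or the first
    token when unquoted (drops arguments such as /Consumer or /0)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].partition('"')[0]
    return cmd.split(" ", 1)[0]


def suspicious_o4(entries):
    """O4 entries whose target sits directly in the Windows or System32 folder
    and whose file name matches DROPPER_NAME_RE. Returns (key, name, path)."""
    hits = []
    for code, body in entries:
        if code != "O4":
            continue
        m = O4_RE.match(body)
        if not m:
            continue
        p = PureWindowsPath(exe_path(m.group("cmd")))
        if str(p.parent).lower() in SYSTEM_DIRS and DROPPER_NAME_RE.match(p.name.lower()):
            hits.append((m.group("key"), m.group("name"), str(p)))
    return sorted(hits)


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("Entries gone after the fix:")
    for code, body in sorted(removed):
        print(f"  {code} - {body}")
    print("Entries new after the fix:")
    for code, body in sorted(added):
        print(f"  {code} - {body}")
    print("Still suspicious in the new log:", suspicious_o4(parse_hjt(AFTER)) or "none")
```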

#7
jcrb

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:18:35 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105903714519
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Program Files\GhostSurf 2005\DeleteSvc.exe
  • 0

#8
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Good Job

1. We must disable Spy Sweeper

To disable SpySweeper:

Open it, click Options over to the left, then Program Options, and uncheck "load at Windows startup".
Over to the left, click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".

2. Run HJT, click SCAN and place a checkmark beside the following items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing

With all windows closed, please click Fix checked and EXIT the program.

3. REBOOT into Safe Mode

4. Using Windows Explorer, locate and DELETE the following file:

C:\WINDOWS\SYSTEM\blank.htm

5. REBOOT back into Normal Mode.

6. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

#9
jcrb

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:30:40 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
C:\Program Files\Verizon Online\bin\mpbtn.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dslstart.verizon.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1105903714519
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Program Files\GhostSurf 2005\DeleteSvc.exe
  • 0

#10
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please check to see if you are using a Proxy Server

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212

This probably is due to GhostSurf.

Trevuren
  • 0
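The two replies above ask the poster about specific HijackThis entries: the R0 Local Page and the missing R3 URLSearchHook in post #8, and the R1 ProxyServer line here. The following is an added example, not code from the thread, from HijackThis, or from Geeks to Go, that parses HijackThis-style item lines and flags those same kinds of entries the way a log helper reads them. The sample excerpt is constructed from lines in the log posted above; the `Finding` class, the function names, the "reason" wording, and the assumption that the stock XP Local Page lives at `%SystemRoot%\system32\blank.htm` are this example's own.

```python
"""Review HijackThis-style log lines the way a log helper does.

Added example: this is not code from the thread, from HijackThis, or from
Geeks to Go.  The sample below is a constructed excerpt using lines from
the log posted in this thread; the "reason" text is this example's own.
"""
import re
from dataclasses import dataclass

# One HijackThis item line: a section code (R0, R1, R3, O2, O4, O23, ...),
# then " - ", then the entry body.  Header and running-process lines
# do not match and are ignored.
ITEM_RE = re.compile(r"^(?P<section>[RFNO]\d+)\s+-\s+(?P<body>.+)$")

# Constructed excerpt (a handful of lines from the posted log, not a full log).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
Running processes:
C:\\WINDOWS\\System32\\smss.exe

R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Local Page = C:\\WINDOWS\\SYSTEM\\blank.htm
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 127.0.0.1:7212
R3 - Default URLSearchHook is missing
O4 - HKLM\\..\\Run: [SystemTray] SysTray.Exe
O4 - HKCU\\..\\Run: [SpySweeper] "C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeper.exe" /0
O23 - Service: ewido security suite guard - ewido networks - C:\\Program Files\\ewido\\security suite\\ewidoguard.exe
"""


@dataclass(frozen=True)
class Finding:
    section: str
    body: str
    reason: str


def parse_items(log_text):
    """Return (section, body) pairs for every item line in the log."""
    items = []
    for raw in log_text.splitlines():
        match = ITEM_RE.match(raw.strip())
        if match:
            items.append((match.group("section"), match.group("body")))
    return items


def review_items(items):
    """Flag the entries a reviewer would ask the poster about first."""
    findings = []
    for section, body in items:
        if section == "R1" and "ProxyServer" in body:
            value = body.split("=", 1)[1].strip()
            host = value.rsplit(":", 1)[0]
            if host in ("127.0.0.1", "localhost"):
                # A loopback proxy is usually a locally installed filtering or
                # privacy program (GhostSurf in this thread); ask which program
                # owns the port before touching the entry.
                reason = "loopback proxy; confirm which installed program owns it"
            else:
                reason = "proxy points at another host; all IE traffic is routed through it"
            findings.append(Finding(section, body, reason))
        elif section == "R3" and "URLSearchHook is missing" in body:
            findings.append(Finding(section, body,
                                    "default URLSearchHook missing; 'Fix checked' restores it"))
        elif section.startswith("R") and "Local Page" in body:
            path = body.split("=", 1)[1].strip().lower()
            # Assumption of this example: the stock XP Local Page lives at
            # %SystemRoot%\system32\blank.htm, so any other path deserves a look.
            if not path.endswith("\\system32\\blank.htm"):
                findings.append(Finding(section, body,
                                        "Local Page is not the stock blank.htm location"))
        elif section == "O4" and "]" in body:
            target = body.split("]", 1)[1].strip()
            # A bare file name with no drive letter or quotes is resolved through
            # the search path at logon, so the reviewer cannot tell which file runs.
            if target and not (target.startswith('"') or re.match(r"^[A-Za-z]:\\", target)):
                findings.append(Finding(section, body,
                                        "Run entry has no full path; locate the file on disk"))
    return findings


def review_log(log_text):
    """Convenience wrapper: parse and review in one call."""
    return review_items(parse_items(log_text))


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.body}")
```

Run against the sample it reports four entries: the Local Page, the loopback proxy, the missing URLSearchHook and the `SysTray.Exe` Run entry that carries no path; the quoted SpySweeper entry and the ewido service pass. A proxy whose host is not loopback gets a stronger reason, since that is the case where someone else's machine sits in the browsing path.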

#11
jcrb

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Yes I am
  • 0

#12
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Reset and re-enable your System Restore to remove bad files from the backup that Windows makes, as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE
1. Right-click "My Computer", and then left click "Properties".
2. Left click on "System Restore Tab"
3. Check box beside "Turn Off System Restore"
4. Left click on "Apply"

TO ENABLE SYSTEM RESTORE
1. Remove check mark from "Turn Off System Restore"
2. Click on "Apply"

2. Clean up the leftovers. Download CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

3. Finally, re-hide your System Files and Folders to prevent any future accidents.

Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.

I strongly recommend installing the following applications:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
  • Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
  • Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

  • 0
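The MVPS Hosts file recommended above works because every listed site is mapped to 127.0.0.1, so the browser never reaches it. The same file is also a place hijackers edit, pointing a real site at an address of their choosing, which is why it is worth auditing after a cleanup. The following is an added example, not code from the thread or from the MVPS project: it parses a HOSTS file in that layout, counts the names that are sinkholed, and reports any name mapped to an address that is not a sinkhole. The `SINKHOLES` set, the function names and the sample file content are constructed for this example.

```python
"""Audit a HOSTS file laid out the way the MVPS file is.

Added example, not code from the thread or from the MVPS project.  A
blocking HOSTS file works because every listed site maps to a sinkhole
address (127.0.0.1 or 0.0.0.0); the same file can be abused to send a
real site (an update server, say) to some other address instead, so
the audit reports any name that is not mapped to a sinkhole.  The sample
content is constructed for this example.
"""
import ipaddress

# Addresses that make a hostname unreachable rather than redirecting it.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1"}

SAMPLE_HOSTS = """\
# constructed sample in the MVPS layout: address, then one or more names
127.0.0.1   localhost
127.0.0.1   ads.example.net        # blocked ad server
0.0.0.0     tracker.example.org pixel.example.org
198.51.100.7 update.antivirus.example.com   # not a sinkhole: suspicious
this line is not a hosts entry
"""


def parse_hosts(text):
    """Return (address, hostname, line_number) triples.

    Comments, blank lines, tabs, several names per line and malformed
    lines are all tolerated, as they are by the resolver itself.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: ignore the line
        for name in fields[1:]:
            entries.append((str(address), name.lower(), line_no))
    return entries


def audit_hosts(text, local_names=("localhost",)):
    """Return (blocked_count, suspicious).

    blocked_count counts names sent to a sinkhole (the file's purpose);
    suspicious lists (name, address, line) for names sent anywhere else.
    """
    blocked = 0
    suspicious = []
    for address, name, line_no in parse_hosts(text):
        if address in SINKHOLES:
            if name not in local_names:
                blocked += 1
        else:
            suspicious.append((name, address, line_no))
    return blocked, suspicious


if __name__ == "__main__":
    count, bad = audit_hosts(SAMPLE_HOSTS)
    print(f"{count} names sinkholed")
    for name, address, line_no in bad:
        print(f"line {line_no}: {name} -> {address} (not a sinkhole)")
```

On a real machine the file to feed in is `%SystemRoot%\system32\drivers\etc\hosts`; a clean MVPS install produces an empty suspicious list, and anything in that list is a redirect somebody added on purpose.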

#13
jcrb

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Thank you for all your help. I really appreciate it.
  • 0

#14
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
My pleasure to have had the chance to help

Trevuren
  • 0

#15
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0





