SearchClick that won't go away


#1 rghall (New Member, 3 posts)

Very frustrated here, this bug just won't go away.

Symptoms: Internet Explorer not running; the application flashes a window and then goes away. When this happens, McAfee VirusScan reports the Startpage-DU.dll virus.

After a few minutes, a pop-up window appears with the following message:

"WARNING: Windows Firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.

Do you want to learn how to protect your computer?"

Also, a small icon appears on the taskbar; it's in the shape of a red shield with a small white X in the middle. Clicking on it takes me to an undisclosed website with the title "PC Protection Center".


Activities:

If I run a full virus scan, no viruses are found, but an additional number of new startup files are identified. I use Startup Inspector to clean unwanted startups. Spybot is running clean and Ad-Aware is running clean.

Searching through my Index.dat file I see references to searchclick.cc.com.

None of the 'big boys' seem to know how to get rid of this problem and restore IE. Here's what I've done after reading through a few of your message postings:

1. Run Aboutbuster
2. Run CWShredder
3. Run CleanUp!
4. Reboot and run HijackThis

Following is the dump from the latest HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 10:51:03 AM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\WINDOWS\msiv32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {B78818A4-391C-B2E4-82F9-7AF759353A1C} - C:\WINDOWS\ipdc32.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [msiv32.exe] C:\WINDOWS\msiv32.exe
O4 - HKLM\..\RunOnce: [atluc32.exe] C:\WINDOWS\system32\atluc32.exe
O4 - HKLM\..\RunOnce: [winvz32.exe] C:\WINDOWS\system32\winvz32.exe
O4 - HKLM\..\RunOnce: [netxd32.exe] C:\WINDOWS\system32\netxd32.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?307
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\winlu.exe (file missing)
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Gentlemen,

I've been fighting this bug for days now, I can't get rid of it. Please assist. Thank you ...Ray


#2 rghall (Topic Starter, New Member, 3 posts)

Correction,

Adaware does keep finding a registry key for Cool Web Search. Hope this helps ...Ray

#3 Wizard (Retired Staff, 5,661 posts)

Hi rghall and Welcome to GeekstoGo

Make sure Ad-Aware, AboutBuster and CWShredder are updated!

Download Pocket KillBox from here:
http://www.bleepingc...les/killbox.php
There is a Direct Download and a description of what the Program does inside this link.


Click Start-> Run-> Type in Services.msc and Click OK!

Scroll that list and locate this entry

Workstation NetLogon Service

Make sure the name is just as it appears above. Once located, right-click and select Properties -> click Stop -> go up and change the Startup Type to Disabled!

Exit the Services Page and Close out All other Windows and Browsers

Open up Killbox, copy and paste each of the entries below into Killbox and use the instructions that follow!

C:\WINDOWS\winlu.exe
C:\WINDOWS\msiv32.exe
C:\WINDOWS\ipdc32.dll
C:\WINDOWS\system32\atluc32.exe
C:\WINDOWS\system32\winvz32.exe
C:\WINDOWS\system32\netxd32.exe


As you enter each-> Place a Tick by any of these Selections available

"Delete on Reboot"
"Unregister .dll before Deleting"


Click the Red Circle with the White X in the Middle to Delete!

Click "Yes" to Confirm

Click "No" to Reboot

Once at the last file

Click "Yes" to Confirm

Click "Yes" to Reboot


If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.


Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to show all hidden files and folders. Here is a link to help with that:
http://www.bleepingc...showtutorial=62


Run those files through Killbox again to be sure none are left. This time place a tick by any of these selections available:

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"

Open Up About Buster and Continue to Scan with it until you get these results

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


Run CWShredder

Click "Fix ->" and click "x" at the prompt.
CWShredder will scan and clean your system of CWS files.
Click "Next->" and then "Exit"


Run Ad-Aware -> Delete all it finds -> Delete all Quarantine files -> Exit Ad-Aware

Run CleanUp!

Click on the "CleanUp" Tab and let it do its thing-> When Prompted to Log Off Click "No"

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {B78818A4-391C-B2E4-82F9-7AF759353A1C} - C:\WINDOWS\ipdc32.dll

O4 - HKLM\..\Run: [msiv32.exe] C:\WINDOWS\msiv32.exe

O4 - HKLM\..\RunOnce: [atluc32.exe] C:\WINDOWS\system32\atluc32.exe

O4 - HKLM\..\RunOnce: [winvz32.exe] C:\WINDOWS\system32\winvz32.exe

O4 - HKLM\..\RunOnce: [netxd32.exe] C:\WINDOWS\system32\netxd32.exe

O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\winlu.exe (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Restart in Normal Mode and Have the PC scanned here:
http://www.pandasoft...n_principal.htm

Save the Report it Generates!

Post back with a fresh HijackThis log and the Report from Panda!

Try not to Restart after the Panda Scan until I can have a look!
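
The entries Wizard singles out above share a pattern: autostarts, a BHO and a service whose binaries sit directly in C:\WINDOWS or C:\WINDOWS\system32 with no vendor folder, plus blanked browser start pages and a removed URLSearchHook. The script below, added here as an illustration and not part of the thread or of HijackThis itself, encodes that pattern as heuristics over a HijackThis v1.99 log and runs them on an excerpt of the first log posted above. The allowlist of benign Windows-directory autostarts and the heuristics are my own assumptions; on a real machine expect false positives (drivers and OEM tools also drop files there), so treat the output as a review queue, not a delete list.

```python
import re
from dataclasses import dataclass

# Autostarts that legitimately run from directly under %WINDIR% or
# %WINDIR%\system32 on Windows XP.  Assumed allowlist; deliberately short.
KNOWN_WINDOWS_BINARIES = {"ctfmon.exe"}

# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32 with no
# vendor sub-folder.  Every file Wizard lists for Killbox above fits this.
BARE_WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+$", re.I)

RE_R = re.compile(r"^(R[01]) - (HK\w+)\\(.*?),(.*?) =\s*(.*)$")
RE_O2 = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
RE_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
RE_O23 = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    reason: str
    path: str     # file the entry points at, "" if the entry names none
    line: str


def _program(command):
    """First token of an O4 command line, quotes removed."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0] if command else ""


def triage(log_text):
    """Return one Finding per log line that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if (m := RE_R.match(line)) and m.group(5) == "":
            findings.append(Finding(m.group(1), "browser start page blanked", "", line))
        elif line.startswith("R3 ") and "is missing" in line:
            findings.append(Finding("R3", "default URLSearchHook removed", "", line))
        elif m := RE_O2.match(line):
            name, _clsid, path = m.groups()
            if name in ("Class", "(no name)") or BARE_WINDOWS_DIR.match(path):
                findings.append(Finding("O2", "BHO with generic name or in bare Windows dir",
                                        path, line))
        elif m := RE_O4.match(line):
            _hive, key, _name, command = m.groups()
            prog = _program(command)
            base = prog.rsplit("\\", 1)[-1].lower()
            if BARE_WINDOWS_DIR.match(prog) and base not in KNOWN_WINDOWS_BINARIES:
                why = "autostart from bare Windows dir"
                if key.lower() == "runonce":
                    why += " (RunOnce: something re-creates it each boot)"
                findings.append(Finding("O4", why, prog, line))
        elif m := RE_O23.match(line):
            _display, owner, rest = m.groups()
            missing = rest.endswith("(file missing)")
            path = rest[: -len("(file missing)")].strip() if missing else rest.strip()
            if missing or (owner == "Unknown owner" and BARE_WINDOWS_DIR.match(path)):
                findings.append(Finding("O23", "service binary missing or unowned in bare Windows dir",
                                        path, line))
    return findings


def flagged_paths(log_text):
    """Sorted, lower-cased, de-duplicated list of files the findings point at."""
    return sorted({f.path.lower() for f in triage(log_text) if f.path})


# Excerpt of the first HijackThis log posted above; legitimate entries are
# left in so the heuristics can be seen leaving them alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {B78818A4-391C-B2E4-82F9-7AF759353A1C} - C:\WINDOWS\ipdc32.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [msiv32.exe] C:\WINDOWS\msiv32.exe
O4 - HKLM\..\RunOnce: [atluc32.exe] C:\WINDOWS\system32\atluc32.exe
O4 - HKLM\..\RunOnce: [winvz32.exe] C:\WINDOWS\system32\winvz32.exe
O4 - HKLM\..\RunOnce: [netxd32.exe] C:\WINDOWS\system32\netxd32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\winlu.exe (file missing)
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<5}{f.reason:<60}{f.path}")
```

On this excerpt the script flags exactly the six files Wizard sends to Killbox, the two blank start pages and the missing URLSearchHook, and leaves the McAfee, HP, NVIDIA and ctfmon entries alone. The service line is the strongest single signal: the genuine Windows XP service is displayed as "Net Logon", whereas this one carries a look-alike display name, a garbled short name, an unknown owner and a binary that is no longer on disk, which is why stopping and disabling it comes first in the cleanup order.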

#4 rghall (Topic Starter, New Member, 3 posts)

Thank you,

Disabling the Workstation NetLogon Service seemed to be the key to killing the infection. Attached are the Panda log and the HijackThis log. I will be investigating this Panda software, as it seems to be catching more than the McAfee toolset.

Please let me know if there are any other tools you recommend to help keep my system clean (and how I can send you a few $ in thanks for your quick response). I am especially interested in anti-spam software that not only stops the spam but informs the source ISP (I get hundreds of spams a day) ...Ray

----------

Logfile of HijackThis v1.99.1
Scan saved at 4:40:16 AM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\program files\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [msiv32.exe] C:\WINDOWS\msiv32.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?307
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

----------


Incident Status Location

Virus:W32/Mydoom.AI.worm Disinfected C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Backup\20050529-103850\Users\1\Front\1\M0000000273.msg[body.screply to this email (7.51 KB)]
Virus:W32/Mydoom.AI.worm Disinfected C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Users\1\Front\1\M0000000273.msg[body.screply to this email (7.51 KB)]
Virus:W32/Faribot.A.worm Disinfected C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Users\1\Front\1\M0000001890.msg[text.scr36.6 KB)]
Virus:W32/Mytob.AS.worm Disinfected C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Users\1\Front\1\M0000003367.eml[~000000.@x@][~000000.dat]
Virus:W32/Mytob.V.worm Disinfected C:\Documents and Settings\All Users\Application Data\McAfee\SpamKiller\Users\1\Front\1\M0000011206.msg[doc.scrlivery System (36.7 KB)]
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online gambling casino.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Order phentermine.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Owner\Favorites\Sites about\What is hydrocodone.url
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\fiz1
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system32\in4bdlA.dll
Virus:WM/Pesan.B Disinfected Archive 1999\Archive (inbox)\Performance appraisal for Ray Haller\rh1997jb.doc
Virus:W32/Mytob.DR.worm Disinfected Junk\*WARNING* Your Email Account Will Be Closed\email-doc.zip[email-doc.txt .pif]
Virus:W32/Mytob.DR.worm Disinfected Junk\Security measures\information.zip[information.htm .exe]
Virus:W32/Mytob.DR.worm Disinfected Junk\*WARNING* YOUR EMAIL ACCOUNT WILL BE CLOSED\vzqplzq.zip[vzqplzq.htm .exe]
Virus:W32/Mytob.DR.worm Disinfected Junk\Important Notification\email-doc.zip[email-doc.htm .pif]
Virus:W32/Mytob.DR.worm Disinfected Junk\*WARNING* Your Email Account Will Be Closed\nmqyzmm.zip[nmqyzmm.txt .pif]
Virus:W32/Mytob.DR.worm Disinfected Junk\Account Alert\email-info.zip[email-info.doc .exe]
Virus:W32/Mytob.DR.worm Disinfected Junk\Your Email Account is Suspended For Security Reasons\email-info.zip[email-info.htm .pif]
Virus:W32/Mytob.DR.worm Disinfected Junk\Important Notification\document.zip[document.doc .scr]
Virus:W32/Mytob.DR.worm Disinfected Junk\Your Email Account is Suspended For Security Reasons\info-text.zip[info-text.doc .scr]
Virus:W32/Mytob.DR.worm Disinfected Junk\*WARNING* Your Email Account Will Be Closed\email-info.zip[email-info.txt .pif]
Virus:W32/Mytob.DR.worm Disinfected Junk\*WARNING* Your Email Account Will Be Closed\email-info.zip[email-info.htm .pif]
Virus:W32/Mytob.DR.worm Disinfected Junk\Your Email Account is Suspended For Security Reasons\information.zip[information.htm .pif]
Virus:W32/Mytob.DR.worm Disinfected Junk\Account Alert\email-info.zip[email-info.txt .exe]
Virus:W32/Mytob.DR.worm Disinfected Junk\*DETECTED* Online User Violation\information.zip[information.txt .exe]
Virus:W32/Mytob.DR.worm Disinfected Junk\*DETECTED* Online User Violation\INFO.zip[INFO.htm .exe]
Virus:W32/Mytob.DR.worm Disinfected Junk\Account Alert\email-doc.zip[email-doc.txt .exe]
Virus:W32/Mytob.DR.worm Disinfected Junk\IMPORTANT NOTIFICATION\information.zip[information.txt .scr]
Virus:W32/Mytob.DR.worm Disinfected Junk\Account Alert\information.zip[information.htm .exe]
Virus:W32/Mytob.DR.worm Disinfected Junk\*DETECTED* Online User Violation\info-text.zip[info-text.doc .scr]
Virus:W32/Mytob.DR.worm Disinfected Junk\Your Email Account is Suspended For Security Reasons\email-info.zip[email-info.txt .pif]
Virus:W32/Mytob.V.worm Disinfected Junk\Undelivered Mail Returned to Sender\Mail Delivery System\doc.scr
Virus:W32/Mytob.DN.worm Disinfected Junk\hello\body.exe
Virus:W32/Mytob.DN.worm Disinfected Junk\torumxkggijv\document.exe
Virus:W32/Mytob.DN.worm Disinfected Junk\Hello\document.zip[document.pif]
Virus:W32/Mytob.DN.worm Disinfected Junk\Good day\document.zip[document.pif]
Virus:W32/Mytob.DE.worm Disinfected Junk\Your Email Account is Suspended For Security Reasons\instructions.zip[instructions.txt .scr]
Virus:W32/Mytob.DE.worm Disinfected Junk\Notice: **Last Warning**\email-info.zip[email-info.htm .pif]
Virus:W32/Mytob.DE.worm Disinfected Junk\YOUR EMAIL ACCOUNT IS SUSPENDED FOR SECURITY REASONS\email-info.zip[email-info.exe]
Virus:W32/Mytob.DE.worm Disinfected Junk\Your Email Account is Suspended For Security Reasons\instructions.pif
Virus:W32/Mytob.DE.worm Disinfected Junk\eroa\document.zip[document.txt .scr]
Virus:W32/Mytob.DE.worm Disinfected Junk\SUSPENDED ACCOUNT\account-details.zip[account-details.txt .exe]
Virus:W32/Mytob.DE.worm Disinfected Junk\Your Email Account Has been Blocked\instructions.zip[instructions.pif]
Virus:W32/Mytob.DE.worm Disinfected Junk\Your Email Account Has been Blocked\info-text.zip[info-text.doc .pif]
Virus:W32/Mytob.DE.worm Disinfected Junk\Notice:***Your email account will be suspended***\email-doc.zip[email-doc.doc .exe]
Virus:W32/Mytob.DE.worm Disinfected Junk\Notice: **Last Warning**\email-info.pif
Virus:W32/Mytob.DE.worm Disinfected Junk\SUSPENDED ACCOUNT\instructions.zip[instructions.txt .scr]
Virus:W32/Mytob.DE.worm Disinfected Junk\*WARNING* Your Email Account Will Be Closed\information.zip[information.pif]
Virus:W32/Mytob.DE.worm Disinfected Junk\Your Email Account Has been Blocked\email-info.scr
Virus:W32/Mytob.DE.worm Disinfected Junk\Your Email Account Has been Blocked\email-info.zip[email-info.doc .scr]
Virus:W32/Mytob.DE.worm Disinfected Junk\Your Email Account Has been Blocked\email-info.scr
Virus:W32/Mytob.DE.worm Disinfected Junk\Notice: **Last Warning**\ijv.zip[ijv.exe]
Virus:W32/Mytob.DE.worm Disinfected Junk\Your Email Account Has been Blocked\document.zip[document.htm .pif]
Virus:W32/Mytob.DE.worm Disinfected Junk\Notice:***Your email account will be suspended***\email-info.zip[email-info.pif]
Virus:W32/Mytob.DE.worm Disinfected Junk\Your Email Account Has been Blocked\email-info.exe
Virus:W32/Mytob.DE.worm Disinfected Junk\YOUR EMAIL ACCOUNT IS SUSPENDED FOR SECURITY REASONS\information.zip[information.scr]
Virus:W32/Mytob.DE.worm Disinfected Junk\*WARNING* Your Email Account Will Be Closed\information.pif
Virus:W32/Mytob.DE.worm Disinfected Junk\YOUR EMAIL ACCOUNT HAS BEEN BLOCKED\information.zip[information.scr]
Virus:W32/Mytob.DE.worm Disinfected Junk\*WARNING* Your Email Account Will Be Closed\account-details.zip[account-details.pif]
Virus:W32/Mytob.DE.worm Disinfected Junk\*WARNING* YOUR EMAIL ACCOUNT WILL BE CLOSED\account-details.zip[account-details.pif]
Virus:W32/Mytob.DE.worm Disinfected Junk\FXPWTN\information.zip[information.exe]
Virus:W32/Mytob.DE.worm Disinfected Junk\SUSPENDED ACCOUNT\document.zip[document.pif]
Virus:W32/Mytob.DE.worm Disinfected Junk\*IMPORTANT* Please Validate Your Email Account\account-details.zip[account-details.txt .scr]
Virus:W32/Mytob.DB.worm Disinfected Junk\Your Email Account is Suspended For Security Reasons\email-doc.scr
Virus:W32/Mytob.DB.worm Disinfected Junk\NOTICE:***YOUR EMAIL ACCOUNT WILL BE SUSPENDED***\email-doc.exe
Virus:W32/Mytob.DB.worm Disinfected Junk\Your email account access is restricted\IMPORTANT.zip[IMPORTANT.pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice:***Your email account will be suspended***\your_details.pif
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice: **Last Warning**\INFO.zip[INFO.pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\*IMPORTANT* Please Validate Your Email Account\document_full.zip[document_full.scr]
Virus:W32/Mytob.DB.worm Disinfected Junk\Your Email Account is Suspended For Security Reasons\email-info.zip[email-info.txt .scr]
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice:***Your email account will be suspended***\email-doc.pif
Virus:W32/Mytob.DB.worm Disinfected Junk\*IMPORTANT* PLEASE VALIDATE YOUR EMAIL ACCOUNT\email-text.zip[email-text.htm .pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\NOTICE: **LAST WARNING**\info-text.zip[info-text.scr]
Virus:W32/Mytob.DB.worm Disinfected Junk\Security measures\your_details.zip[your_details.exe]
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice:***Your email account will be suspended***\info-text.zip[info-text.htm .exe]
Virus:W32/Mytob.DB.worm Disinfected Junk\Your Email Account is Suspended For Security Reasons\email-info.zip[email-info.pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\Email Account Suspension\INFO.zip[INFO.pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\*IMPORTANT* Your Account Has Been Locked\bnwur.scr
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice:***Your email account will be suspended***\IMPORTANT.zip[IMPORTANT.doc .pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\Your email account access is restricted\email-info.zip[email-info.scr]
Virus:W32/Mytob.DB.worm Disinfected Junk\YOUR EMAIL ACCOUNT IS SUSPENDED FOR SECURITY REASONS\information.zip[information.bat]
Virus:W32/Mytob.DB.worm Disinfected Junk\Utbiaehurjnjhlkm\email-info.scr
Virus:W32/Mytob.DB.worm Disinfected Junk\Your email account access is restricted\email-doc.zip[email-doc.scr]
Virus:W32/Mytob.DB.worm Disinfected Junk\Jualwri\information.scr
Virus:W32/Mytob.DB.worm Disinfected Junk\NOTICE:***YOUR EMAIL ACCOUNT WILL BE SUSPENDED***\email-doc.zip[email-doc.txt .exe]
Virus:W32/Mytob.DB.worm Disinfected Junk\Your email account access is restricted\email-doc.scr
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice:***Your email account will be suspended***\email-doc.zip[email-doc.txt .pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\Your email account access is restricted\email-info.pif
Virus:W32/Mytob.DB.worm Disinfected Junk\Your email account access is restricted\IMPORTANT.scr
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice:***Your email account will be suspended***\your_details.zip[your_details.scr]
Virus:W32/Mytob.DB.worm Disinfected Junk\*IMPORTANT* Please Validate Your Email Account\info-text.pif
Virus:W32/Mytob.DB.worm Disinfected Junk\Email Account Suspension\email-info.zip[email-info.doc .pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\Your Email Account is Suspended For Security Reasons\email-text.zip[email-text.pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice:***Your email account will be suspended***\info-text.zip[info-text.pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\Security measures\IMPORTANT.zip[IMPORTANT.scr]
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice:***Your email account will be suspended***\INFO.scr
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice: **Last Warning**\information.zip[information.txt .pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\YOUR EMAIL ACCOUNT ACCESS IS RESTRICTED\information.zip[information.exe]
Virus:W32/Mytob.DB.worm Disinfected Junk\NOTICE:***YOUR EMAIL ACCOUNT WILL BE SUSPENDED***\email-doc.zip[email-doc.doc .exe]
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice:***Your email account will be suspended***\email-text.zip[email-text.pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\Your email account access is restricted\info-text.zip[info-text.exe]
Virus:W32/Mytob.DB.worm Disinfected Junk\NOTICE: **LAST WARNING**\your_details.zip[your_details.txt .exe]
Virus:W32/Mytob.DB.worm Disinfected Junk\NOTICE:***YOUR EMAIL ACCOUNT WILL BE SUSPENDED***\your_details.zip[your_details.pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\Security measures\IMPORTANT.zip[IMPORTANT.scr]
Virus:W32/Mytob.DB.worm Disinfected Junk\*IMPORTANT* YOUR ACCOUNT HAS BEEN LOCKED\email-doc.zip[email-doc.pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\Email Account Suspension\IMPORTANT.zip[IMPORTANT.scr]
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice:***Your email account will be suspended***\email-info.zip[email-info.pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice:***Your email account will be suspended***\info-text.zip[info-text.doc .pif]
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice:***Your email account will be suspended***\your_details.zip[your_details.scr]
Virus:W32/Mytob.DB.worm Disinfected Junk\NOTICE:***YOUR EMAIL ACCOUNT WILL BE SUSPENDED***\email-info.zip[email-info.txt .scr]
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice:***Your email account will be suspended***\INFO.zip[INFO.scr]
Virus:W32/Mytob.DB.worm Disinfected Junk\Notice: **Last Warning**\your_details.zip[your_details.pif]
Virus:W32/Mytob.CP.worm Disinfected Junk\Hello\MAIL.exe
Virus:W32/Mytob.CP.worm Disinfected Junk\Here is your documents.\ATTACHMENT.zip[ATTACHMENT.htm .pif]
Virus:W32/Mydoom.BM.worm Disinfected Junk\Your Email Account is Suspended For Security Reasons\email-doc.zip[email-doc.pif]
Virus:W32/Mytob.CP.worm Disinfected Junk\SOMETHING FOR YOU\wgioz.zip[wgioz.pif]
Virus:W32/Mytob.CP.worm Disinfected Junk\Here is your documents.\DOCUMENT.scr
Virus:W32/Mytob.CP.worm Disinfected Junk\HERE IS YOUR DOCUMENTS.\MAIL.zip[MAIL.htm .pif]
Virus:W32/Mytob.CP.worm Disinfected Junk\Here is your documents.\DOCUMENT.zip[DOCUMENT.pif]
Virus:W32/Mytob.CP.worm Disinfected Junk\Status\DOCUMENT.zip[DOCUMENT.scr]
Virus:W32/Mytob.CP.worm Disinfected Junk\Here is your documents.\FILE.zip[FILE.scr]
Virus:W32/Mytob.CP.worm Disinfected Junk\HERE IS YOUR DOCUMENTS.\ATTACHMENT.zip[ATTACHMENT.pif]
Virus:W32/Mytob.CP.worm Disinfected Junk\MAIL.scr
Virus:W32/Mytob.CP.worm Disinfected Junk\Mail Delivery System\PayPal.zip[PayPal.pif]
Virus:W32/Mytob.CP.worm Disinfected Junk\something for you\FILE.zip[FILE.pif]
Virus:W32/Mytob.CP.worm Disinfected Junk\HERE IS YOUR DOCUMENTS.\DOCUMENT.zip[DOCUMENT.doc .scr]
Virus:W32/Mytob.CP.worm Disinfected Junk\Hello\PayPal.zip[PayPal.pif]
Virus:W32/Mytob.CP.worm Disinfected Junk\something for you\LETTER.zip[LETTER.htm .scr]
Virus:W32/Mytob.CP.worm Disinfected Junk\Error\DOCUMENT.zip[DOCUMENT.txt .exe]
Virus:W32/Mytob.CP.worm Disinfected Junk\Mail Transaction Failed\ATTACHMENT.zip[ATTACHMENT.scr]
Virus:W32/Mytob.CP.worm Disinfected Junk\HERE IS YOUR DOCUMENTS.\DOCUMENT.zip[DOCUMENT.pif]
Virus:W32/Mytob.CP.worm Disinfected Junk\Here is your documents.\ATTACHMENT.exe
Virus:W32/Mytob.CP.worm Disinfected Junk\HERE IS YOUR DOCUMENTS.\README.exe
Virus:W32/Mytob.CP.worm Disinfected Junk\README.scr
Virus:W32/Mytob.CP.worm Disinfected Junk\Mail Delivery System\ndwd.scr
Virus:W32/Mytob.CP.worm Disinfected Junk\HELLO\PayPal.zip[PayPal.exe]
Virus:W32/Mytob.CP.worm Disinfected Junk\Hello\DOCUMENT.zip[DOCUMENT.scr]
Virus:W32/Mydoom.BL.worm Disinfected Junk\HELLO\MAIL.pif
Virus:W32/Mydoom.BL.worm Disinfected Junk\something for you\LETTER.scr
Virus:W32/Mytob.BL.worm Disinfected Junk\Delivery Status Notification (Failure)\Hello\nizp.scr
Virus:W32/Mytob.BL.worm Disinfected Junk\HERE IS YOUR DOCUMENTS.\TEXT.zip[TEXT.scr]
Virus:W32/Mydoom.BL.worm Disinfected Junk\Here is your documents.\DOCUMENT.pif
Virus:W32/Mytob.BL.worm Disinfected Junk\something for you\ATTACHMENT.pif
Virus:W32/Mydoom.BL.worm Disinfected Junk\Delivery Status Notification (Failure)\README.zip[README.txt .exe]
Virus:W32/Mytob.AD.worm Disinfected Junk\Server Report\readme.zip[readme.txt .pif]
Virus:W32/Mytob.AD.worm Disinfected Junk\Server Report\body.pif
Virus:W32/Mytob.AD.worm Disinfected Junk\Good day\docume
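The report above is the raw material a responder would triage: every line names a mass-mailing worm family (Mytob, Mydoom), the subject line that served as the lure, and an attachment that is either an executable (.exe, .pif, .scr) or a zip wrapping one, often with a decoy double extension such as "your_details.txt .exe". The following script is an added example (not posted in the thread and not Panda's own tooling) that parses lines in that format and summarises them by family, by action taken, by executable payload and by double-extension lure. The sample log is seven lines copied from the report above; the format assumptions (one action token, a backslash-separated mail path, the archived file in square brackets) are inferred from those lines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed line layout, inferred from the posted report:
#   Virus:<detection name> <action> <mail folder>\<subject>\<attachment>[<file inside the archive>]
LINE_RE = re.compile(r"^Virus:(?P<name>\S+)\s+(?P<action>\S+)\s+(?P<path>.+)$")

# Extensions Windows executes directly, and the decoy extensions the lures place in front of them.
EXEC_EXTS = ("exe", "pif", "scr", "com", "bat", "cmd")
DECOY_EXTS = ("txt", "doc", "htm", "html", "pdf", "jpg")
DOUBLE_EXT_RE = re.compile(
    r"\.(%s)\s+\.(%s)$" % ("|".join(DECOY_EXTS), "|".join(EXEC_EXTS)), re.IGNORECASE
)

# Sample input: seven lines copied from the Panda report posted above.
SAMPLE_LOG = [
    r"Virus:W32/Mytob.DB.worm Disinfected Junk\Notice:***Your email account will be suspended***\email-text.zip[email-text.pif]",
    r"Virus:W32/Mytob.DB.worm Disinfected Junk\NOTICE: **LAST WARNING**\your_details.zip[your_details.txt .exe]",
    r"Virus:W32/Mytob.CP.worm Disinfected Junk\Hello\MAIL.exe",
    r"Virus:W32/Mydoom.BM.worm Disinfected Junk\Your Email Account is Suspended For Security Reasons\email-doc.zip[email-doc.pif]",
    r"Virus:W32/Mytob.CP.worm Disinfected Junk\MAIL.scr",
    r"Virus:W32/Mytob.BL.worm Disinfected Junk\Delivery Status Notification (Failure)\Hello\nizp.scr",
    r"Virus:W32/Mydoom.BL.worm Disinfected Junk\Delivery Status Notification (Failure)\README.zip[README.txt .exe]",
]


@dataclass
class Detection:
    name: str             # full detection name, e.g. W32/Mytob.DB.worm
    family: str           # family token, e.g. Mytob
    action: str           # what the scanner did, e.g. Disinfected
    folder: str           # mailbox folder, e.g. Junk
    subject: str          # message subject used as the lure ("" when absent)
    attachment: str       # outer attachment name
    inner: Optional[str]  # file inside the archive when the attachment was a .zip


def parse_line(line: str) -> Optional[Detection]:
    """Parse one report line; returns None for lines that are not detections."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("path").split("\\")
    outer, sep, rest = parts[-1].partition("[")
    inner = rest[:-1] if sep and rest.endswith("]") else None
    # "W32/Mytob.DB.worm" -> "Mytob": drop the platform prefix and the variant suffix.
    family = m.group("name").split("/", 1)[-1].split(".", 1)[0]
    return Detection(
        name=m.group("name"), family=family, action=m.group("action"),
        folder=parts[0] if len(parts) > 1 else "",
        subject="\\".join(parts[1:-1]), attachment=outer, inner=inner,
    )


def payload_name(det: Detection) -> str:
    """The file that would actually run: the archived file if present, else the attachment."""
    return det.inner or det.attachment


def is_executable_payload(det: Detection) -> bool:
    ext = payload_name(det).rsplit(".", 1)[-1].strip().lower()
    return ext in EXEC_EXTS


def has_double_extension(det: Detection) -> bool:
    """True for decoy names like 'your_details.txt .exe'."""
    return DOUBLE_EXT_RE.search(payload_name(det)) is not None


def summarize(lines: List[str]) -> Dict[str, object]:
    dets = [d for d in map(parse_line, lines) if d is not None]
    return {
        "total": len(dets),
        "by_family": Counter(d.family for d in dets),
        "by_action": Counter(d.action for d in dets),
        "executable_payloads": sum(is_executable_payload(d) for d in dets),
        "double_extensions": sum(has_double_extension(d) for d in dets),
        "lure_subjects": Counter(d.subject for d in dets if d.subject).most_common(3),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run over the full report, the family and subject counters show at a glance that every hit is a mail-borne worm lure rather than a browser hijacker component, which is the point the next reply makes; the "Disinfected" action count also tells you the scanner cleaned rather than quarantined, so the original messages are still sitting in the mail store.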

#5
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
I can see why you get all the Spam, there was a Mass Mailing Internet Worm on the System!

I highly recommend getting rid of all the old Emails that are Stored on the PC!

It appears that Panda has Disinfected the Worm itself!

Locate and Delete these please

C:\Documents and Settings\Owner\Favorites\Sites about<< Folder

C:\WINDOWS\system32\fiz1<< Not sure if its a file or folder!

C:\WINDOWS\system32\in4bdlA.dll<< File!

C:\WINDOWS\msiv32.exe<< File!

Have HijackThis fix this entry

O4 - HKLM\..\Run: [msiv32.exe] C:\WINDOWS\msiv32.exe


I am unsure of what you use to Manage your email but I suggest cleaning out all the related folders!

No telling what's left lying inside those!

Scan the System once more with this Scanner, it has a tendency to locate more email infections!

http://www.ravantivirus.com/scan/


Let's see those Results once completed!


Install these 2 for Safer Browsing!

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediately!

IE Spyad:
http://www.bleepingc...showtutorial=53
There is a direct download inside and great tutorial also!

Restore the Hosts File to the Original State
Download the Hoster from here:
http://www.funkytoad...load/hoster.zip
Press "Restore Original Hosts" and press "OK"!!
Exit Program!

Boost the Hosts File by installing WinHelp2002's Hosts File
http://www.mvps.org/...p2002/hosts.htm
and made easy here
http://www.mvps.org/...2002/hosts2.htm


If McAfee let all that Email in, then I would look at the Panda Site if you like it and see what packages they have with Email Scanning included!


That seems to have been the Source of the entire problem!


Post back and let's have a look at the Rav Scan output!

Edited by Cretemonster, 12 July 2005 - 04:18 AM.

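The two hosts-file steps in the reply above (restore the original file, then load the MVPS blocklist) both produce a file full of 127.0.0.1 and 0.0.0.0 entries, and a browser hijacker also writes to the same file, so a defender needs a way to tell the two apart. The script below is an added example (not from the thread, not part of Hoster or the MVPS list) that parses a hosts file and classifies each entry: the stock localhost lines, sinkhole entries that point a name at a loopback or unspecified address (harmless, MVPS-style blocking), and redirects that point a real hostname at some other address, which is what a hijacked hosts file looks like. The sample hosts file is constructed for the example; the 192.0.2.x addresses are documentation-range placeholders, not real attacker infrastructure.

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Names that legitimately live on a loopback address in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample hosts file (not taken from the thread).  Line numbers count from 1.
SAMPLE_HOSTS = """\
# Constructed sample hosts file for the example
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net
127.0.0.1       tracker.example.org   # MVPS-style sinkhole entry
192.0.2.44      www.example-bank.com  # a real name redirected to a remote address
192.0.2.44      search.example.com  secure.example.com
"""


class HostsEntry(NamedTuple):
    lineno: int
    ip: str
    names: Tuple[str, ...]
    kind: str  # "localhost" | "sinkhole" | "redirect" | "malformed"


def classify(ip_text: str, names: Tuple[str, ...]) -> str:
    """Decide what an address/name mapping is doing."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if ip.is_loopback and names and all(n.lower() in LOCAL_NAMES for n in names):
        return "localhost"          # the stock entries every hosts file carries
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"           # name blocked by pointing it nowhere (MVPS style)
    return "redirect"               # name steered to another host: review this


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file text into classified entries, skipping blanks and comments."""
    entries: List[HostsEntry] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            entries.append(HostsEntry(lineno, fields[0], (), "malformed"))
            continue
        ip, names = fields[0], tuple(fields[1:])
        entries.append(HostsEntry(lineno, ip, names, classify(ip, names)))
    return entries


def suspicious_entries(text: str) -> List[HostsEntry]:
    """Entries worth a second look: redirects to other hosts and unparsable lines."""
    return [e for e in parse_hosts(text) if e.kind in ("redirect", "malformed")]


if __name__ == "__main__":
    for entry in parse_hosts(SAMPLE_HOSTS):
        print(f"line {entry.lineno:>3}  {entry.kind:<9}  {entry.ip:<15} {' '.join(entry.names)}")
    print("\nentries to review:", [e.lineno for e in suspicious_entries(SAMPLE_HOSTS)])
```

On a real machine, read C:\WINDOWS\system32\drivers\etc\hosts into `text` and look at the "redirect" entries only: a fresh Windows hosts file has none, and a freshly installed MVPS list adds only sinkhole lines, so anything classified as a redirect was put there by something else. Note that the check deliberately does not treat private or documentation ranges as safe; a redirect to a LAN address is still a redirect and should be explained.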