Virus? Worm? Something bad has got this PC [RESOLVED]


  • This topic is locked

#1
Jennlee
Member, 12 posts

Hello and thank you in advance for any advice. I'm nearing the sledgehammer stage. My mother brought me her laptop to "fix," and whatever virus or worm she has got so far has got my number.

About three or four weeks ago she had the W32.Mytob.ED@mm worm, which we removed with a removal tool from Symantec. The log from that said it was removed, and the worm stopped sending itself out via email, so I assume that one is gone.

However, when I got the PC from her, I found there was a ton of spyware/adware/malware on the PC and something has hijacked the browser and desktop. Here are the symptoms:

1. PC boots and runs extremely slow
2. The Windows splash screen comes up at odd times, freezing the PC momentarily with "Please Wait"
3. Browser is hijacked when attempting to purchase or buy antivirus software or when going to certain web addresses.
4. Windows Help and Support disabled - click it, nothing happens
5. Windows system restore disabled - no options to set restore point or restore to earlier point.
6. Windows search won't let you search for anything - brings up search window but you can't put anything in.
7. Won't run Norton antivirus/internet security - it deactivates something so when you try to click "Next" on the config screen nothing happens. Something does run in the background because when I reboot, ccApp has to end task, and occasionally the Antivirus part puts up a message about Adware.ClearSearch, but it won't scan or run anything.
8. Messed up browser information so won't run online scans or downloads - doesn't return correct version number, etc. Couldn't run the online scans at Symantec, Panda, or Trend Housecall, likely due to this.
9. Often when opening IE, instead of going to the homepage (Google) it has the invalid URL of http:/// and errors - this is sporadic, but always happens right after a reboot for sure.

Here are the steps I have taken:

I have run all the steps in the "Read This" posting, except the online scans, which I tried, but won't run, and SP1a, which wouldn't load, first because of the browser-settings thing, but when I got around that, it wouldn't run because SP2 is on already.

Before I found GeeksToGo, I had done some other stuff - I had run Ewido in safe mode, and Ad Aware (tons of entries deleted). I ran Spybot also. I ran a fix to get rid of Aurora Abi, which I think is now gone. I also ran nailfix.

But after all that, the PC is still pretty much hosed.

Here's the HijackThis! log:

Logfile of HijackThis v1.99.1
Scan saved at 9:59:13 PM, on 7/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Internet Security\cfgwiz.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe
C:\WINDOWS\SYSTEM32\freecell.exe
C:\WINDOWS\system32\sethc.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-44D6-A2A2-2303E9EE7A89} - C:\Program Files\f9bp2c5u\f9bp2c5u.dll
O2 - BHO: (no name) - {2A8AA91C-C184-4136-859F-9DB2FA6B7523} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {77389F50-04D3-4117-8678-A8CE82064589} - (no file)
O2 - BHO: (no name) - {779C3818-22DC-4B12-8E2E-3D7A51723518} - (no file)
O2 - BHO: (no name) - {82932E79-FB23-477F-9E25-D6D3344656AD} - (no file)
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {ACB92FB8-FDA2-46E2-BAE7-AD1491FC716E} - (no file)
O2 - BHO: (no name) - {B3223A26-C245-46B2-AB8B-3463D2134DB4} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Global Startup: AMERICA ONLINE TRAY ICON.LNK = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {93B32602-A185-498B-9EA2-0518EBE72DE3} - http://fdl.msn.com/p...13/invinstl.exe
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\CSFBdirect\FlowHook.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


I hope someone can help me! It's driving me nuts! Thanks!!!
  • 0

#2
Rawe
Visiting Staff, Member, 4,746 posts

Hello and welcome!

Please download the following tool which helps us;

- Clean Up

Run the CleanUp installer and get the program ready to be used, but don't run it yet.

Since you have Ewido Security Suite already installed, please update its definitions but don't run a scan yet!
Exit Ewido.

Close any open windows and/or open browsers. Run a scan with HiJackThis, and once it's finished, check these objects for removal;

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-44D6-A2A2-2303E9EE7A89} - C:\Program Files\f9bp2c5u\f9bp2c5u.dll
O2 - BHO: (no name) - {2A8AA91C-C184-4136-859F-9DB2FA6B7523} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {77389F50-04D3-4117-8678-A8CE82064589} - (no file)
O2 - BHO: (no name) - {779C3818-22DC-4B12-8E2E-3D7A51723518} - (no file)
O2 - BHO: (no name) - {82932E79-FB23-477F-9E25-D6D3344656AD} - (no file)
O2 - BHO: (no name) - {ACB92FB8-FDA2-46E2-BAE7-AD1491FC716E} - (no file)
O2 - BHO: (no name) - {B3223A26-C245-46B2-AB8B-3463D2134DB4} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)


Make sure that the above mentioned objects are all checked, then hit
"Fix Checked".

Run a Full Scan in Ewido Security Suite. Again, make sure that it's the only program running at that time/only window open. Let it remove anything it finds & save the log it produces.

Run CleanUp! making sure to reboot your PC when prompted.
Once your Windows has loaded, please run a new scan with HiJackThis. When it has finished, post the fresh log here along with the log from Ewido's Full Scan. ;)

We'll continue then!

- Rawe :tazz:
  • 0

#3
Jennlee
Member, Topic Starter, 12 posts

Hi Rawe!! Thanks for replying!

I have done the following:

Updated Ewido (there was an update available)
Scanned with HijackThis and checked the objects listed in your post, and clicked fix checked.
Run a full scan in Ewido (it found nothing. When I ran it the first time last week, it found about 355 things)
Ran CleanUp and rebooted as indicated
Ran HijackThis and saved the log

Ewido Report:
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:20:43 AM, 7/16/2005
+ Report-Checksum: A0E5B6F

+ Scan result:

No infected objects found.


::Report End

Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:31:45 AM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Global Startup: AMERICA ONLINE TRAY ICON.LNK = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {93B32602-A185-498B-9EA2-0518EBE72DE3} - http://fdl.msn.com/p...13/invinstl.exe
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\CSFBdirect\FlowHook.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0
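
The check carried out by hand in the posts above (pick entries out of the first HijackThis log, apply "Fix Checked", then confirm against a fresh log), as an added Python example that is not part of the original posts. The log excerpts are copied from the two logs in this thread; the function names and the review rules are assumptions made for illustration and are not HijackThis features.

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    code: str    # HijackThis section code, e.g. "O2"
    detail: str  # text after "CODE - "
    raw: str     # whole line, used to compare two logs

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_log(text):
    """Return section entries; header and process-list lines do not match."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2), line.strip()))
    return entries

def review_reason(entry):
    """Say why an entry needs a human look, or return None (illustrative rules)."""
    if entry.code in ("O2", "O3") and entry.detail.endswith("(no file)"):
        return "orphaned registration: the component's file is gone"
    if entry.code in ("O2", "O3") and "(no name)" in entry.detail:
        return "unnamed component: identify the DLL before deciding"
    if entry.code == "R3" and entry.detail.endswith("is missing"):
        return "URLSearchHook value is missing"
    if entry.code == "O1":
        return "hosts file override: confirm the mapping is wanted"
    return None

def triage(entries):
    """Pair every entry that matches a rule with its reason."""
    return [(e, r) for e in entries if (r := review_reason(e)) is not None]

def still_present(selected, after):
    """Selected lines that survive in the fresh log (fixes that did not stick)."""
    remaining = {e.raw for e in after}
    return [e.raw for e in selected if e.raw in remaining]

# Excerpt of the first log in the thread (7/11/2005).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-44D6-A2A2-2303E9EE7A89} - C:\Program Files\f9bp2c5u\f9bp2c5u.dll
O2 - BHO: (no name) - {2A8AA91C-C184-4136-859F-9DB2FA6B7523} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

# Lines from the removal list in post #2 that appear in the excerpt above.
SELECTED = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000000-0000-44D6-A2A2-2303E9EE7A89} - C:\Program Files\f9bp2c5u\f9bp2c5u.dll
O2 - BHO: (no name) - {2A8AA91C-C184-4136-859F-9DB2FA6B7523} - (no file)
O3 - Toolbar: (no name) - {EA5A82FB-D6BE-44F9-9363-B1ABABC153C1} - (no file)
"""

# Excerpt of the fresh log posted after the fix (7/16/2005).
AFTER = r"""
Logfile of HijackThis v1.99.1
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

if __name__ == "__main__":
    print("Entries to review in the first log:")
    for entry, reason in triage(parse_log(BEFORE)):
        print(f"  [{entry.code}] {reason}\n      {entry.raw}")
    leftover = still_present(parse_log(SELECTED), parse_log(AFTER))
    print("Selected entries still present after the fix:", leftover or "none")
    print("Entries still worth a look in the fresh log:")
    for entry, reason in triage(parse_log(AFTER)):
        print(f"  [{entry.code}] {reason}\n      {entry.raw}")
```

The "unnamed component" rule matches both f9bp2c5u.dll and Spybot's SDHelper.dll, while the removal list in post #2 contains only the former and also includes an R0 line that no rule here matches, so the output is a review queue rather than a removal list. The O1 hosts entry is still present in the fresh log.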

#4
Rawe
Visiting Staff, Member, 4,746 posts

Hi again! Let's continue with one really great tool next ;)

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom", then click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
    Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Once you have done this, please reboot. Run a new scan with HiJackThis, and post both logs here as a reply.

- Rawe :tazz:
  • 0

#5
Jennlee
Member, Topic Starter, 12 posts

Thanks, Rawe

When I ran Spysweeper, besides the items it found, I got an alert that read:
Hosts File Shield for www.dcsresearch.com: 64.91.255.87 has been added, but Internet lookup reports - no IP Address Returned.

I wasn't sure if I should click Remove, so I left it alone.

Spysweeper log

********
10:17 AM: |··· Start of Session, Saturday, July 16, 2005 ···|
10:17 AM: Spy Sweeper started
10:17 AM: Sweep initiated using definitions version 505
10:17 AM: Starting Memory Sweep
10:23 AM: Memory Sweep Complete, Elapsed Time: 00:05:58
10:23 AM: Starting Registry Sweep
10:23 AM: Found Adware: clipgenie
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\clipgenie\ (5 subtraces) (ID = 4366798)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\traynotifier\clipgenie\ (4 subtraces) (ID = 4366803)
10:23 AM: Found Adware: ebates money maker
10:23 AM: HKU\S-1-5-21-1935655697-1957994488-1060284298-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 4386609)
10:23 AM: Found Adware: ieplugin
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\intexp\ (43 subtraces) (ID = 4389221)
10:23 AM: Found Adware: drsnsrch.com hijacker
10:23 AM: HKU\S-1-5-21-1935655697-1957994488-1060284298-1004\software\microsoft\search assistant\ || defaultsearchurl (ID = 4389253)
10:23 AM: Found Adware: ieplugin hijacker
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\microsoft\internet explorer\main\ || search bar (ID = 4389262)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\microsoft\internet explorer\main\ || search page (ID = 4389263)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\microsoft\internet explorer\searchurl\ (2 subtraces) (ID = 4389268)
10:23 AM: Found Adware: ietoolbar
10:23 AM: HKLM\software\classes\typelib\{4a7dba74-e729-4ec8-92e2-ffd83921449f}\ (9 subtraces) (ID = 4389294)
10:23 AM: HKLM\software\mbkwbar\ (1 subtraces) (ID = 4389297)
10:23 AM: HKCR\typelib\{4a7dba74-e729-4ec8-92e2-ffd83921449f}\ (9 subtraces) (ID = 4389307)
10:23 AM: Found Adware: locators toolbar
10:23 AM: HKU\S-1-5-21-1935655697-1957994488-1060284298-1004\software\microsoft\internet explorer\toolbar\webbrowser\ || {8e718888-423f-11d2-876e-00a0c9082467} (ID = 4390919)
10:23 AM: HKU\S-1-5-20\software\microsoft\internet explorer\toolbar\webbrowser\ || {8e718888-423f-11d2-876e-00a0c9082467} (ID = 4390919)
10:23 AM: HKU\S-1-5-19\software\microsoft\internet explorer\toolbar\webbrowser\ || {8e718888-423f-11d2-876e-00a0c9082467} (ID = 4390919)
10:23 AM: HKU\S-1-5-18\software\microsoft\internet explorer\toolbar\webbrowser\ || {8e718888-423f-11d2-876e-00a0c9082467} (ID = 4390919)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\microsoft\internet explorer\toolbar\webbrowser\ || {8e718888-423f-11d2-876e-00a0c9082467} (ID = 4390919)
10:23 AM: Found System Monitor: networkessentials
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\support software\ (11 subtraces) (ID = 4397385)
10:23 AM: Found Adware: sidesearch
10:23 AM: HKLM\software\lycos\ (1 subtraces) (ID = 4403232)
10:23 AM: Found Adware: abetterinternet
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || au3n5a7tionscode (ID = 4407471)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aub3d5om (ID = 4407472)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || auc1o3d5eofsfinalad (ID = 4407473)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || auc3n5tfyl (ID = 4407474)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || auc3n5trmsgsdisp (ID = 4407475)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || auc3u5rrentsmode (ID = 4407476)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aud3s5tssend (ID = 4407477)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aue3v5nt (ID = 4407478)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aui3d5ofsinst (ID = 4407479)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aui3g5nores (ID = 4407480)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aui3n5progscab (ID = 4407481)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aui3n5progsex (ID = 4407482)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aui3n5progslstest (ID = 4407483)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aul3n5title (ID = 4407484)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aum3o5dessync (ID = 4407485)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aup3d5om (ID = 4407486)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aus3t5icky1s (ID = 4407488)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aus3t5icky2s (ID = 4407489)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aus3t5icky3s (ID = 4407490)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aus3t5icky4s (ID = 4407491)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aut3h5rshsbath (ID = 4407492)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aut3h5rshschecksin (ID = 4407493)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aut3h5rshsmots (ID = 4407494)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aut3h5rshsyssinf (ID = 4407495)
10:23 AM: HKU\WRSS_Profile_S-1-5-21-1935655697-1957994488-1060284298-500\software\aurora\ || aut3i5m7eofsfinalad (ID = 4407496)
10:23 AM: Registry Sweep Complete, Elapsed Time:00:00:27
10:23 AM: Starting Cookie Sweep
10:23 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:23 AM: Starting File Sweep
10:24 AM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
10:24 AM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
10:28 AM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
10:29 AM: mbkwnst.exe (ID = 4105538)
10:29 AM: btgrab.inf (ID = 4127870)
10:29 AM: mbkwnst.inf (ID = 4105540)
10:35 AM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
10:40 AM: c:\program files\lycos\sidesearch (1 subtraces) (ID = 4119934)
10:40 AM: c:\program files\support software (ID = 4114104)
10:41 AM: c:\program files\mbkwbar (1 subtraces) (ID = 4105547)
10:42 AM: mbkwbar.exe (ID = 4105534)
10:42 AM: Found Adware: clearsearch
10:42 AM: dcemr295.dll (ID = 4093478)
10:42 AM: 8yny45gh.dll (ID = 4093783)
10:42 AM: vtiq2u8a.dll (ID = 4093824)
10:42 AM: opr8gqjw.dll (ID = 4093859)
10:42 AM: rj94kffx.dll (ID = 4093501)
10:42 AM: vo3mvv14.dll (ID = 4093783)
10:42 AM: ldga59pp.dll (ID = 4093575)
10:42 AM: oyohfc5e.dll (ID = 4093859)
10:43 AM: Warning: Failed to open file "c:\documents and settings\default\ntuser.dat". The process cannot access the file because it is being used by another process
10:43 AM: Warning: Failed to open file "c:\documents and settings\default\ntuser.dat.log". The process cannot access the file because it is being used by another process
10:44 AM: lycos sidesearch.lnk (ID = 4119908)
10:44 AM: Warning: Failed to open file "c:\documents and settings\default\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\default\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
10:44 AM: c:\documents and settings\default\application data\lycos (ID = 4119932)
10:44 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
10:44 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
10:44 AM: File Sweep Complete, Elapsed Time: 00:20:47
10:44 AM: Full Sweep has completed. Elapsed time 00:27:19
10:44 AM: Traces Found: 147
10:47 AM: Removal process initiated
10:47 AM: Quarantining All Traces: clipgenie
10:47 AM: Quarantining All Traces: ebates money maker
10:47 AM: Quarantining All Traces: ieplugin
10:47 AM: Quarantining All Traces: drsnsrch.com hijacker
10:47 AM: Quarantining All Traces: ieplugin hijacker
10:47 AM: Quarantining All Traces: ietoolbar
10:47 AM: Quarantining All Traces: locators toolbar
10:47 AM: Quarantining All Traces: networkessentials
10:47 AM: Quarantining All Traces: sidesearch
10:47 AM: Quarantining All Traces: abetterinternet
10:47 AM: Quarantining All Traces: clearsearch
10:47 AM: Removal process completed. Elapsed time 00:00:26
********
10:14 AM: |··· Start of Session, Saturday, July 16, 2005 ···|
10:14 AM: Spy Sweeper started
10:15 AM: Your spyware definitions have been updated.
10:15 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000058
10:15 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000024
10:15 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000024
10:17 AM: |··· End of Session, Saturday, July 16, 2005 ···|


HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:04:52 AM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Global Startup: AMERICA ONLINE TRAY ICON.LNK = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {93B32602-A185-498B-9EA2-0518EBE72DE3} - http://fdl.msn.com/p...13/invinstl.exe
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\CSFBdirect\FlowHook.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6
Rawe

Hello again.

Please print these instructions out, or write them down, as you can't read them during the fix.

I will need you to run a scan with SpySweeper again since it failed on a few things.
Please do the following... Update it first. Also get CleanUp! ready to be used again.

Boot into Safe Mode. If you need help with booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Once your Windows has loaded to Safe Mode, run a scan with SpySweeper again.
Make sure to do it with the same instructions as you did earlier (though please close any open windows and/or open browsers/programs, making sure that SpySweeper is the only program running at that time).
Let it remove anything it finds. And save the logfile. Copy & paste it into your next reply.

Exit SpySweeper once it's ready. Run CleanUp! making sure to reboot your PC when prompted.
Boot up into normal mode, then run a new scan with HiJackThis. Post the fresh log here along with the log from new SpySweeper scan.

- Rawe :tazz:

#7
Jennlee

Hi -

In safe mode, Spysweeper didn't find anything from the scan. I still do get that alert on Hosts File Shield for www.dcsresearch.com: 64.91.255.87 has been added, but Internet lookup reports - no IP Address Returned.

Should I remove that? It was not on the regular page, so I wasn't sure.

In safe mode, nothing appeared to be running when I ran Spysweeper - I didn't start up anything, and no extra windows were open.

Spysweeper log
********
11:51 AM: |··· Start of Session, Saturday, July 16, 2005 ···|
11:51 AM: Spy Sweeper started
11:51 AM: Sweep initiated using definitions version 505
11:51 AM: Starting Memory Sweep
11:53 AM: Memory Sweep Complete, Elapsed Time: 00:01:38
11:53 AM: Starting Registry Sweep
11:53 AM: Registry Sweep Complete, Elapsed Time:00:00:19
11:53 AM: Starting Cookie Sweep
11:53 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:53 AM: Starting File Sweep
11:53 AM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
11:55 AM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
11:55 AM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
11:55 AM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
11:55 AM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
11:55 AM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
11:55 AM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
11:55 AM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
11:55 AM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
11:55 AM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
11:55 AM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
12:01 PM: Warning: Failed to open file "c:\documents and settings\default\ntuser.dat". The process cannot access the file because it is being used by another process
12:01 PM: Warning: Failed to open file "c:\documents and settings\default\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:02 PM: Warning: Failed to open file "c:\documents and settings\default\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:02 PM: Warning: Failed to open file "c:\documents and settings\default\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:02 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
12:02 PM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
12:02 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
12:02 PM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
12:02 PM: File Sweep Complete, Elapsed Time: 00:08:42
12:02 PM: Full Sweep has completed. Elapsed time 00:10:46
12:02 PM: Traces Found: 0
********
11:08 AM: |··· Start of Session, Saturday, July 16, 2005 ···|
11:08 AM: Spy Sweeper started
11:08 AM: Sweep initiated using definitions version 505
11:08 AM: Starting Memory Sweep
11:13 AM: Memory Sweep Complete, Elapsed Time: 00:05:00
11:13 AM: Starting Registry Sweep
11:13 AM: Registry Sweep Complete, Elapsed Time:00:00:25
11:13 AM: Starting Cookie Sweep
11:13 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:14 AM: Starting File Sweep
11:14 AM: Warning: Failed to open file "c:\hiberfil.sys". Access is denied
11:14 AM: Warning: Failed to open file "c:\pagefile.sys". Access is denied
11:18 AM: Warning: Failed to open file "c:\windows\system32\config\system.log". The process cannot access the file because it is being used by another process
11:18 AM: Warning: Failed to open file "c:\windows\system32\config\software.log". The process cannot access the file because it is being used by another process
11:18 AM: Warning: Failed to open file "c:\windows\system32\config\default.log". The process cannot access the file because it is being used by another process
11:18 AM: Warning: Failed to open file "c:\windows\system32\config\security". The process cannot access the file because it is being used by another process
11:18 AM: Warning: Failed to open file "c:\windows\system32\config\sam". The process cannot access the file because it is being used by another process
11:18 AM: Warning: Failed to open file "c:\windows\system32\config\sam.log". The process cannot access the file because it is being used by another process
11:18 AM: Warning: Failed to open file "c:\windows\system32\config\security.log". The process cannot access the file because it is being used by another process
11:18 AM: Warning: Failed to open file "c:\windows\system32\config\system". The process cannot access the file because it is being used by another process
11:18 AM: Warning: Failed to open file "c:\windows\system32\config\software". The process cannot access the file because it is being used by another process
11:18 AM: Warning: Failed to open file "c:\windows\system32\config\default". The process cannot access the file because it is being used by another process
11:21 AM: Warning: Failed to open file "c:\windows\softwaredistribution\eventcache\{d88eccca-a51d-4aee-b137-1ccb7a99e371}.bin". The process cannot access the file because it is being used by another process
11:25 AM: Warning: Failed to open file "c:\program files\common files\symantec shared\ccpd-lc\symlcrst.dll". The process cannot access the file because it is being used by another process
11:33 AM: Warning: Failed to open file "c:\documents and settings\default\ntuser.dat". The process cannot access the file because it is being used by another process
11:33 AM: Warning: Failed to open file "c:\documents and settings\default\ntuser.dat.log". The process cannot access the file because it is being used by another process
11:34 AM: Warning: Failed to open file "c:\documents and settings\default\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
11:34 AM: Warning: Failed to open file "c:\documents and settings\default\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
11:34 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat". The process cannot access the file because it is being used by another process
11:34 AM: Warning: Failed to open file "c:\documents and settings\networkservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
11:34 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
11:34 AM: Warning: Failed to open file "c:\documents and settings\networkservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
11:34 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat". The process cannot access the file because it is being used by another process
11:34 AM: Warning: Failed to open file "c:\documents and settings\localservice\ntuser.dat.log". The process cannot access the file because it is being used by another process
11:34 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat". The process cannot access the file because it is being used by another process
11:34 AM: Warning: Failed to open file "c:\documents and settings\localservice\local settings\application data\microsoft\windows\usrclass.dat.log". The process cannot access the file because it is being used by another process
11:34 AM: File Sweep Complete, Elapsed Time: 00:20:22
11:34 AM: Full Sweep has completed. Elapsed time 00:26:03
11:34 AM: Traces Found: 0
11:36 AM: Updating spyware definitions
11:36 AM: Your definitions are up to date.
11:49 AM: Program Version 4.0.3 (Build 405) Using Spyware Definitions 505
11:50 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000058
11:50 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000024
11:50 AM: Warning: Hosts File Shield unable to read from hosts file. Access violation at address 7C910370 in module 'ntdll.dll'. Read of address 00000024
11:51 AM: |··· End of Session, Saturday, July 16, 2005 ···|

HijackThis Log
Logfile of HijackThis v1.99.1
Scan saved at 12:14:01 PM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Global Startup: AMERICA ONLINE TRAY ICON.LNK = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {93B32602-A185-498B-9EA2-0518EBE72DE3} - http://fdl.msn.com/p...13/invinstl.exe
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\CSFBdirect\FlowHook.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#8
Rawe

Hi again!

You're logged in to an Admin account, right? You don't need to remove that host file which SpySweeper reports.

Let me know.

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot your computer. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them here.

- Rawe :tazz:

#9
Jennlee

Hi -

I ran it in safe mode both as admin and as my mother's account (it's her pc) and the results were the same - nothing found. I picked the Safe Mode option, but there were also selections for Safe Mode with Networking and Safe Mode Command Line, that I didn't use.

The Trend Micro scan found some stuff that I told it to clean. Things must be getting a bit better, because I wasn't able to download the TrendMicro scan at all before, so that's cool.

Trend Micro Log
Started Scanning
Internet Cookies
Programs in Memory
Windows Registry
Found '' in 'SOFTWARE\TrayNotifier'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}'
Internet URL Shortcuts
Files and Directories
Found 'kwv2.dat' in 'C:\WINDOWS'
Found '' in 'C:\Program Files\Lycos'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\WINDOWS\kwv2.dat' in shortcut areas.
Checking for 'C:\WINDOWS\kwv2.dat' in startup areas.
Cleaning 'C:\WINDOWS\kwv2.dat'
Checking for 'C:\Program Files\Lycos' in shortcut areas.
Checking for 'C:\Program Files\Lycos' in startup areas.
Cleaning 'C:\Program Files\Lycos'
Finished Cleaning

I also ran a fresh HijackThis after the reboot

Logfile of HijackThis v1.99.1
Scan saved at 1:46:10 PM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Global Startup: AMERICA ONLINE TRAY ICON.LNK = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {93B32602-A185-498B-9EA2-0518EBE72DE3} - http://fdl.msn.com/p...13/invinstl.exe
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\CSFBdirect\FlowHook.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


I was wondering if I should maybe uninstall Norton Internet Security - I never got it to install/run properly, because the PC was so messed up. Do you think that would be helpful in this process at all?

#10
Rawe

I've never liked Norton either :tazz:

But let's just keep that until we get your PC clean. Once we get it clean, you might want to get AVG or Avast! They are both free anti-virus applications and really good too!

Ok, let's continue then. Things are looking better, yes.
I might want you to install a couple of little apps too.
Please download & install the following programs:
- EasyCleaner
- Mru-Blaster by Javacool

Install Mru-Blaster. Once you launch it the first time, there should be a window for setting automatic scans and the main window of Mru-Blaster. Ignore the settings window; close it using the "X" at the corner. Go to Mru-Blaster's main window. Click on "Scan now". If it finds anything, click on "Clean Now". Click on Scan again, then if it still finds something, please click "Clean Now" again. Then exit Mru-Blaster.

After installing EasyCleaner, check under Settings > Registry tab if the backup
option is checked and if the directory it points to exists.
This should be true by default, but check anyway.

Then click "OK" and click "Registry"
Then click "Search". When it is done select all the items per color,
(most, if not all should be green) and click Remove.

Reboot when you are done, and let me know how things are running now ;)

- Rawe ;)


#11
Jennlee

Hi -

MRU blaster found 1372 things, and EasyCleaner 300+.

The browser doesn't seem to be getting hijacked anymore. The browser still seems to have some issues, though. When I click on help and select about, no version information shows up - the version info is blank. I suspected that this prevents some of the online scan things from running via browser, but perhaps not, since TrendMicro scan worked.

I was unable to run Panda scan online, though. Also when using Norton's support site, some combo boxes wouldn't pre-fill as they do when I use my own PC. The effect of this is that you really can't get to the support area of the site, which is why I suspected that one of the infections had disabled something in the browser.

The speed of the PC seems very slow still. It is an older PC, and I'm not very familiar with it, but it seems slower than it should be. It takes 5-10 minutes to reboot to a stage where you can do anything. Toward the end of this time, the Windows Splash "Please Wait" screen comes up (along with a sound effect of some sort), and the screen turns from color to black & white for a few moments. This seems kind of weird, and does not happen on any other PC that I have used, so I was suspecting something with a worm or virus.

Windows Help & Support seems to be disabled - when I click the help button on the start menu or from an explorer window, nothing happens.

Along that same theme, the Windows Search assistant isn't working - when I try to search in Windows explorer, I get the search window, and the little doggie search assistant thing, but no place to click or enter search information.

I've also been getting this strange message upon reboot: "Outlook message - Either there is no default mail client or the current mail client cannot fulfill the message request. Please run MS outlook and set it as the default mail client." This one is pretty new - just in the last day I think. My mother has Outlook Express on this PC, but I don't think Outlook is on there.

Norton antivirus/internet security will not run. Well, it sort of runs, but the screens on it seem to be disabled so that they can only be closed. Upon reboot, it attempts to run the configuration screen, which starts with an opening message and a "Next" button. Clicking the Next button does nothing, nor does pressing Enter or using Alt-N, etc. I can only close the window.


I ran another HijackThis log as well in case it's needed for anything.


Logfile of HijackThis v1.99.1
Scan saved at 4:02:53 PM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - Global Startup: AMERICA ONLINE TRAY ICON.LNK = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {93B32602-A185-498B-9EA2-0518EBE72DE3} - http://fdl.msn.com/p...13/invinstl.exe
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\CSFBdirect\FlowHook.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks again for your time to help me.

What sorts of infections did/does the PC have? Just curious. Seemed like there were a million of them.

#12
Rawe

Actually your latest log seems clean. Let's try a few things just in case. If they don't show anything, then this issue isn't about malware.

Please run an online anti-virus scan. Here (use its "Auto-clean" option):
- Trend Micro

Let it remove anything it finds and copy & paste the results of the scan to your next reply.
It also works on quite a few browsers, so using Internet Explorer isn't necessary for this one. IMO, you could use Firefox, available here; http://www.mozilla.org/ (it's a lot safer, faster & better than IE, so I recommend it to be used.)

Then if you don't already have Ad-aware, please download & install it HERE. Or if you have it, then uninstall your current version using Add/Remove programs, then go and manually delete the folder from the C:\Program Files - directory. Then empty your recycle bin and get back to follow the instructions.

=> A tutorial for Ad-aware

Run the program, as instructed on the link. ;)

Reboot, run a new scan with HiJackThis & post the fresh log here along with the log from TrendMicro scan.

Let me know how your PC is behaving now.

- Rawe :tazz:

#13
Jennlee

Hi -

The trend micro scan wouldn't run - no error messages - just nothing happened when the link was clicked. I left it on for a while because it said it might take a while to load the first time, but it never ran.

I tried to download Firefox, but from that PC, no download links showed up on the mozilla pages. I was running my own laptop beside it, and I could see the links on mine. I used my laptop to view the actual download link on the status bar of the browser and hand-typed it into the browser on the affected PC, but nothing downloaded or ran - it just went back to the mozilla page.

I uninstalled the Ad Aware that was on the PC and installed the newest version. I did the config steps in the instructions and ran it. It found 6 or 7 things, which it said it got rid of.


Here's the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:51:09 PM, on 7/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\CASIO\Photo Loader\Plauto.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Documents and Settings\default\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~2\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: AMERICA ONLINE TRAY ICON.LNK = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {93B32602-A185-498B-9EA2-0518EBE72DE3} - http://fdl.msn.com/p...13/invinstl.exe
O18 - Protocol: flowto - {C7101FB0-28FB-11D5-883A-204C4F4F5020} - C:\CSFBdirect\FlowHook.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#14
Rawe

Your log looks fine. Just run a new scan with it, then check the following object for removal:

R3 - Default URLSearchHook is missing

and it's good then. Since your problems haven't gone yet, I'm gonna go and ask for a little backup on this one from other staff because this isn't about malware.

- Rawe :tazz:
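
An added example, not part of the original thread and not the helper's own tooling: comparing two HijackThis scans of the same machine by parsing each log and diffing the section-coded entries and the running processes, instead of reading both logs by eye. The sample logs are abridged from the 4:02 PM and 5:51 PM scans posted above; `parse_hjt` and `diff_hjt` are names chosen for this example.

```python
import re
from collections import Counter

# HijackThis entry lines start with a section code such as R0, R3, O4 or O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")

def parse_hjt(text):
    """Split a HijackThis log into running processes and section-coded entries."""
    processes, entries, in_procs = Counter(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m["code"], m["body"]))
        elif in_procs and line:
            # Windows paths are case-insensitive; normalise before comparing.
            processes[line.lower()] += 1
    return processes, entries

def diff_hjt(old_text, new_text):
    """Report what changed between two scans of the same machine."""
    old_p, old_e = parse_hjt(old_text)
    new_p, new_e = parse_hjt(new_text)
    return {
        "entries_added": [e for e in new_e if e not in old_e],
        "entries_removed": [e for e in old_e if e not in new_e],
        "processes_started": sorted((new_p - old_p).elements()),
        "processes_stopped": sorted((old_p - new_p).elements()),
    }

# Abridged from the two logs in this thread; most unchanged lines are omitted.
OLD_LOG = r"""Scan saved at 4:02:53 PM, on 7/16/2005
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
"""

NEW_LOG = r"""Scan saved at 5:51:09 PM, on 7/16/2005
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
"""

if __name__ == "__main__":
    for key, items in diff_hjt(OLD_LOG, NEW_LOG).items():
        print(key, items)
```

A diff like this only shows what changed between scans; whether a new or missing line matters still needs the reviewer's judgement.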

#15
Rawe

Hi again.

Could you please try this.. Download & install this;
http://www.microsoft...&displaylang=en

Once installed, reboot and see if it helps in any of your issues. Post back & tell how it went. ;)

- Rawe :tazz: