
Monitor covered with Bloodhound/Bargain Buddy sign [RESOLVED]



#16
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Hi again!
Please print these instructions out, or write them down, as you can't read them during the fix. Be sure to ask any questions before proceeding with the fix!

I really want to see what Trend Micro's anti-spyware scan can do.

Please update Ewido Security Suite & SpySweeper.

Download & install Spybot S&D

Note: DO NOT use TeaTimer when it asks you to. It might interfere with the fixes.

Launch SpyBot when installed -> Click "Settings" -> Then Settings -> Display available Beta versions (check the option) -> Go back and click on "Search For Updates" -> Check every update and hit "Download Updates" -> Once updated, go back to Settings -> "Ignore Products" -> Right-click with mouse somewhere on the screen and hit "Deselect all". Now go to -> "Immunize" -> Click Immunize.
Exit SpyBot, don't do a scan yet.

Then update your Ad-aware to the latest definitions.

Now;

Please download Trend Micro™ Anti-Spyware for the Web Utility (by clicking the "Scan and Clean your PC" button).
  • Save it to your desktop.
  • Double-click the new icon on your desktop (tmas-web-scan.exe)
  • It will say "Loading TrendMicro definitions".
  • Once the definitions are loaded, the program will appear to close then re-open.
  • Click "Start Scan"
  • After it's done scanning, click "Scan Results"
  • Make sure all items found have a check next to them, then click "Clean Threats Now".
  • Click Exit.
Reboot. In place of the TrendMicro icon will be a text file called "Antispyware.log", please double-click that log and copy the entire contents and paste them in your next reply.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Run a Full Scan in Ewido Security Suite. Let it fix anything it finds - save the log.
Let SpySweeper scan and clean anything it finds - save the log.
Run SpyBot S&D and do the following -> Click Settings -> Ignore Products -> Deselect all. Go back -> Check for problems -> Check every object found with RED color for removal -> Hit "Fix Selected Problems".
Then go to menu named Recovery -> Check everything -> Purge selected items. Exit SpyBot.
Run Ad-aware with a Full Scan and let it remove anything it finds!

Run CleanUp!
and reboot. Boot up into normal mode, post a fresh HiJackThis log here along with the SpySweeper, Ewido & TrendMicro logs.

- Rawe :tazz:

#17
boilmakrjs
    Member
  • Topic Starter
  • Member
  • 24 posts
I still am unable to get the updated versions from these programs because they don't seem to like to connect to the servers. The program will say "retrieving updates" or something along those lines, and then it'll just sit there forever. Besides that hurdle, this is what I have come up with from the scans:

Trendmicro:
Started Scanning
Internet Cookies
Found 'com.com' in 'Internet Explorer Cache'
Found 'atwola.com' in 'Internet Explorer Cache'
Programs in Memory
Windows Registry
Found '' in 'Software\Kazaa'
Found '' in 'Software\Kazaa\ResultsFilter'
Found '' in 'Software\Kazaa\Transfer'
Found '' in 'Software\KaZaA\CloudLoad'
Found '' in 'Software\KaZaA\ConnectionInfo'
Found '' in 'Software\KaZaA\LocalContent'
Found '' in 'SOFTWARE\Classes\ed2k'
Found '' in 'SOFTWARE\Classes\ed2k\DefaultIcon'
Found '' in 'SOFTWARE\Classes\ed2k\shell\open\command'
Found '' in 'Software\Kazaa'
Found '' in 'Software\Kazaa\Advanced'
Found '' in 'Software\Kazaa\InstantMessaging'
Found '' in 'Software\Kazaa\LocalContent'
Found '' in 'Software\Kazaa\Skins'
Found '' in 'Software\Kazaa\UserDetails'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found '' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found '' in 'SOFTWARE\Magnet'
Found '' in 'SOFTWARE\Classes\magnet'
Found '' in 'SOFTWARE\Classes\magnet\shell\open\command'
Found 'URL Protocol' in 'SOFTWARE\Classes\magnet'
Found 'LastSearchHash' in 'Software\Kazaa'
Found 'ScanFolder' in 'Software\Kazaa\Advanced'
Found 'IgnoreAll' in 'Software\Kazaa\InstantMessaging'
Found '' in 'Software\Kazaa\Search'
Found 'adult_filter_level' in 'Software\Kazaa\ResultsFilter'
Found 'b' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found 'b0' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b0' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'b0seconds' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b0seconds' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'b1' in 'SOFTWARE\Kazaa\Bandwidth\in'
Found 'b1' in 'SOFTWARE\Kazaa\Bandwidth\out'
Found 'CacheDiscoveryTime' in 'Software\Kazaa\Transfer'
Found 'CacheHost' in 'Software\Kazaa\Transfer'
Found 'CachePort' in 'Software\Kazaa\Transfer'
Found 'CountryCode' in 'Software\Kazaa\UserDetails'
Found 'DatabaseDir' in 'SOFTWARE\Kazaa\LocalContent'
Found 'DlDir0' in 'Software\Kazaa\Transfer'
Found 'DownloadDir' in 'SOFTWARE\Kazaa\LocalContent'
Found 'AutoConnected' in 'Software\Kazaa\UserDetails'
Found 'firewall_filter' in 'Software\Kazaa\ResultsFilter'
Found 'SkinsDir' in 'Software\Kazaa\Skins'
Found 'NoUploadLimitWhenIdle' in 'Software\Kazaa\Transfer'
Found 'UserName' in 'Software\Kazaa\UserDetails'
Found 'ListenPort' in 'SOFTWARE\Kazaa'
Found 'network_config' in 'SOFTWARE\Kazaa'
Found 'UDP_probe_successes' in 'SOFTWARE\Kazaa'
Found 'time' in 'SOFTWARE\Kazaa\Bandwidth\LastEstimate'
Found 'KazaaNet' in 'SOFTWARE\Kazaa\ConnectionInfo'
Found '' in 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1'
Found '' in 'SOFTWARE\MyWay'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinMX'
Found '' in 'SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
Internet URL Shortcuts
Files and Directories
Found 'winmx331.exe' in 'C:\Documents and Settings\James Schmelzer\Desktop\Unused Desktop Shortcuts'
Found '' in 'C:\Documents and Settings\James Schmelzer\Start Menu\Programs\WinMX'
Found '' in 'C:\Program Files\WinMX'
Found 'errcatch.exe' in 'C:\Program Files\WinMX'
Found 'uninstall.exe' in 'C:\Program Files\WinMX'
Found 'WinMX.exe' in 'C:\Program Files\WinMX'
Found 'Date.ico' in 'C:\WINDOWS\SYSTEM32'
Found 'network.ico' in 'C:\WINDOWS\SYSTEM32'
Found 'pharm.ico' in 'C:\WINDOWS\SYSTEM32'
Finished Scanning
Started Backup
Finished Backup
Started Cleaning
Checking for 'C:\Documents and Settings\James Schmelzer\Desktop\Unused Desktop Shortcuts\winmx331.exe' in shortcut areas.
Checking for 'C:\Documents and Settings\James Schmelzer\Desktop\Unused Desktop Shortcuts\winmx331.exe' in startup areas.
Cleaning 'C:\Documents and Settings\James Schmelzer\Desktop\Unused Desktop Shortcuts\winmx331.exe'
Checking for 'C:\Documents and Settings\James Schmelzer\Start Menu\Programs\WinMX' in shortcut areas.
Checking for 'C:\Documents and Settings\James Schmelzer\Start Menu\Programs\WinMX' in startup areas.
Cleaning 'C:\Documents and Settings\James Schmelzer\Start Menu\Programs\WinMX'
Checking for 'C:\Documents and Settings\James Schmelzer\Start Menu\Programs\WinMX\WinMX.lnk' in shortcut areas.
Checking for 'C:\Documents and Settings\James Schmelzer\Start Menu\Programs\WinMX\WinMX.lnk' in startup areas.
Cleaning 'C:\Documents and Settings\James Schmelzer\Start Menu\Programs\WinMX\WinMX.lnk'
Checking for 'C:\Program Files\WinMX' in shortcut areas.
Checking for 'C:\Program Files\WinMX' in startup areas.
Cleaning 'C:\Program Files\WinMX'
Checking for 'C:\Program Files\WinMX\colors.dat' in shortcut areas.
Checking for 'C:\Program Files\WinMX\colors.dat' in startup areas.
Cleaning 'C:\Program Files\WinMX\colors.dat'
Checking for 'C:\Program Files\WinMX\contacts.dat' in shortcut areas.
Checking for 'C:\Program Files\WinMX\contacts.dat' in startup areas.
Cleaning 'C:\Program Files\WinMX\contacts.dat'
Checking for 'C:\Program Files\WinMX\errcatch.exe' in shortcut areas.
Checking for 'C:\Program Files\WinMX\errcatch.exe' in startup areas.
Cleaning 'C:\Program Files\WinMX\errcatch.exe'
Checking for 'C:\Program Files\WinMX\library.dat' in shortcut areas.
Checking for 'C:\Program Files\WinMX\library.dat' in startup areas.
Cleaning 'C:\Program Files\WinMX\library.dat'
Checking for 'C:\Program Files\WinMX\license.txt' in shortcut areas.
Checking for 'C:\Program Files\WinMX\license.txt' in startup areas.
Cleaning 'C:\Program Files\WinMX\license.txt'
Checking for 'C:\Program Files\WinMX\settings.dat' in shortcut areas.
Checking for 'C:\Program Files\WinMX\settings.dat' in startup areas.
Cleaning 'C:\Program Files\WinMX\settings.dat'
Checking for 'C:\Program Files\WinMX\uninstall.exe' in shortcut areas.
Checking for 'C:\Program Files\WinMX\uninstall.exe' in startup areas.
Cleaning 'C:\Program Files\WinMX\uninstall.exe'
Checking for 'C:\Program Files\WinMX\WinMX.exe' in shortcut areas.
Found 'WinMX.lnk' in 'C:\Documents and Settings\James Schmelzer\Start Menu\Programs\WinMX\'
Found 'WinMX.lnk' in 'C:\Documents and Settings\James Schmelzer\Desktop\'
[SCANMODS] The file 'C:\Documents and Settings\James Schmelzer\Start Menu\Programs\WinMX\WinMX.lnk' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\WinMX\WinMX.exe' in startup areas.
Cleaning 'C:\Program Files\WinMX\WinMX.exe'
Checking for 'C:\Program Files\WinMX\wpnpchannelcmds.txt' in shortcut areas.
Checking for 'C:\Program Files\WinMX\wpnpchannelcmds.txt' in startup areas.
Cleaning 'C:\Program Files\WinMX\wpnpchannelcmds.txt'
Checking for 'C:\Program Files\WinMX\errcatch.exe' in shortcut areas.
Checking for 'C:\Program Files\WinMX\errcatch.exe' in startup areas.
Cleaning 'C:\Program Files\WinMX\errcatch.exe'
[SCANMODS] The file 'C:\Program Files\WinMX\errcatch.exe' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\WinMX\uninstall.exe' in shortcut areas.
Checking for 'C:\Program Files\WinMX\uninstall.exe' in startup areas.
Cleaning 'C:\Program Files\WinMX\uninstall.exe'
[SCANMODS] The file 'C:\Program Files\WinMX\uninstall.exe' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\WinMX\WinMX.exe' in shortcut areas.
Found 'WinMX.lnk' in 'C:\Documents and Settings\James Schmelzer\Start Menu\Programs\WinMX\'
Found 'WinMX.lnk' in 'C:\Documents and Settings\James Schmelzer\Desktop\'
[SCANMODS] The file 'C:\Documents and Settings\James Schmelzer\Start Menu\Programs\WinMX\WinMX.lnk' was not found. Most likely already cleaned by another scanner module.
[SCANMODS] The file 'C:\Documents and Settings\James Schmelzer\Desktop\WinMX.lnk' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\Program Files\WinMX\WinMX.exe' in startup areas.
Cleaning 'C:\Program Files\WinMX\WinMX.exe'
[SCANMODS] The file 'C:\Program Files\WinMX\WinMX.exe' was not found. Most likely already cleaned by another scanner module.
Checking for 'C:\WINDOWS\SYSTEM32\Date.ico' in shortcut areas.
Checking for 'C:\WINDOWS\SYSTEM32\Date.ico' in startup areas.
Cleaning 'C:\WINDOWS\SYSTEM32\Date.ico'
Checking for 'C:\WINDOWS\SYSTEM32\network.ico' in shortcut areas.
Checking for 'C:\WINDOWS\SYSTEM32\network.ico' in startup areas.
Cleaning 'C:\WINDOWS\SYSTEM32\network.ico'
Checking for 'C:\WINDOWS\SYSTEM32\pharm.ico' in shortcut areas.
Checking for 'C:\WINDOWS\SYSTEM32\pharm.ico' in startup areas.
Cleaning 'C:\WINDOWS\SYSTEM32\pharm.ico'
Finished Cleaning

Spysweeper:
********
6:32 PM: |••• Start of Session, Friday, July 29, 2005 •••|
6:32 PM: Spy Sweeper started
6:32 PM: Sweep initiated using definitions version 492
6:32 PM: Starting Memory Sweep
6:32 PM: Memory Sweep Complete, Elapsed Time: 00:00:27
6:32 PM: Starting Registry Sweep
6:32 PM: Registry Sweep Complete, Elapsed Time:00:00:07
6:32 PM: Starting Cookie Sweep
6:32 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
6:32 PM: Starting File Sweep
6:35 PM: File Sweep Complete, Elapsed Time: 00:03:02
6:35 PM: Full Sweep has completed. Elapsed time 00:03:43
6:35 PM: Traces Found: 0

Ewido:
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:31:35 PM, 7/29/2005
+ Report-Checksum: B8B09C5D

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup


::Report End

#18
boilmakrjs
    Member
  • Topic Starter
  • Member
  • 24 posts
YESSS...I am finally able to update the definitions on my computer. The computer that holds that main connection in our house "crashed", but it is fixed and now I am able to update. I will re-run everything and re-post all the new results a.s.a.p.

And also, although the computer only found one virus while in safe mode... Ad-aware (after the updates) found about 100 objects and Spybot found 53, 45 of those being SmitFraud and not fixable by Spybot.

:tazz:

Edited by boilmakrjs, 29 July 2005 - 08:05 PM.


#19
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Once you have updated all the programs, just let them handle what they can with the same settings as earlier :tazz:

It will clear up most of the junk.

- Rawe ;)

#20
boilmakrjs
    Member
  • Topic Starter
  • Member
  • 24 posts
I just finished re-doing everything and nothing has changed... well, Spybot only found 41 instances of SmitFraud, but that is the only change. Here is the current HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:48:48 AM, on 7/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Hardware\Mouse\Amoumain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\UltraMon\UltraMon.exe
C:\Documents and Settings\James Schmelzer\Desktop\security suite\ewidoctrl.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\UltraMon\UltraMonTaskbar.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\James Schmelzer\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://finance.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\Hardware\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [UltraMon] "C:\Program Files\UltraMon\UltraMon.exe" /auto
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O16 - DPF: {62360003-D8A7-418B-9DC6-2B9DE95273A0} (MS Investor Ticker) - http://fdl.msn.com/p...0502/ticker.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093622573888
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installen...gine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors...ocx/plotwon.ocx
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,15/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\James Schmelzer\Local Settings\Temporary Internet Files\Content.IE5\8DYVC1M7\cwshredder[1].exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\James Schmelzer\Desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\James Schmelzer\Desktop\security suite\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
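A triage pass over a HijackThis log of the kind posted above, as an added example that is not part of this thread or of HijackThis itself. It parses the O4 (autostart), O16 (ActiveX download) and O23 (service) lines and flags what a helper checks first: service binaries that are missing, autostarts or services running from a user profile or temp folder, and O16 entries with no download URL. The heuristics are assumptions made for this example; the sample lines are copied from the log in this thread.

```python
"""Triage pass over a HijackThis v1.99 log: an added example, not part of this
thread or of HijackThis. It parses the O4 (autostart), O16 (ActiveX download)
and O23 (service) lines and flags what a helper checks first: service binaries
that are missing, autostarts/services running from a user profile or temp
folder, and O16 entries with no download URL. The heuristics are assumptions
made for this example; the sample lines are copied from the log in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed subset of the posted log (lines copied verbatim).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:48:48 AM, on 7/30/2005
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} -
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) -
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\James Schmelzer\Local Settings\Temporary Internet Files\Content.IE5\8DYVC1M7\cwshredder[1].exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\James Schmelzer\Desktop\security suite\ewidoctrl.exe
"""


@dataclass
class Entry:
    section: str  # "O4", "O16" or "O23"
    name: str     # value name, shortcut, CLSID/description or service name
    target: str   # program path or download URL ("" when absent)
    raw: str      # the original log line


O4_RUN = re.compile(r"^O4 - .+?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.*)$")
O16 = re.compile(r"^O16 - DPF: (?P<name>.+?) -(?: (?P<url>\S.*))?$")
O23_PREFIX = "O23 - Service: "

# Path fragments meaning "lives somewhere the user (or malware) can write".
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\",
                 "\\temporary internet files\\")


def exe_path(cmd: str) -> str:
    """Best-effort program path from a Run-key command line (args dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    i = cmd.lower().find(".exe")  # unquoted paths may contain spaces
    return cmd[: i + 4] if i >= 0 else cmd.split(" ", 1)[0]


def parse_log(text: str) -> List[Entry]:
    """Turn the O4/O16/O23 lines of a HijackThis log into Entry records."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.rstrip()
        if m := O4_RUN.match(line):
            entries.append(Entry("O4", m["name"], exe_path(m["cmd"]), line))
        elif m := O4_STARTUP.match(line):
            entries.append(Entry("O4", m["name"], exe_path(m["cmd"]), line))
        elif m := O16.match(line):
            entries.append(Entry("O16", m["name"], m["url"] or "", line))
        elif line.startswith(O23_PREFIX):
            parts = line[len(O23_PREFIX):].split(" - ", 2)  # name, owner, path
            if len(parts) == 3:
                path = parts[2].replace(" (file missing)", "")
                entries.append(Entry("O23", parts[0], path, line))
    return entries


def flags_for(e: Entry) -> List[str]:
    """Reasons a helper would look twice at this entry (empty = nothing odd)."""
    reasons = []
    if e.section == "O23" and "(file missing)" in e.raw:
        reasons.append("service binary missing")
    if e.section == "O16" and not e.target:
        reasons.append("ActiveX download entry with no URL")
    if e.section in ("O4", "O23") and any(
            frag in e.target.lower() for frag in USER_WRITABLE):
        reasons.append("runs from a user-writable location")
    return reasons


def triage(text: str) -> List[Tuple[Entry, List[str]]]:
    """All flagged entries of a log, each with its list of reasons."""
    return [(e, r) for e in parse_log(text) if (r := flags_for(e))]


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG):
        print(f"{entry.section} {entry.name}: {'; '.join(reasons)}")
```

A flag is a prompt to look closer, not a verdict: the ewido entries flagged here are the legitimate scanner the helper asked for, unpacked to the Desktop.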

#21
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe. Also please empty out your Norton's quarantine first.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

DON'T put a check next to registry.

**NOTE** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.

- Rawe :tazz:

#22
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Do you use Kazaa?
I noticed it from your Trend Micro log, and it really isn't recommended. It comes bundled with malware and is likely one of the reasons you have this infection.

Can you please uninstall it for now from the Add/Remove programs, also make sure to delete the folder.

Empty recycle bin out.

I'll give ya a source of info for clean/infected P2P file sharing programs once we get you clean.

- Rawe :tazz:

#23
boilmakrjs
    Member
  • Topic Starter
  • Member
  • 24 posts
Yeah, I had it from back in the day, but since I hardly used it I put it in my unused desktop icons folder and kinda forgot about it.

I also attached the log from the MWav scan, I believe we now have only 640 infected files, and 170 viruses detected. 1 down 170 more to go :tazz:


#24
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Ok..
Can you do this as a next step.
Completely clear out Norton's quarantine. Then;

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot.

After reboot, go back into the Control Panel and double-click the Java icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Downloaded Applets
2. Downloaded Applications
3. Other Files

4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel.

Completely uninstall Kazaa if you didn't do it yet.

If you still have SpySweeper, let it update and run the scan - YET AGAIN.
Let it remove anything it finds but don't post the log.

Completely delete this file if present; C:\WINDOWS\GatorPatch.log

Run CleanUp!
and reboot again.

Please do an online scan with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start to scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
- Rawe :tazz:

#25
boilmakrjs
    Member
  • Topic Starter
  • Member
  • 24 posts
When I go to the control panel there is no Java icon. I actually had to download Java WebStart this summer for an investing program. Should I try to use that instead?

#26
Rawe
    Visiting Staff
  • Member
  • 4,746 posts
Ok, just forget that step. Delete the file, run CleanUp!,
run SpySweeper and the online scan. Post the results.

#27
boilmakrjs
    Member
  • Topic Starter
  • Member
  • 24 posts
Here are the results of the scan:
-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Saturday, July 30, 2005 16:02:04
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 30/07/2005
Kaspersky Anti-Virus database records: 132983
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 35159
Number of viruses found: 23
Number of infected objects: 80
Number of suspicious objects: 0
Duration of the scan process: 1856 sec

Infected Object Name - Virus Name
C:\Program Files\Norton AntiVirus\Quarantine\198F6BEA Infected: Email-Worm.Win32.Mydoom.a
C:\Program Files\Norton AntiVirus\Quarantine\1CD2040F Infected: Email-Worm.Win32.Mydoom.a
C:\Program Files\Norton AntiVirus\Quarantine\1F7C0786 Infected: Trojan-Downloader.Win32.Small.gr
C:\Program Files\Norton AntiVirus\Quarantine\2CC643A1/doc.scr Infected: Email-Worm.Win32.Mydoom.a
C:\Program Files\Norton AntiVirus\Quarantine\2CC643A1 Infected: Email-Worm.Win32.Mydoom.a
C:\Program Files\Norton AntiVirus\Quarantine\379672A3.EXE Infected: Trojan.Win32.SecondThought.a
C:\Program Files\Norton AntiVirus\Quarantine\4E6271E5.exe Infected: Trojan.Win32.SecondThought.a
C:\Program Files\Norton AntiVirus\Quarantine\4E6845DE.exe Infected: Trojan.Win32.SecondThought.a
C:\Program Files\Norton AntiVirus\Quarantine\4E6C6FDB.exe Infected: Trojan.Win32.SecondThought.a
C:\Program Files\Norton AntiVirus\Quarantine\4E6F19D7.exe Infected: Trojan.Win32.SecondThought.a

Scan process completed.

I noticed that these are all "quarantined" files from Norton, but when I open up Norton it says that there are no quarantined items...am I supposed to be going directly into program files and deleting them from there?

#28
Rawe

    Visiting Staff

  • Member
  • 4,746 posts
Yes please, boot up into Safe Mode,
go here; C:\Program Files\Norton AntiVirus\Quarantine\

Delete all of its content. Run CleanUp!
and reboot into normal mode. Take a new Kaspersky scan and let me know how it's running now.

- Rawe :tazz:
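The point of this exchange is that every Kaspersky hit sat inside Norton's own quarantine folder, so they were already-isolated copies rather than running malware, and emptying that folder (as advised above) is the whole fix. The helper below is an added example, not code from the thread or from either scanner: it parses lines in the Kaspersky online-scanner format ("<path> Infected: <detection>"), separates hits under the two Norton quarantine directories named in the scan log from hits anywhere else, and counts detection categories. The two quarantine paths are taken from the thread; the `C:\WINDOWS\system32\example_live.dll` line is a constructed, hypothetical live-file hit.

```python
import re
from collections import Counter

# One Kaspersky online-scanner result line: "<path> Infected: <detection>".
# A hit inside an archive is written "<archive>.zip/<member>".
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)\s*$")

# Hits under these directories are copies another product already isolated,
# not running malware; the remediation is to empty the folder, not to chase them.
# Both are the Norton quarantine locations named in this thread.
QUARANTINE_DIRS = (
    r"C:\Program Files\Norton AntiVirus\Quarantine",
    r"C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine",
)

def parse_hits(log_text):
    """Return (path, detection) pairs; non-hit lines such as the footer are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits

def in_quarantine(path):
    """True if the on-disk file (archive-member suffix removed) lies in a quarantine dir."""
    disk_path = path.split("/", 1)[0].lower()
    return any(disk_path.startswith(q.lower() + "\\") for q in QUARANTINE_DIRS)

def triage(log_text):
    """Separate already-quarantined hits from live ones and count detection categories."""
    quarantined, live = [], []
    for path, name in parse_hits(log_text):
        (quarantined if in_quarantine(path) else live).append((path, name))
    categories = Counter(name.split(".", 1)[0] for _, name in quarantined + live)
    return {"quarantined": quarantined, "live": live, "categories": categories}

# Constructed sample: two lines in the format of the thread's log plus one
# hypothetical live-file hit (example_live.dll is not a real detection).
SAMPLE_LOG = r"""
C:\Program Files\Norton AntiVirus\Quarantine\4F0C5212.exe Infected: Trojan.Win32.SecondThought.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\06747E04.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\WINDOWS\system32\example_live.dll Infected: Trojan-Downloader.Win32.IstBar.gk
Scan process completed.
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['quarantined'])} already quarantined, {len(result['live'])} live")
```

Only the "live" list needs follow-up; a non-empty one means the infection is not confined to another product's quarantine.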

#29
boilmakrjs

    Member

  • Topic Starter
  • Member
  • 24 posts
Good news, after deleting those files Kaspersky came out clean and my computer is running like it normally should. The only problems I have right now are that my Outlook won't connect to the Internet and also my screen (fonts and program displays) are looking like they are from back in the day. I remember in one program we restored everything to their original hosts...is that why? Am I able to get back in Windows XP settings like they were before or am I stuck for now?

Thank you again for all your help, it feels nice to have a computer again :tazz:

#30
Rawe

    Visiting Staff

  • Member
  • 4,746 posts

my screen (fonts and program displays) are looking like they are from back in the day. Am I able to get back in Windows XP settings like they were before or am I stuck for now?


What do you mean by this? Can you clarify a little please. I'm glad to help! ;)

- Rawe :tazz: