Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Aurora is in the house [RESOLVED]


  • This topic is locked This topic is locked

#1
jrhines

jrhines

    New Member

  • Member
  • Pip
  • 4 posts
I have a W2K OS with the ABI adware firmly entrenched. I have gone through the steps 1 to 4 of the "Start Here" post and have attached the first scan of HJT.
Standing tall, awaiting instructions....

J.Rhines
Seneca, MD

Attached Files


  • 0

Advertisements


#2
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi jrhines and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This maybe a few step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

When you post your HiJackThislog can you please copy and paste, instead of attaching.
Thanks. :tazz:

Please print out or copy this page to Notepad . Make sure to work through the steps in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fix.
  • Download DSRFIX from HERE onto your Desktop.
    • Unzip and EXTRACT the files to your Desktop.
    • The program creates and names the new folder to house the files.
    • DO NOT RUN IT YET
  • Download Cleanup from Here (Alternate site if the above is not working Go Here)
    • A window will open and choose SAVE, then DESKTOP as the destination.
    • On your Desktop, click on Cleanup40.exe icon.
    • Then, click RUN and place a checkmark beside "I Agree"
    • Then click NEXT followed by START and OK.
    • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    • Click OK
    • DO NOT RUN IT YET
  • CLOSE INTERNET EXPLORER, if it is open


  • Open the folder dsrfix
    • Double click on the dsrfix batch file( the one with the little gear in it )
    • Once dsrfix has completed it will close on its own
  • Run Cleanup
    • Click on the "Cleanup" button and let it run.
    • Once its done, close the program.
  • REBOOT your system.


  • Please restart HJT and post back a fresh HJT log for review.

  • 0

#3
jrhines

jrhines

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Done, here is the HJT log - enjoy!!

Logfile of HijackThis v1.99.1
Scan saved at 3:25:20 PM, on 8/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
c:\winnt\SvcProc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\USBStorage\USBDetector.exe
C:\Program Files\Common Files\Symantec Shared\Security

Center\UsrPrmpt.exe
C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\HJT\HijackThis.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\system32\ntvdm.exe
C:\Palm\HOTSYNC.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =

Microsoft Internet Explorer provided by Comcast
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no

file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class -

{AE7CD045-E861-484f-8273-0445EE161910} - C:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -

C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio -

{8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus -

{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton

AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -

C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program

Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check]

C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common

Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program

Files\Qurb\QSP-2.1.213.4\QOELoader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt

Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt

Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program

Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [mgydve] c:\winnt\system32\khedffo.exe r
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IECHECK.EXE] C:\WINNT\iecheck.exe
O4 - HKCU\..\Run: [X-IM] C:\Program Files\X-IM\xim.exe /r
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program

Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk =

C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program

Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program

Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program

Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF -

res://C:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

- C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646}

- http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} -

http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} -

http://online.comcast.net/help/ (file missing)
O12 - Plugin for .hlq: C:\Program Files\Internet

Explorer\PLUGINS\nphcd32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine

Advantage Validation Tool) -

http://go.microsoft....k/?linkid=39204
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program

Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision -

C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) -

VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks -

C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks -

C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) -

Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec

Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program

Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec

Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec

Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner -

c:\winnt\SvcProc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe
  • 0

#4
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi jrhines,

Right click on the Microsoft/Giant AntiSpyware icon (looks like a target) and click on Security Agents Status (Enabled) and click on Disable Real-time Protection. To re enable it after the fix, you follow the same steps but click on Enable Real-time Protection.

Are you familiar, or have you installed this program?:O4 - HKCU\..\Run: [X-IM] C:\Program Files\X-IM\xim.exe /r


DOWNLOAD PROGRAMS


Please update your Ewido if you haven't already done so. Thanks :tazz:

Please download Nailfix from Here
please do NOT run it yet.


THE FIX


Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Go to Start->Run and type in services.msc and hit OK. Then look for System Startup Service (SvcProc) and double click on it. Click on the Stop button and under Startup type, choose Disabled. (if present)

5. Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click “Kill process” for each one (If they still exist)

C:\WINNT\Nail.exe

6. Once in Safe Mode, please double-click on
Nailfix.exe on your desktop. Click next, then finished. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

7. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan when it ask if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

8. Close all browsers, windows and unneeded programs.

9. Open HiJack and do a scan.

10. Put a Check next to the following items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (nofile)
O4 - HKLM\..\Run: [mgydve] c:\winnt\system32\khedffo.exe r
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe


11. click the Fix Checked box

12. Run the program CleanUp!

13. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

14. Please post an Active scan log , Ewido Scan log and a fresh HiJackThis log. Let me know how your computer is running.
  • 0

#5
jrhines

jrhines

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Done - The last item on the HJT list
023 - Service: System Startup Service.......C:\winnt\SvcProc.exe
was not in the HJT scan. All the others were and were "Fixed".

Logs follow - No Active Scan, they want too much info and to down load their own material, emails, news, etc., etc.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:07:07 PM, 8/1/2005
+ Report-Checksum: 147442BD

+ Scan result:

:mozilla.20:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Administrator\Application Data\Phoenix\Profiles\default\olfhof6a.slt\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\2DDBFBE6-4EC0-45B7-8A71-D9F49D\C391AC63-A161-43C6-BFA9-3EC23F -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\31C0D6FE-805D-4146-A23F-8799E0\3D2ADAC5-B4AC-4572-8E69-9AD2CE -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9C3C7DE3-8342-40E9-B5ED-D16A42\95B92480-D5AD-4081-B166-E1ED79 -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\BDECA96C-7031-4EF4-8249-58534C\63B50AE5-1726-4B73-91DF-6EF8A4 -> Spyware.Cookie.Onestat : Cleaned with backup
C:\RECYCLER\NPROTECT\00001694.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00001893.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00001904.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00002700.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00002703.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00002879.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00003315.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00003317.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00003373.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00003377.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00003400 -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00003401 -> Spyware.Cookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00003402 -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\00003403 -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\RECYCLER\NPROTECT\00003404 -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\RECYCLER\NPROTECT\00003405 -> Spyware.Cookie.Spylog : Cleaned with backup
C:\RECYCLER\NPROTECT\00003406 -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\NPROTECT\00003407 -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00003408 -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\NPROTECT\00003409 -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\NPROTECT\00003410 -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\NPROTECT\00003411 -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\RECYCLER\NPROTECT\00003412 -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\RECYCLER\NPROTECT\00003413 -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\RECYCLER\NPROTECT\00003414 -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00003415 -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\RECYCLER\NPROTECT\00003416 -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\RECYCLER\NPROTECT\00003417 -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\NPROTECT\00003418 -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\NPROTECT\00003419 -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\RECYCLER\NPROTECT\00003420 -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\NPROTECT\00003421 -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00003422 -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00003423 -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00003424 -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\00003425 -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00003426 -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\NPROTECT\00003427 -> Spyware.Cookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\00003428 -> Spyware.Cookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\00003429 -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\RECYCLER\NPROTECT\00003430 -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\NPROTECT\00003431 -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\RECYCLER\NPROTECT\00003432 -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00003433 -> Spyware.Cookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\00003434.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\RECYCLER\NPROTECT\00003435.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00003448.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00003449.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00003450.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00003451.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\cklgeb.exe -> Adware.BetterInternet : Cleaned with backup
E:\RECYCLER\NPROTECT\00000004.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
E:\RECYCLER\NPROTECT\00000005.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
E:\RECYCLER\NPROTECT\00000006.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
E:\RECYCLER\NPROTECT\00000007.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
E:\RECYCLER\NPROTECT\00000008.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup
E:\RECYCLER\NPROTECT\00000009.TXT -> Spyware.Cookie.Webtrendslive : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 6:54:00 PM, on 8/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\USBStorage\USBDetector.exe
C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\DvzCommon\DvzMsgr.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINNT\system32\ntvdm.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Mozilla\MozillaFirebird\MozillaFirebird.exe
C:\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [USBDetector] C:\USBStorage\USBDetector.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\Qurb\QSP-2.1.213.4\QOELoader.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [IECHECK.EXE] C:\WINNT\iecheck.exe
O4 - HKCU\..\Run: [X-IM] C:\Program Files\X-IM\xim.exe /r
O4 - Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O12 - Plugin for .hlq: C:\Program Files\Internet Explorer\PLUGINS\nphcd32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


=============================

So far all is well, let me run this puppy for a bit and I'll be back, as always, standing by for instructions.

Best regards,

John Rhines
Seneca, MD
  • 0

#6
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi John,

Everything looks really good! I hope you reconsider using activescan, it is a perfectly legit online scanner that I use all the time. Its very good at picking up the left overs that malware leaves behind. If i remember correctly, the only thing they wanted was an email address and country you live in. But thats up to you.

If you chose not to run Activescan:

Great job, it appears your computer is clean :tazz:

Ensure you rehide your “hidden files and folders” back to the way they were.

Might I suggest the following Free Spyware programs, if you don't already have them, for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, This site is a great source for tightening up security on It's settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read How I got Infected
  • 0

#7
jrhines

jrhines

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
First and foremost many thanks for all the help and assistence. You are fast and to the point and the results are all and more than anyone can expect. I am a small business owner, a gunsmith, and my card motto is "Expensive, but right!". You folks are what client service is all about.
The program Xim is a secure instant messaging app.
My network has a hardware firewall, Norton Virus and Counter Spy malware up and running, along with 4 Windows machines. I had noted when this began that the e-mail scan in Norton was disabled. When and how I'm not sure.
My son is an IT pro for a small company in Wash D.C. and has been dogging us to move over to the Mozilla suite; looks like this old dog is going to learn a new trick.
Again, thank you so much for a job done right.

Best regards,
John Rhines
Seneca, MD
  • 0

#8
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
John,

Glad to hear you will be going over to Mozilla ;)

Thanks and glad I could help.

:tazz:

Excal
  • 0

#9
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP