Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

fake Windows Security Center issues [RESOLVED]


  • This topic is locked This topic is locked

#1
[O]siris

[O]siris

    New Member

  • Member
  • Pip
  • 5 posts
Hey guys

I've been having problems for a while with two different pop-ups posing as windows security center warnings, and they never sem to go away.

I've read a few topics here dealing with the same thing to try and deal with this, but it keeps coming back so I figured I'd just post my own specific problem and hopefully you can help me out.

Okay, problem 1...

Every ten minutes or so, I get this error message pop-up (complete with sound FX) that says:

"WARNING: Windows Firewall detected suspicious network activiy on your computer. Malicious software codes try to steal your privacy information, such as credit card numbers, electronic mail accounts, financial data or passwords.

Do you want to learn how to protect your computer?"

complete with a 'yes' or 'no' button, which if you click 'yes' it *surprise* goes to a convenient site to get some spyware protection.

It's pretty obvious it's fake, but I just can't get rid of it.

The other problem...

Every fifteen minutes or so, a yellow WSC ballon pops up in the task bar that reads exactly:

"Your Computer Might be at risk

*Your virus protection status is bad
*Spyware Activity Detected

Click this baloon to fix this problem."

Hmmm.... Guess it's too much trouble to run spell check these days...

Anyways, can't get rid of this one either.

I never click on these, so it's more a matter of annoyance than anything.

Things I've done...

I have both Adaware and Spybot S&D and run both pretty frequently.

I have Norton Anti-Virus, which doesn't help much.

A suggestion to another person with a similar problem by someone on here, I downloaded Ewido Security suite and have run it more than a few times.

I've even done a few online virus scans, most recently of which was the Panda Active scan.

I also have a hijackthis log which I'll post in a sec.

Also, if its relevant, I have both Kazaa Lite and Limewire, could be a problem?

Anyways, thanks for your help in advance.

Here is my hijackthis log:
Attached File  hijackthis1.txt   5.99KB   152 downloads

Thanks again!
  • 0

Advertisements


#2
Guest_thatman_*

Guest_thatman_*
  • Guest
Please don't post any attachments unless you are asked to do so.

Logfile of HijackThis v1.99.1
Scan saved at 9:40:25 PM, on 8/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra 'Tools' menuitem: &Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{580FB66B-AF5F-47F4-A684-7BD861F4A1A7}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7EB880F-270B-4CA2-BB1E-F7872548A663}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECBD6FC7-C09A-4171-B61F-4A7B11B388A8}: NameServer = 69.50.176.157,85.255.112.6
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#3
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi [O]siris

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware se.
Click Here on how setup and use it - please make sure you update it first. Don't run yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Download Ewido Trojan’s and malware remover http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-udate. Don't run yet

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an check in the boxes, only next to these following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O1 - Hosts: localhost 127.0.0.1

Click on Fix Checked when finished and exit HijackThis.

Run Ad-aware se let it remove all it finds

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Please download, install and run this disk cleanup utility called Cleanup version 4.0!: http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage: http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.When the scan has finnished click the close button
When prompted the system will log off to let it clean out the remaining files. when the log screen shows log back on and continue the fix.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the log From Panda virus scan. We will need them to remove previous infections that have left files on your system.

Run HijackThis and post the new log.

Kc :tazz:
  • 0

#4
[O]siris

[O]siris

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hey man, thanks for the help.

Alright....

Here is my Panda ActiveScan log:


Incident                      Status                        Location                                                                                                                                                                                                                                                       

Adware:adware/quicksearch    No disinfected                C:\PROGRAM FILES\QuickSearch                                                                                                                                                                                                                                   
Adware:adware/cws            No disinfected                C:\DOCUMENTS AND SETTINGS\OSIRIS\FAVORITES\Fun & Games                                                                                                                                                                                                         
Adware:adware/savenow        No disinfected                Windows Registry                                                                                                                                                                                                                                               
Possible Virus.              No disinfected                C:\Program Files\RivaTuner\Tools\expand\expand.exe                                                                                                                                                                                                             
Possible Virus.              No disinfected                C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe                                                                                                                                                                                       
Adware:Adware/InstaFinder    No disinfected                C:\WINDOWS\system32\InstaFinder_inst245.exe                                                                                                                                                                                                                   
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\system32\xmltok.dll
                                                                                                                                                                                                                               


And here is my new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:48:11 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ResChanger2004] C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra 'Tools' menuitem: &Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.c.../npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{580FB66B-AF5F-47F4-A684-7BD861F4A1A7}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7EB880F-270B-4CA2-BB1E-F7872548A663}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECBD6FC7-C09A-4171-B61F-4A7B11B388A8}: NameServer = 69.50.176.157,85.255.112.6
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


By the way, these haven't been popping up since I started these intructions, but I would like to make sure it stays that way. Following instructions people have given to other posters, I got rid of them (I thought) for a day or two or so, but they came back, so if we can get rid of them for good, by all means, put me to work.

Anyways, thank you again for your help. I didn't realize this place gets like 300 new posts like every hour or so, so thanks for taking the time.

...Too bad they don't have a beer emoticon. (;

Edited by [O]siris, 11 August 2005 - 12:04 AM.

  • 0

#5
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi [O]siris

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download and install AD-Aware se.
Click Here on how setup and use it - please make sure you update it first. Don't run yet.

Download Pocket Killbox and unzip it; save it to your Desktop. We may need it later.

Download Ewido Trojan’s and malware remover http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-udate. Don't run yet

Reboot into Safe Mode: please see here if you are not sure how to do this.

Run Ewido full scan. Save the scan.log.

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Run Ad-aware se let it remove all it finds

Use windows explorer delete the following folders
C:\PROGRAM FILES\QuickSearch<--Delete this folder
C:\DOCUMENTS AND SETTINGS\OSIRIS\FAVORITES\Fun & Games<--Delete this folder

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer (Yes.)
C:\WINDOWS\system32\InstaFinder_inst245.exe
C:\WINDOWS\system32\xmltok.dll


Let the system reboot as normal.

Post the scan log from ewido

Please run the following free, online virus scans.
http://enterprises.p...l_companies.htm
Please post the log From Panda virus scan. We will need them to remove previous infections that have left files on your system.

Run HijackThis and post the new log.

Kc :tazz: ;)
  • 0

#6
[O]siris

[O]siris

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Sorry about taking so long, I've been busy over the weekend and haven't had a chance to catchup on this.

I will post everything tomorrow for you.

Thanks again.

:tazz:
  • 0

#7
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi [O]siris

How are you finnished with this topic.

Kc :tazz:
  • 0

#8
[O]siris

[O]siris

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Yeah, man. Sorry about that. I just got a new job and have been busy getting everything situated with that.

ANyways, here is my hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 9:29:28 PM, on 8/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ResChanger2004] C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra 'Tools' menuitem: &Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{580FB66B-AF5F-47F4-A684-7BD861F4A1A7}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7EB880F-270B-4CA2-BB1E-F7872548A663}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECBD6FC7-C09A-4171-B61F-4A7B11B388A8}: NameServer = 69.50.176.157,85.255.112.6
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

And here is my Ewido log...

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:  	7:05:01 PM, 8/18/2005
 + Report-Checksum:  EFEB7644

 + Scan result:

	:mozilla.47:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
	:mozilla.49:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.50:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
	:mozilla.51:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.52:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.53:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.54:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.55:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.56:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.57:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.58:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.59:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.60:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.61:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.62:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.63:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.64:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.65:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.66:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.67:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.68:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.69:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.70:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.71:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.72:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.73:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.74:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.75:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.76:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.77:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
	:mozilla.78:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.79:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.80:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.81:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.83:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.84:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.85:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.87:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.88:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.89:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.90:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.91:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.92:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.93:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.94:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.95:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.96:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
	:mozilla.99:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
	:mozilla.100:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
	:mozilla.107:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
	:mozilla.115:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
	:mozilla.116:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
	:mozilla.117:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
	:mozilla.118:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
	:mozilla.119:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
	:mozilla.122:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
	:mozilla.123:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
	:mozilla.124:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
	:mozilla.125:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
	:mozilla.126:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
	:mozilla.127:C:\Documents and Settings\Osiris\Application Data\Mozilla\Firefox\Profiles\0ktub8iq.default\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
	:mozilla.8:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
	:mozilla.17:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
	:mozilla.31:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
	:mozilla.32:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
	:mozilla.33:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
	:mozilla.34:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
	:mozilla.35:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
	:mozilla.36:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
	:mozilla.37:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
	:mozilla.38:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
	:mozilla.41:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
	:mozilla.45:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
	:mozilla.46:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
	:mozilla.47:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
	:mozilla.49:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
	:mozilla.50:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
	:mozilla.60:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
	:mozilla.61:C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup


::Report End

I'm in the middle of running the Panda active scan, so I will post ASAP.

I haven't been having problems with these as of late, and I'd like to make sure it stays that way, so anything else I should do to kill this once and for all?

Thanks again for your help and patience! :tazz:
  • 0

#9
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi

Please check you IP address

Delete with HijackThis.
O17 - HKLM\System\CCS\Services\Tcpip\..\{580FB66B-AF5F-47F4-A684-7BD861F4A1A7}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7EB880F-270B-4CA2-BB1E-F7872548A663}: NameServer = 69.50.176.157,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{ECBD6FC7-C09A-4171-B61F-4A7B11B388A8}: NameServer = 69.50.176.157,85.255.112.6

Posts a new HJT.log

69.50.176.157<--Know [bleep] site
Host reachable, 165 ms. average

69.50.160.0 - 69.50.191.255
Atrivo
200 Paul Avenue
San Francisco
CA
94124
United States

Kacperski, Emil
+1-925-550-3947
abuse@atrivo.com

Abuse:
Abuse Department
+1-925-550-3947
abuse@atrivo.com

MAIL.ATRIVO.COM
PAVEL.ATRIVO.COM

ATRIVOTECHNOLOGIES
Created: 2003-06-04
Updated: 2003-08-21
Source: whois.arin.net

Kiev, 03186, Ukraine <--Do you live here
85.255.112.6
Host reachable, 100 ms. average

85.255.112.0 - 85.255.127.255
Inhoster hosting company
OOO Inhoster, ul.Antonova 5, Kiev, 03186, Ukraine
Abuse notifications to: abuse@inhoster.com

Andrei Kislizin
OOO Inhoster,
ul.Antonova 5, Kiev,
03186, Ukraine
phone: +38 044 2404332

Fast Web Hosting Support
01110, Ukraine, Kiev, 20Á, Solomenskaya street. room 201.
UA
phone: +357 99 117759
support@fwebhost.com

EstHost
Source: whois.ripe.net

Kc :tazz:
  • 0

#10
[O]siris

[O]siris

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hey again.

I really have no idea what to make of those.

And no, I'm not from the Ukraine, I'm from the U.S.

Sorry, but in the area of IPs and the like, I'm a little ignorant. So please spare no details and actions I should take.

Thanks and here's my updated hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:20:53 PM, on 8/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\ABIT\ABIT uGuru\uGuru_Event_Receiver.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\ABIT\ABIT uGuru\ABITEQ.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com/"); (C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Osiris\Application Data\Mozilla\Profiles\default\m6723dhp.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ABIT uGuru] C:\Program Files\ABIT\ABIT uGuru\uGuru.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ResChanger2004] C:\Program Files\eVGA\ResChanger2004\ResChanger2004.exe
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra 'Tools' menuitem: &Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {E36C5562-C4E0-4220-BCB2-1C671E3A5916} (Seagate SeaTools English Online) - http://www.seagate.com/support/disc/asp/tools/en/bin/npseatools.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Hmmm. Now I'm all intrigued...
  • 0

#11
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi [O]siris

Your HJT.log is clean.
Just need to see if Panda show up any malware

BleepingComputer.com Tutorial Center this will help you on the way to understanding IP's

Tutorial Center
http://bleepingcompu.../tutorials.html

TCP and UDP Ports Explained
http://bleepingcompu...rums/tut38.html

The Domain Name System
http://bleepingcompu...rums/tut28.html

Domain Names & Hostnames
http://bleepingcompu...rums/tut29.html

IP Addresses Explained
http://bleepingcompu...rums/tut37.html

Understanding and Using Firewalls
http://bleepingcompu...rums/tut60.html

Please post a panda log with a new HJT.log

Kc :tazz:
  • 0

#12
Guest_thatman_*

Guest_thatman_*
  • Guest
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP