Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Nail, BookedSpace, etc - please help [RESOLVED]


  • This topic is locked This topic is locked

#1
unklebob

unklebob

    New Member

  • Member
  • Pip
  • 5 posts
Hi there

I got tons of spyware etc suddenly install on my PC in one go. I was probably online for 30 mins before I pulled the plug on my internet connection.

I've gone through the steps as advised on this site. I've hardly been back on the net since (I'm using a different PC now) - only reconnected to get updates for software.

I also updated from XP home to SP2, which I realise now was a mistake, but I did that before finding this site.

I've since used Cleanup, cwshredder, adaware, spybot S&D, ewido and TrojanHunter. Early on, I also used my Norton AntiVirus 2005, which was totally useless as far as I could tell. I have disabled it while Ewido is installed. I also edited the registry to get rid of Surfsidekick (instructions were on the Symantec site). Overall, most of the nasties have gone, I think, but it looks like I'm not clean just yet.

If anyone can help me out, I'd be eternally grateful!

Thanks,

Rob


Ewido log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 19:45:29, 14/08/2005
+ Report-Checksum: 5C3D487A

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1812864381-4086601109-1325006524-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
[1300] C:\WINDOWS\system32\DrPMon.dll -> Adware.BetterInternet : Cleaned with backup
[2468] C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace : Error during cleaning
[216] C:\WINDOWS\system32\lodzgm.exe -> Trojan.Agent.cp : Cleaned with backup
C:\Documents and Settings\Windows user\Cookies\windows user@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc12.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc13.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc16.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc17.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc2.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc24.exe -> TrojanDownloader.Apropo.ae : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc26.exe -> Spyware.Apropos : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc3.exe -> Spyware.Pacer : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc34\casstub.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc5.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc62.dll -> Spyware.EliteBar : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc63.exe -> Spyware.EliteBar : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc65.dll -> Spyware.EliteBar : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc66.exe -> Spyware.EliteBar : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc67.dll -> Spyware.EliteBar : Cleaned with backup
C:\RECYCLER\S-1-5-21-1812864381-4086601109-1325006524-500\Dc68.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP48\A0002739.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002759.exe -> TrojanDownloader.QDown.z : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002760.exe -> TrojanDownloader.Qoologic.v : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002767.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002774.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002775.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002784.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002789.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002791.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002796.exe -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002797.dll.tcf -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002798.dll.tcf -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002799.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002800.dll.tcf -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002801.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002965.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002970.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP50\A0002972.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP51\A0005264.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP51\A0005275.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP51\A0005288.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP51\A0005292.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP51\A0005293.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP51\A0005307.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP51\A0005309.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP51\A0005311.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP53\A0005526.exe -> TrojanDownloader.Small.ayh : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP53\A0005883.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP53\A0005884.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP53\A0005890.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0005901.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0005908.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0005946.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0005957.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0005973.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0005990.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0005991.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\betjrizmdum.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\lodzgm.exe -> Trojan.Agent.gp : Cleaned with backup
C:\WINDOWS\system32\nsn412.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__cfgmgr52.dll -> Spyware.BookedSpace : Cleaned with backup


::Report End


Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 20:52:13, on 14/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Portrait Displays\forteManager\dtsrvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\WinPortrait\floater.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.24-7searc...ore.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.24-7searc...ore.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.24-7searc...ore.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [PowSet] Wscript.exe //e:VBS C:\Drivers\Setpow.nec
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [v32P36X] jgawiz.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\forteManager\dtsrvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
  • 0

Advertisements


#2
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.
  • 0

#3
unklebob

unklebob

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Hi Sam!

Thanks for the response. The log is below. Please help!

Also, I get the following error message on boot-up:

Error loading C:\windows\cfgmgr52.dll The specified module could not be found
Best regards,

Rob

Logfile of HijackThis v1.99.1
Scan saved at 18:30:29, on 18/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Portrait Displays\forteManager\dtsrvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.24-7searc...ore.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.24-7searc...ore.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.24-7searc...ore.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [PowSet] Wscript.exe //e:VBS C:\Drivers\Setpow.nec
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [v32P36X] jgawiz.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\forteManager\dtsrvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
  • 0

#4
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
First I need you to download and prepare some tools(any that you don't already have) that we will need to remove the infection that you have.
  • Please download Ewido Security Suite
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck..
      • Install background guard
      • Install scan via context menu
    • Launch ewido, there should be an icon on your desktop, double-click it.
    • You will need to update ewido to the latest definition files.
      • On the left hand side of the main screen click update.
      • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
    • Exit ewido. DO NOT scan yet.
    If you are having problems with the updater, you can use this link to manually update ewido.
    Ewido Manual Updates

  • Please download CCleaner
    Install it, but do not run it yet.

  • Please download Nailfix Utility
    Save it to your desktop, but do not run it yet.

==============


Now that you have the right tools we can start fixing your problem.
Please print out these instructions as the rest of this fix must be done in Safe mode and you won't be able to access the Internet.

Please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.


==============


Once in Safe mode, please follow these steps:
  • Double-click on nailfix.exe.
    Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
    Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

  • Now open ewido and do a scan of your system.
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now as the action.
    • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report.
    • Save the report .txt file to your desktop or a location where you can find it easily.

  • Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.


    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.24-7searc...ore.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.24-7searc...ore.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.24-7searc...ore.com/sp2.php
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
    O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
    O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
    O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
    O4 - HKLM\..\Run: [v32P36X] jgawiz.exe
    O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"


  • Delete these files, if found.

    C:\WINDOWS\Nail.exe
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\System32\exp.exe
    C:\WINDOWS\System32\wintask.exe
    C:\WINDOWS\cfgmgr52.dll
    C:\WINDOWS\System32\lanbrup.exe
    C:\Program Files\Cas <-- delete this folder.
    jgawiz.exe



  • Now run CCleaner.
    • Uncheck "Cookies" under "Internet Explorer".
    • If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
    • Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.

Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the report log from the Ewido scan by using Add Reply
  • 0

#5
unklebob

unklebob

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Ok, done that.

Here are the 2 new logs:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 05:12:26, 19/08/2005
+ Report-Checksum: A6D199EC

+ Scan result:

C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0005996.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0005997.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0005998.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0005999.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0006000.exe.tcf -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0006001.exe -> TrojanDownloader.Apropo.ae : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0006002.exe -> Spyware.Apropos : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0006003.exe.tcf -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0006004.exe.tcf -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0006005.exe.tcf -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0006006.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0006007.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0006008.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0006009.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0006010.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0006011.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP54\A0006012.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP55\A0006128.dll -> Spyware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP55\A0006130.exe -> Trojan.Agent.gp : Cleaned with backup
C:\System Volume Information\_restore{98E46F0A-9DA1-4258-92C4-7CCAE5D21E6E}\RP58\A0007217.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Nail.exe.tcf -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Nail.exe548.tcf -> Adware.BetterInternet : Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 05:38:59, on 19/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Portrait Displays\forteManager\dtsrvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111.exe
C:\Program Files\Wacom\TabUserW.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\WinPortrait\floater.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.24-7searc...ore.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.24-7searc...ore.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.24-7searc...ore.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [PowSet] Wscript.exe //e:VBS C:\Drivers\Setpow.nec
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\forteManager\dtsrvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
  • 0

#6
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.24-7searc...ore.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.24-7searc...ore.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.24-7searc...ore.com/sp2.php
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"



Reboot and post a new hijackthis log.
  • 0

#7
unklebob

unklebob

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
New log:

Logfile of HijackThis v1.99.1
Scan saved at 23:02:57, on 19/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\Powercinema\PCMService.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111.exe
C:\Program Files\Wacom\TabUserW.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Portrait Displays\forteManager\dtsrvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\WinPortrait\floater.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [ATIPTA] C:\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PCMService] "c:\Apps\Powercinema\PCMService.exe"
O4 - HKLM\..\Run: [PowSet] Wscript.exe //e:VBS C:\Drivers\Setpow.nec
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\ScanSoft\NaturallySpeaking\Program\Ereg.exe" -r "C:\Program Files\ScanSoft\NaturallySpeaking\Program\ereg.ini"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O4 - Global Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Portrait Displays\forteManager\dtsrvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
  • 0

#8
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Your log looks clean to me. :tazz:

How are things on your end? Any problems?
  • 0

#9
unklebob

unklebob

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Looking good here, Sam! I've connected to the net and so far the nasties are absent.

Many thanks for helping me out of my hole. You guys do a great job and I hope you can all keep battling the bad guys. I really appreciate your kindness.

I've made a small donation via the paypal link on your sig.

All the best!

Rob
  • 0

#10
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Thanks! I'm glad I could help! :)

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:tazz: :)
  • 0

#11
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP