Aurora Trojan Attack [RESOLVED]


  • This topic is locked

#91
nancylpina

nancylpina

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
No, I don't!
  • 0


#92
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Good! :tazz:
  • 0

#93
Atribune

Atribune

    HijackThis Expert

  • Visiting Consultant
  • 956 posts
  • MVP
Hi Nancy and Michelle, :tazz:

Nancy please open a blank notepad window.

Copy the following bold text and paste it into that notepad window

dir %windir%\system32\*.exe /o:d >>dir.txt
dir %windir%\system32\*.exe /a:h /o:d >>dir.txt
dir %windir%\system32\*.exe /a:s /o:d >>dir.txt


Save that notepad file as dir.bat and save it as type all files.

Double-click on dir.bat and let it run; it'll be fast.

In the same directory as you saved dir.bat will now be a dir.txt file. Please email it to me at submit@atribune.org
  • 0

#94
Atribune

Atribune

    HijackThis Expert

  • Visiting Consultant
  • 956 posts
  • MVP
Sorry this thing is being tricky, Nancy.

Let's try this; hopefully this will get me the files I need.

Download http://www.atribune....loads/nancy.zip

Unzip it to a convenient place. Open it and run Newfiles.bat

This will create a new zip file in the same folder as the .bat

Please email me exefiles.zip

Email is submit@atribune.org
  • 0

#95
nancylpina

nancylpina

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Good morning,

I just emailed you the file :tazz:
  • 0

#96
Atribune

Atribune

    HijackThis Expert

  • Visiting Consultant
  • 956 posts
  • MVP
Hi Nancy, can you repeat the last instructions again, but this time in safe mode?
  • 0

#97
nancylpina

nancylpina

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
I repeated the instructions in safe mode and emailed the file to you!
  • 0

#98
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Hello Nancy!

Thank you for e-mailing the files :tazz:

Let's see if we can get rid of them with this scan:

Please download MWav eScan

Double-click mwav.exe and unzip it to its predetermined Directory (C:\Kaspersky)

Locate "kavupd.exe" in the New Folder and Double Click to Update.

If it says the signatures are more than 30 days old, keep trying!
Keep trying until you get the actual signatures!


When you see Updates downloaded Successfully, please press enter to continue but don't run it yet, go ahead and close it out for now.

Now go to the Kaspersky folder-> Locate and Double Click "mwavscan.com" to launch the MWAV Scanner!

Once opened-> Leave the "Default Settings ticked" and add a "tick" to "Drives"-> this will light up "All Drives"-> Add a "tick" to "Scan all Files"-> Click "Scan Clean" to begin!

This Scan may take Several Hours or more to Complete, depending on the Hard Drive Size.

Please be sure it is Completed before proceeding!

Once the Scan has finished, All entries Identified as Infected will be displayed in the lower pane.

Highlight everything that is inside the lower pane and press Ctrl+C at the same time to Copy.

Open a Blank Notepad Page and Paste the results (Ctrl+V) to it and Save it to your Desktop.

Please post that log into your next reply.
  • 0

#99
nancylpina

nancylpina

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Hi Michelle!

Here is the log:

File C:\WINNT\zwbepvp.exe tagged as not-a-virus:AdWare.BetterInternet.s. No Action Taken.
File C:\WINNT\system32\cdoxcnm.exe infected by "Trojan-Downloader.Win32.Qoologic.ac" Virus. Action Taken: File Deleted.
File C:\WINNT\system32\jeoqw.dll tagged as not-a-virus:AdWare.Adstart.c. No Action Taken.
File C:\WINNT\system32\jeoqwd.exe tagged as not-a-virus:AdWare.Adstart.i. No Action Taken.
File C:\WINNT\system32\lqgeb.dll.tcf tagged as not-a-virus:AdWare.Adstart.c. No Action Taken.
File C:\WINNT\system32\lqgebd.exe tagged as not-a-virus:AdWare.Adstart.i. No Action Taken.
File C:\WINNT\system32\ntsys.exe tagged as not-a-virus:Server-FTP.Win32.Serv-U.3016. No Action Taken.
File C:\WINNT\system32\Process.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.
File C:\WINNT\system32\ringr.zip infected by "Trojan-Downloader.Win32.Qoologic.aa" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\026558F2.dll tagged as not-a-virus:AdWare.CASClient.a. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\026802EF.exe infected by "Trojan-Downloader.Win32.Qoologic.aa" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\027200E4.dll infected by "Trojan-Downloader.Win32.Qoologic.aa" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\02752AE0.exe infected by "Trojan-Downloader.Win32.Qoologic.aa" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\027C7ED9.exe tagged as not-a-virus:AdWare.SafeSurfing.o. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\027F28D6.dll tagged as not-a-virus:AdWare.Look2Me.ag. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\027F28D6.exe infected by "Trojan-Downloader.NSIS.Agent.i" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\028252D2.exe infected by "Trojan.Win32.Pakes" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\02857CCE.dat infected by "Trojan-Downloader.Win32.Qoologic.aa" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\028926CB.dll infected by "Trojan-Downloader.Win32.Qoologic.aa" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\028926CB.exe tagged as not-a-virus:AdWare.BetterInternet. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\028C50C7.dll tagged as not-a-virus:AdWare.SafeSurfing.q . No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\04E7160A.exe tagged as not-a-virus:AdWare.BookedSpace.e. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\06197820.exe infected by "Trojan-Downloader.Win32.Qoologic.n" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\13420C3D.dll tagged as not-a-virus:AdWare.ToolBar.AlexaBar.a. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1C6D040E.exe tagged as not-a-virus:AdWare.BetterInternet. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1D3A701D.dll tagged as not-a-virus:AdWare.Look2Me.ag. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\28CA2C1C.exe tagged as not-a-virus:AdWare.WinAD.aw. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\346772D9.dll tagged as not-a-virus:AdWare.ToolBar.ImiBar.g. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\350129A8.exe infected by "Trojan-Downloader.Win32.VB.kq" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\3F852E12.exe infected by "Trojan-Dropper.Win32.Small.qn" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\3FEB2419.exe tagged as not-a-virus:AdWare.Pacer.j. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\40EA5565.exe infected by "Trojan-Downloader.Win32.Qoologic.n" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\41E9723F.dll tagged as not-a-virus:AdWare.ToolBar.AlexaBar.a. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4BE1561F.exe infected by "Trojan-Downloader.Win32.QDown.z" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\52151703.exe infected by "Trojan-Downloader.Win32.VB.kq" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\521840FF.exe infected by "Trojan-Downloader.Win32.VB.kq" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\521840FF.htm infected by "Trojan-Downloader.JS.IstBar.j" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\524C60C5.dll tagged as not-a-virus:AdWare.ToolBar.AlexaBar.a. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\524F0AC2.dll tagged as not-a-virus:AdWare.ToolBar.AlexaBar.a. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\525334BE.dll tagged as not-a-virus:AdWare.ToolBar.AlexaBar.a. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\52565EBB.dll tagged as not-a-virus:AdWare.ToolBar.AlexaBar.a. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\525908B7.dll tagged as not-a-virus:AdWare.ToolBar.AlexaBar.b. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\526630A9.dll tagged as not-a-virus:AdWare.ToolBar.AlexaBar.a. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\526A5AA5.exe infected by "Trojan-Dropper.Win32.Agent.pb" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\526D04A2.exe infected by "Trojan-Dropper.Win32.Agent.pb" Virus. Action Taken: File Deleted.
File C:\Program Files\NTraces of "Parite.b" found and cleaned !!!
  • 0

#101
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Unfortunately, we've still got more work to do because MWav did not find the files we needed it to find :tazz:

Open Norton, click View Reports, there should be a quarantine button in there somewhere. Delete everything it has quarantined. :)

* Run Killbox.exe.

* Select "Delete on Reboot".

* Copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C

C:\WINNT\zwbepvp.exe
C:\WINNT\system32\jeoqw.dll
C:\WINNT\system32\jeoqwd.exe
C:\WINNT\system32\lqgeb.dll.tcf
C:\WINNT\system32\lqgebd.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. If your computer does not restart automatically, please restart it manually.

After your computer reboots, post a new HiJackThis log.
  • 0
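
As an added example (not part of the original thread, and not the helpers' own tooling), this Python script parses the MWAV log format posted above and lists entries that were tagged but left in place outside the Norton quarantine folder. The function names are hypothetical, and the adware-only filter is an assumption made for this example; the thread does not say how the Killbox list was chosen.

```python
import re
from pathlib import PureWindowsPath
from typing import List, NamedTuple, Tuple

# Excerpt of the MWAV log posted in this thread, including its truncated last line.
SAMPLE_LOG = r'''File C:\WINNT\zwbepvp.exe tagged as not-a-virus:AdWare.BetterInternet.s. No Action Taken.
File C:\WINNT\system32\cdoxcnm.exe infected by "Trojan-Downloader.Win32.Qoologic.ac" Virus. Action Taken: File Deleted.
File C:\WINNT\system32\jeoqw.dll tagged as not-a-virus:AdWare.Adstart.c. No Action Taken.
File C:\WINNT\system32\jeoqwd.exe tagged as not-a-virus:AdWare.Adstart.i. No Action Taken.
File C:\WINNT\system32\lqgeb.dll.tcf tagged as not-a-virus:AdWare.Adstart.c. No Action Taken.
File C:\WINNT\system32\lqgebd.exe tagged as not-a-virus:AdWare.Adstart.i. No Action Taken.
File C:\WINNT\system32\ntsys.exe tagged as not-a-virus:Server-FTP.Win32.Serv-U.3016. No Action Taken.
File C:\WINNT\system32\Process.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.
File C:\WINNT\system32\ringr.zip infected by "Trojan-Downloader.Win32.Qoologic.aa" Virus. Action Taken: File Deleted.
File C:\Program Files\Norton AntiVirus\Quarantine\026558F2.dll tagged as not-a-virus:AdWare.CASClient.a. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\028C50C7.dll tagged as not-a-virus:AdWare.SafeSurfing.q . No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\526D04A2.exe infected by "Trojan-Dropper.Win32.Agent.pb" Virus. Action Taken: File Deleted.
File C:\Program Files\NTraces of "Parite.b" found and cleaned !!!
'''

# Quarantine folder as it appears in the posted log.
QUARANTINE_DIR = PureWindowsPath(r'C:\Program Files\Norton AntiVirus\Quarantine')


class Finding(NamedTuple):
    path: str
    detection: str
    not_a_virus: bool   # True for "tagged as not-a-virus:" entries
    action: str


# The two line shapes seen in the log. The optional whitespace before the
# period covers entries such as "AdWare.SafeSurfing.q . No Action Taken."
_TAGGED = re.compile(r'^File (.+?) tagged as not-a-virus:(\S+?)\s*\. (.+?)\.$')
_INFECTED = re.compile(r'^File (.+?) infected by "([^"]+)" Virus\. Action Taken: (.+?)\.$')


def parse_log(text: str) -> Tuple[List[Finding], List[str]]:
    """Return (findings, unparsed_lines); malformed lines are kept, not dropped."""
    findings, unparsed = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        tagged = _TAGGED.match(line)
        infected = _INFECTED.match(line)
        if tagged:
            findings.append(Finding(tagged[1], tagged[2], True, tagged[3]))
        elif infected:
            findings.append(Finding(infected[1], infected[2], False, infected[3]))
        else:
            unparsed.append(line)   # e.g. the truncated "Parite.b" line
    return findings, unparsed


def leftover_adware(findings: List[Finding],
                    quarantine_dir: PureWindowsPath = QUARANTINE_DIR) -> List[str]:
    """Paths the scanner flagged as adware but did not act on, outside quarantine."""
    result = []
    for f in findings:
        if f.action != 'No Action Taken':
            continue
        if not f.detection.lower().startswith('adware.'):
            continue   # assumption: Serv-U and RiskTool entries are reviewed separately
        if quarantine_dir in PureWindowsPath(f.path).parents:
            continue   # already contained by Norton; handled via its own UI
        result.append(f.path)
    return result


if __name__ == '__main__':
    parsed, skipped = parse_log(SAMPLE_LOG)
    print('\n'.join(leftover_adware(parsed)))
    print(f'{len(skipped)} line(s) could not be parsed and need manual review')
```

Lines that match neither pattern are returned separately so that a truncated or unfamiliar entry is reviewed by hand rather than silently ignored.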

#102
nancylpina

nancylpina

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Here is the new HiJack This log Michelle! :tazz:
Logfile of HijackThis v1.99.1
Scan saved at 6:56:21 PM, on 8/30/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cqginsts.exe
C:\WINNT\System32\svchost.exe
c:\jetsuite\jsdaemon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\jetsuite\DLLCMD32.EXE
C:\jetsuite\JETSTAT.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\VSTASCAN\vsaccess.exe
c:\jetsuite\JSFMAN.EXE
C:\Documents and Settings\Nancy\Desktop\HijackThis-2.exe
C:\WINNT\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.msn.com/
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Compaq VistaAccess.lnk = C:\VSTASCAN\vsaccess.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124308158750
O16 - DPF: {776706AE-CACA-4EA3-93DF-BB83D9259DA9} (MailConfigure Class) - http://supportservic...ool/MailCfg.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.c...ers/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://active.macro...abs/swflash.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.micro...rchsettings.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CQG Installation Service (CQGInstS) - CQG, Inc. - C:\WINNT\System32\cqginsts.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#103
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Hello Nancy :tazz:

Thank you.

Let's try this one now:

a-squared Free is a trojan removal tool. To be able to use it, you must set up a free a-squared Account, to get access to the update server.
Please set up an a-squared account at the following link:
http://www.emsisoft....oftware/account

Then download a-squared free from this link:

http://www.emsisoft....ftware/download

Install it and update it.

Then boot your computer to safe mode by tapping the F8 key repeatedly on reboot until you get a boot menu. From this boot menu choose safe mode.

Once in safe mode, fire up a-squared and let it run. Do not fix anything yet; let's just see what it finds. When it is done scanning, click the save log as html button.

Reboot to normal windows and upload that html file with your next post. I will go through and analyze the log to tell you if any of the files should not be removed.
  • 0

#104
nancylpina

nancylpina

    Member

  • Topic Starter
  • Member
  • PipPip
  • 55 posts
Good morning Michelle!

I emailed the HTML report to you; here is the report as well:

a² Report
Filename Diagnosis
C:\unzipped\nancy\jeoqwd.exe Adware.Adstart.i
C:\unzipped\nancy\lqgebd.exe Adware.Adstart.i
C:\WINNT\Downloaded Program Files\UWFX5LP_0001_0802NetInstaller.exe Riskware.Downloader.Win32.Agent.c
C:\WINNT\system32\ntsys.exe Riskware.Server-FTP.Win32.Serv-U.3016
  • 0

#105
Michelle

Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Hello Nancy :tazz:

Please run asquared again and fix everything it found, then open Ewido, update it, then reboot into Safe Mode and run it, save the log and post it.

Post a new HiJackThis log as well as the log from Ewido please :)
  • 0





