Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

My HijackThis Log - Malware [CLOSED]


  • This topic is locked This topic is locked

#31
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>AZBGNTQ
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT

2. Click on Config>>Misc Tools>>Delete an NT Service

3. Copy/Paste AZBGNTQ in the space provided and click OK

4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\DOCUME~1\MADELI~1\LOCALS~1\Temp\AZBGNTQ.exe


7. REBOOT back into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

Advertisements


#32
xelaenil

xelaenil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hijack This Log

Logfile of HijackThis v1.99.1
Scan saved at 9:35:03 AM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media

Platform\SV_Httpd.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Borland\Interbase\Bin\IBServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Cerience\RepliGo\RepliGoMon.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe
C:\Program Files\Textual\anagram\anagram.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet

Settings,ProxyOverride = local.,
N4 - Mozilla: user_pref("browser.startup.homepage",

"http://home.netscape.com/"); (C:\Documents and Settings\Madeline

Then\Application Data\Mozilla\Profiles\default\9nh1owc4.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine",

"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins

%5CSBWeb_01.src"); (C:\Documents and Settings\Madeline

Then\Application Data\Mozilla\Profiles\default\9nh1owc4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

- C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WCNetMon Class - {3BE313C3-DAD6-4da6-801D-75860118A0B5} -

C:\Program Files\blcorp\WCCSC\WCPStop\wcpstop.dll
O2 - BHO: RepliGoIEHelperCtl Class -

{91DE4477-9CDC-4806-9BCB-28A963988E94} - C:\Program

Files\Cerience\RepliGo\RepliGoIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class -

{AE7CD045-E861-484f-8273-0445EE161910} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS

Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program

Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RepliGo Assistant] "C:\Program

Files\Cerience\RepliGo\RepliGoMon.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program

Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend

Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px]

C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program

Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program

Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program

Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: anagram.lnk = C:\Program

Files\Textual\anagram\anagram.exe
O8 - Extra context menu item: Transfer by Image Converter 1.5 -

C:\Program Files\Sony\Image Converter 1.5\menu.htm
O10 - Unknown file in Winsock LSP: c:\program

files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control)

- http://housecall60.t...all/xscan60.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class)

-

http://update.micros...ls/en/x86/clien

t/muweb_site.cab?1124501540359
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online

Scanner) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program

Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. -

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common

Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise

Corporation - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise

Corporation - C:\Program Files\Borland\Interbase\Bin\IBServer.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) -

Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation -

C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro

Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro

Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc.

- C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: VAIO Media Music Server (Application)

(VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program

Files\Sony\VAIO Media Music Server\SSSvr.exe"

/Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO

Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP)

(VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program

Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe"

/Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony

Corporation\VAIO Media Platform\2.0"

/RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP)

(VAIOMediaPlatform-MusicServer-UPnP) - Unknown owner - C:\Program

Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

(file missing)
O23 - Service: VAIO Media Photo Server (Application)

(VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program

Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP)

(VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program

Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe"

/Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony

Corporation\VAIO Media Platform\2.0"

/RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP)

(VAIOMediaPlatform-PhotoServer-UPnP) - Unknown owner - C:\Program

Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

(file missing)
O23 - Service: VAIO Media Video Server (Application)

(VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program

Files\Sony\giga pocket\GPVSvr.exe"

/Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO

Media Video Server (Application) (file missing)
O23 - Service: VAIO Media Video Server (HTTP)

(VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program

Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe"

/Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony

Corporation\VAIO Media Platform\2.0"

/RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP)

(VAIOMediaPlatform-VideoServer-UPnP) - Unknown owner - C:\Program

Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe

(file missing)
  • 0

#33
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please repost your log in sngle space format. As it is, it is too difficult to analyze.

To remove the double spacing in your log, please do the following:
  • Please go to Start >> Run... and type notepad.exe
  • Hit OK.
  • Now go to Format and uncheck WordWrap.
  • Close Notepad.


Thanks,


Trevuren

  • 0

#34
xelaenil

xelaenil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
I am so sorry, I was being lazy and decided to copy and paste directly from HJT. I did not even notice. Here it goes the right way. My apologies:

Logfile of HijackThis v1.99.1
Scan saved at 9:35:03 AM, on 9/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\Borland\Interbase\Bin\IBServer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Cerience\RepliGo\RepliGoMon.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe
C:\Program Files\Textual\anagram\anagram.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
N4 - Mozilla: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Madeline Then\Application Data\Mozilla\Profiles\default\9nh1owc4.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Madeline Then\Application Data\Mozilla\Profiles\default\9nh1owc4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WCNetMon Class - {3BE313C3-DAD6-4da6-801D-75860118A0B5} - C:\Program Files\blcorp\WCCSC\WCPStop\wcpstop.dll
O2 - BHO: RepliGoIEHelperCtl Class - {91DE4477-9CDC-4806-9BCB-28A963988E94} - C:\Program Files\Cerience\RepliGo\RepliGoIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RepliGo Assistant] "C:\Program Files\Cerience\RepliGo\RepliGoMon.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: anagram.lnk = C:\Program Files\Textual\anagram\anagram.exe
O8 - Extra context menu item: Transfer by Image Converter 1.5 - C:\Program Files\Sony\Image Converter 1.5\menu.htm
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124501540359
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBServer.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe (file missing)
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe (file missing)
O23 - Service: VAIO Media Video Server (Application) (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\giga pocket\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (Application) (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe (file missing)
  • 0

#35
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Forget it. Been there_Done that myself.

Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

Just to be sure, Please do an online scan with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information into your next post.
Regards

Trevuren

  • 0

#36
xelaenil

xelaenil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
This is like the never ending story... TrendMicro detected the following...

Infected file: C:\Program Files\Common Files\services.exe
Virus name: ADW_SHORTY.A

Infected file: C:\Program Files\DNS\cwebpage.dll
Virus name: ADW_SHORTY.A

Kapersky On-line Log...

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, September 21, 2005 10:18:31
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 21/09/2005
Kaspersky Anti-Virus database records: 141327
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 119067
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 6795 sec

Infected Object Name - Virus Name
C:\!Submit\conres.cpl Infected: Trojan-Downloader.Win32.Qoologic.ad
C:\!Submit\datadx.dll Infected: Trojan-Downloader.Win32.Qoologic.ad
C:\!Submit\lanbruns.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.i
C:\!Submit\lanbruns.exe Infected: Trojan-Downloader.NSIS.Agent.i

Scan process completed.
  • 0

#37
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please follow the instructions provided, you may want to print out these instructions and use them as a reference.
  • Please download ewido security suite it is a trial version of the program.
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will prompt you to update click the OK button
    • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update
    • Click on Start
    • The update will start and a progress bar will show the updates being installed.
  • Once the updates are installed do the following:
    • REBOOT into Safe Mode
    • Run EWIDO
    • Click on scanner
    • Click on Start Scan
    • Let the program scan the machine
    • While the scan is in progress you will be prompted to clean files, click OK
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop
  • Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply
Regards,

Trevuren

  • 0

#38
xelaenil

xelaenil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Two funny things happening. Trend Micro, does not update anymore I get a bad internet connection (=1).

Netscape closes by itself when I try to run it.

I also get the art.arwola pop up window on firefox, not too often, just one window, but still....

My bluetooth connection is always unplugged (it is really pluged). I will re-install the software once we are all cleaned. That might help that, just to let you know.. in case it doesn't work properly later.

Thanks

ewido report

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:29:40 PM, 9/21/2005
+ Report-Checksum: 8EE04F83

+ Scan result:

HKLM\SOFTWARE\Clickspring -> Spyware.PurityScan : Cleaned with backup
C:\!Submit\datadx.dll -> TrojanDownloader.Qoologic.ad : Cleaned with backup
C:\!Submit\hbjpyd.exe -> Spyware.Adstart : Cleaned with backup
C:\!Submit\hxddid.exe -> Spyware.Adstart : Cleaned with backup
C:\!Submit\qiqkzd.exe -> Spyware.Adstart : Cleaned with backup
C:\!Submit\services32.exe -> Spyware.Maxifiles : Cleaned with backup
C:\!Submit\wirelanb.dll -> Spyware.SafeSurfing : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Madeline Then\Application Data\Netscape\NSB\Profiles\ha3a1jgg.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Madeline Then\Application Data\Netscape\NSB\Profiles\ha3a1jgg.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Madeline Then\Application Data\Netscape\NSB\Profiles\ha3a1jgg.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Madeline Then\Application Data\Netscape\NSB\Profiles\ha3a1jgg.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Madeline Then\Application Data\Netscape\NSB\Profiles\ha3a1jgg.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Madeline Then\Application Data\Netscape\NSB\Profiles\ha3a1jgg.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Madeline Then\Application Data\Netscape\NSB\Profiles\ha3a1jgg.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Madeline Then\Application Data\Netscape\NSB\Profiles\ha3a1jgg.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Madeline Then\Application Data\Netscape\NSB\Profiles\ha3a1jgg.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Madeline Then\Cookies\madeline then@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Madeline Then\Cookies\madeline then@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Madeline Then\Cookies\madeline then@com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Madeline Then\Cookies\madeline then@e-2dj6wjk4epcpwhp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Madeline Then\Cookies\madeline then@e-2dj6wjlikmczckq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Madeline Then\Cookies\madeline then@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Madeline Then\Cookies\madeline then@phg.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Madeline Then\Cookies\madeline then@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Program Files\Common Files\services.exe -> Spyware.Maxifiles : Cleaned with backup
C:\WINDOWS\system32\WіnSxS\dvdplay.exe -> Spyware.PurityScan : Cleaned with backup


::Report End

HJT Report

Logfile of HijackThis v1.99.1
Scan saved at 4:25:01 AM, on 9/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Cerience\RepliGo\RepliGoMon.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe
C:\Program Files\Textual\anagram\anagram.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
C:\Program Files\Sony\giga pocket\GPVSvr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Borland\Interbase\Bin\IBServer.exe
C:\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,
N4 - Mozilla: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Madeline Then\Application Data\Mozilla\Profiles\default\9nh1owc4.slt\prefs.js)
N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Madeline Then\Application Data\Mozilla\Profiles\default\9nh1owc4.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WCNetMon Class - {3BE313C3-DAD6-4da6-801D-75860118A0B5} - C:\Program Files\blcorp\WCCSC\WCPStop\wcpstop.dll
O2 - BHO: RepliGoIEHelperCtl Class - {91DE4477-9CDC-4806-9BCB-28A963988E94} - C:\Program Files\Cerience\RepliGo\RepliGoIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RepliGo Assistant] "C:\Program Files\Cerience\RepliGo\RepliGoMon.exe"
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: anagram.lnk = C:\Program Files\Textual\anagram\anagram.exe
O8 - Extra context menu item: Transfer by Image Converter 1.5 - C:\Program Files\Sony\Image Converter 1.5\menu.htm
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124501540359
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBServer.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Unknown owner - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe" /Service=VAIOMediaPlatform-MusicServer-AppServer /DisplayName="VAIO Media Music Server (Application) (file missing)
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe" /Service=VAIOMediaPlatform-MusicServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="Applications\MusicServer\HTTP (file missing)
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe (file missing)
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-PhotoServer-HTTP /RegRoot="Software\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\PhotoServer\HTTP (file missing)
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe (file missing)
O23 - Service: VAIO Media Video Server (Application) (VAIOMediaPlatform-VideoServer-AppServer) - Unknown owner - C:\Program Files\Sony\giga pocket\GPVSvr.exe" /Service=VAIOMediaPlatform-VideoServer-AppServer /DisplayName="VAIO Media Video Server (Application) (file missing)
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe" /Service=VAIOMediaPlatform-VideoServer-HTTP /RegRoot="SOFTWARE\Sony Corporation\VAIO Media Platform\2.0" /RegExt="\Applications\VideoServer\HTTP (file missing)
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Unknown owner - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe (file missing)

Edited by xelaenil, 22 September 2005 - 02:52 AM.

  • 0

#39
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Your log is still OK.

1. Delete the folder C:\!Submit and all its content.

2. You may have to reinstall both the AV and Netscape once clean.

3. With the folder deleted, please run Kaspersky online once more and post the results.

Please try and do this today as I will be away from the forums for about 5 days.

Regards,

Trevuren

  • 0

#40
xelaenil

xelaenil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Tried to do this as fast as I could but it took a long time. Sorry, if you cannot see it tonight, then I will wait, Thanks and enjoy...

Trend micro is still reporting this....

Infected file: C:\Program Files\DNS\cwebpage.dll
Virus name: ADW_SHORTY.A


Kaspersky Scan log...

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, September 22, 2005 21:37:03
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 23/09/2005
Kaspersky Anti-Virus database records: 141634
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 119342
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 6675 sec

Infected Object Name - Virus Name
C:\RECYCLER\S-1-5-21-48506347-2704639424-2437969446-1004\Dc88\conres.cpl Infected: Trojan-Downloader.Win32.Qoologic.ad
C:\RECYCLER\S-1-5-21-48506347-2704639424-2437969446-1004\Dc88\lanbruns.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.i
C:\RECYCLER\S-1-5-21-48506347-2704639424-2437969446-1004\Dc88\lanbruns.exe Infected: Trojan-Downloader.NSIS.Agent.i

Scan process completed.
  • 0

Advertisements


#41
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Download the Killbox.
  • Unzip it to the desktop
  • Double-click Killbox.exe to run it.
  • Select "Delete on Reboot".
  • Place the following line (complete path) in C:\Program Files\DNS\cwebpage.dll in the "Full Path of File to Delete" box in Killbox:
  • Put a mark next to "Delete on Reboot"
  • Click the red-and-white "Delete File" button. Click "Yes" at theDelete on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually

2. Copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f



Close all programs and doubleclick recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin


3. Run your AV again and please post result

Regards,

Trevuren

  • 0

#42
xelaenil

xelaenil

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
When running killbox for the following process

C:\Program Files\DNS\cwebpage.dll

I get the following message

PendingFileRemane Operation Registry data has been removed by external process

then it does not continue.... :tazz:

Edited by xelaenil, 22 September 2005 - 08:10 PM.

  • 0

#43
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Try the following:

1. Totally disconnect from the internet (unplug)

2. Reboot into safe Mode

3. Run Killbox as per previous instructions and/or

4. Try deleting file while in safe mode.


Trevuren
  • 0

#44
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP