Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

PS Guard attack [RESOLVED]


  • This topic is locked This topic is locked

#1
brainstorm201

brainstorm201

    New Member

  • Member
  • Pip
  • 2 posts
:tazz:
Oh wise one's of the mountain. PS Guard has found another victim. I followed a removal process from another site but still have some issues. After the reboot, I now am looking at a black screen with no icons or taskbars. I am doing everything "back-door style" through the task manager right now. I prefer to do things the normal way. Can you folks help? Here is my Hijack This Log. Thank you for all your help in this matter.

Logfile of HijackThis v1.99.1
Scan saved at 2:32:42 AM, on 8/22/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\Softimage\XSI_3.5\Application\bin\ray3xsi3_5server.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Norton Speed Disk\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Documents and Settings\Brian Hall\My Documents\Unzip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ttlc.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.ttlc.net"); (C:\Program Files\Netscape\Users\brianthunderhall\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\RecordNow MAX Platinum\StorageGuard\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Nwepsj] C:\Program Files\Aiaum\Ozkirr.exe
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [3smQ35T] ifmnsi64.exe
O4 - HKCU\..\Run: [IB54RRf4e] iersfr.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: RaptisoftGameLoader - http://miniclip.com/...tgameloader.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfiel...criptX/smsx.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://ww1.reciperew...ciperewards.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - http://download.newa...formerSetup.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Ray3xsi3_5 Server (Ray3xsi3_5Server) - Unknown owner - C:\Softimage\XSI_3.5\Application\bin\ray3xsi3_5server.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton Speed Disk\nopdb.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH & Co. KG - C:\WINNT\system32\spm\spmd.exe
O23 - Service: SpywareCleanerService - Secure Computer, LLC - C:\Program Files\Spyware Cleaner\SCService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Nwepsj] C:\Program Files\Aiaum\Ozkirr.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [3smQ35T] ifmnsi64.exe
O4 - HKCU\..\Run: [IB54RRf4e] iersfr.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://ww1.reciperew...ciperewards.cab
O16 - DPF: {D9EA64B2-B966-E177-332C-78B69886526D} - http://download.newa...formerSetup.cab


Uninstall Media Access and AutoUpdate via the Add/Remove panel if listed.

Delete these files if found:

C:\Program Files\Media Access\
C:\Program Files\Aiaum\
C:\Program Files\AutoUpdate\
ifmnsi64.exe
iersfr.exe


Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log.

Then post the Panda log here along with the logs for HijackThis, smitfiles.txt and Ewido.
  • 0

#3
brainstorm201

brainstorm201

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts
:tazz:
Thank you greyknight17,
I have regained control of my computer. And they say there are no more heroes in the world. Here are the logs you requested. Once again thank you for your service. You saved me Gigs upon Gigs of lost data.


Incident Status Location

Adware:adware/apropos No disinfected C:\PROGRAM FILES\Aprps
Adware:adware/wintools No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Brian Hall\.jpi_cache\jar\1.0\loaderadv410.jar-1458056b-25d5e2c5.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Brian Hall\.jpi_cache\jar\1.0\loaderadv410.jar-1458056b-25d5e2c5.zip[Dummy.class]
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\pstub0\proxystub.dll

Logfile of HijackThis v1.99.1
Scan saved at 9:27:01 AM, on 8/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\Softimage\XSI_3.5\Application\bin\ray3xsi3_5server.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\essspk.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe
C:\Program Files\Iomega\Tools\IMGICON.EXE
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\Brian Hall\My Documents\Unzip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.ttlc.net"); (C:\Program Files\Netscape\Users\brianthunderhall\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\RecordNow MAX Platinum\StorageGuard\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Iomega Backup Scheduler.lnk = C:\Program Files\Iomega\Iomega Backup\dtiom98.exe
O4 - Global Startup: Iomega Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.EXE
O4 - Global Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Global Startup: IomegaWare.lnk = C:\Program Files\Iomega\Iomegaware\COMMANDER.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: QuikSync.lnk = C:\Program Files\Iomega\QuikSync\QUIKSYNC.EXE
O16 - DPF: RaptisoftGameLoader - http://miniclip.com/...tgameloader.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Advanced) - http://www.stonyfiel...criptX/smsx.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai....23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Ray3xsi3_5 Server (Ray3xsi3_5Server) - Unknown owner - C:\Softimage\XSI_3.5\Application\bin\ray3xsi3_5server.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton Speed Disk\nopdb.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH & Co. KG - C:\WINNT\system32\spm\spmd.exe
O23 - Service: SpywareCleanerService - Secure Computer, LLC - C:\Program Files\Spyware Cleaner\SCService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINNT\System32\ZipToA.exe



smitRem log file
version 2.3

by noahdfear

The current date is: Wed 08/24/2005
The current time is: 20:44:32.62

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! :)


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

ole32vbs.exe
msole32.exe
logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:07:48 AM, 8/25/2005
+ Report-Checksum: BF1A85D3

+ Scan result:

:mozilla.11:C:\Documents and Settings\Brian Hall\Application Data\Mozilla\Profiles\BrianThunderHall\en9p9jh1.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Brian Hall\Application Data\Mozilla\Profiles\BrianThunderHall\en9p9jh1.slt\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Brian Hall\Application Data\Mozilla\Profiles\BrianThunderHall\en9p9jh1.slt\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Brian Hall\Application Data\Mozilla\Profiles\BrianThunderHall\en9p9jh1.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Brian Hall\Application Data\Mozilla\Profiles\BrianThunderHall\en9p9jh1.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Brian Hall\Application Data\Mozilla\Profiles\BrianThunderHall\en9p9jh1.slt\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Brian Hall\Application Data\Mozilla\Profiles\BrianThunderHall\en9p9jh1.slt\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Brian Hall\Application Data\Mozilla\Profiles\BrianThunderHall\en9p9jh1.slt\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Brian Hall\Application Data\Mozilla\Profiles\BrianThunderHall\en9p9jh1.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Brian Hall\Application Data\Mozilla\Profiles\BrianThunderHall\en9p9jh1.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Brian Hall\Application Data\Mozilla\Profiles\BrianThunderHall\en9p9jh1.slt\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\NPROTECT\01047775.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047776.TXT -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\01047781.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047782.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047783.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047784.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047788.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047789.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047790.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047791.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047793.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047794.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047795.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047796.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047801.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047802.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047803.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047804.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01047809.TXT -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\01047810.TXT -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\01047811.TXT -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\01052224.DLL -> Trojan.Small.ev : Cleaned with backup
C:\RECYCLER\NPROTECT\01052292.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01052296.TXT -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\01052356.TXT -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\RECYCLER\NPROTECT\01052363.TXT -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\RECYCLER\NPROTECT\01052368.TXT -> Spyware.Cookie.Revenue : Cleaned with backup
C:\RECYCLER\NPROTECT\01052369.TXT -> Spyware.Cookie.Counted : Cleaned with backup
C:\RECYCLER\NPROTECT\01052374.TXT -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\NPROTECT\01052380.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01052384.TXT -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\RECYCLER\NPROTECT\01052393.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01052396.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01052398.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01052407.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01052426.TXT -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\NPROTECT\01052430.TXT -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\RECYCLER\NPROTECT\01052441.TXT -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\RECYCLER\NPROTECT\01052449.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01052452.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01052464.TXT -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\RECYCLER\NPROTECT\01052468.TXT -> Spyware.Cookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\01052487.TXT -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\RECYCLER\NPROTECT\01052508.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01052517.TXT -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\RECYCLER\NPROTECT\01052536.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01052537.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01052558.TXT -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\RECYCLER\NPROTECT\01052561.TXT -> Spyware.Cookie.Adserver : Cleaned with backup
C:\RECYCLER\NPROTECT\01052564.TXT -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\RECYCLER\NPROTECT\01052565.TXT -> Spyware.Cookie.Overture : Cleaned with backup
C:\RECYCLER\NPROTECT\01052585.TXT -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\RECYCLER\NPROTECT\01052591.TXT -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\RECYCLER\NPROTECT\01052597.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\01052598.TXT -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\RECYCLER\NPROTECT\01052604.TXT -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\RECYCLER\NPROTECT\01052615.TXT -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\RECYCLER\NPROTECT\01052625.TXT -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\RECYCLER\NPROTECT\01052638.TXT -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\RECYCLER\NPROTECT\01052646.TXT -> Spyware.Cookie.Centrport : Cleaned with backup
C:\RECYCLER\NPROTECT\01052647.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\01052696.TXT -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\RECYCLER\NPROTECT\01053713.exe -> Trojan.Small.cy : Cleaned with backup
C:\RECYCLER\NPROTECT\01053714.EXE -> Spyware.MediaPass : Cleaned with backup
C:\RECYCLER\NPROTECT\01053715.EXE -> Spyware.WinAD : Cleaned with backup
C:\RECYCLER\NPROTECT\01053716.exe -> TrojanDownloader.Agent.ro : Cleaned with backup
C:\RECYCLER\NPROTECT\01053717.exe -> Spyware.Apropos : Cleaned with backup
C:\RECYCLER\NPROTECT\01053718.EXE -> Trojan.Puper.ai : Cleaned with backup


::Report End

Let me know if you find anything wrong.
  • 0

#4
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem :tazz:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Spyware Cleaner

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O23 - Service: SpywareCleanerService - Secure Computer, LLC - C:\Program Files\Spyware Cleaner\SCService.exe


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\Spyware Cleaner\
C:\Program Files\Aprps\


No need for a new log.

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP