Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

w32.desktophijack - Can't Remove [RESOLVED]


  • This topic is locked This topic is locked

#16
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
We're almost there. :tazz:


Use Killbox to delete this file on reboot.

C:\WINDOWS\System32\nfsiod.exe


=========


Flush your system restore, this will delete any restore points that you have but it will also make sure that any malware hiding in system restore will be booted off.

Turn off System Restore:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.


==========


Please run at least two of these online scans.
Make sure they are set to clean automatically

Panda Virus Scan

Bit Defender

TrendMicro Housecall

There will be files that these scans will not remove. Please include that information in your next post.


Reboot and post a new hijackthis log and the info from your virus scans.
  • 0

Advertisements


#17
busymom36

busymom36

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Sorry I didn't get this done last night - didn't realize the trendmico scan would take so long....

Here are the logs (did all three online scans and hijackthis):

thx!

j.

BitDefender Online Scanner



Scan report generated at: Mon, Aug 29, 2005 - 22:05:37





Scan path: A:\;C:\;D:\;E:\;







Statistics

Time
00:41:48

Files
135353

Folders
5542

Boot Sectors
3

Archives
1056

Packed Files
17139




Results

Identified Viruses
7

Infected Files
12

Suspect Files
0

Warnings
0

Disinfected
0

Deleted Files
20




Engines Info

Virus Definitions
202944

Engine build
AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)

Scan plugins
13

Archive plugins
39

Unpack plugins
4

E-mail plugins
6

System plugins
1




Scan Settings

First Action
Disinfect

Second Action
Delete

Heuristics
Yes

Enable Warnings
Yes

Scanned Extensions
exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;

Exclude Extensions


Scan Emails
Yes

Scan Archives
Yes

Scan Packed
Yes

Scan Files
Yes

Scan Boot
Yes




Scanned File
Status

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\42DA3E83.htm=>(Quarantine-2)
Infected with: Exploit.HTML.MHT

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\42DA3E83.htm=>(Quarantine-2)
Deleted

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\458756B6.exe=>(Quarantine-2)
Infected with: Trojan.Clicker.Aura.A

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\458756B6.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\458756B6.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\458A00B3.exe=>(Quarantine-2)
Infected with: Trojan.Downloader.Apropo.G

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\458A00B3.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\458A00B3.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\54A5479B.htm=>(Quarantine-2)
Infected with: Trojan.Exploit.Html.MHT

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\54A5479B.htm=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\54A5479B.htm=>(Quarantine-2)
Deleted

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6F2D52E1.exe
Infected with: Win32.Sober.O@mm

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6F2D52E1.exe
Deleted

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6F414ECC.exe=>(Quarantine-2)
Infected with: Win32.Sober.Q@mm

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6F414ECC.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\717C58E7.exe=>(Quarantine-2)
Infected with: Win32.Sober.Q@mm

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\717C58E7.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\73D859BE.exe
Infected with: Win32.Sober.O@mm

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\73D859BE.exe
Deleted

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\748F08F5.exe
Infected with: Win32.Sober.O@mm

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\748F08F5.exe
Deleted

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\749906EA.exe=>(Quarantine-2)
Infected with: Win32.Sober.Q@mm

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\749906EA.exe=>(Quarantine-2)
Deleted

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\786A0224.exe=>(Quarantine-2)
Infected with: Trojan.Downloader.Adload.A

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\786A0224.exe=>(Quarantine-2)
Disinfection failed

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\786A0224.exe=>(Quarantine-2)
Deleted

C:\WINDOWS\uctfkeu.exe
Infected with: Trojan.Clicker.Aura.A

C:\WINDOWS\uctfkeu.exe
Disinfection failed

C:\WINDOWS\uctfkeu.exe
Deleted


Trend Micro Housecall Virus Scan0 virus cleaned, 2 viruses deleted


Results:
We have detected 2 infected file(s) with 2 virus(es) on your
computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 2 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected FileAssociated Virus NameAction Taken
C:\Program Files\Common
Files\InetGet\mc-110-12-0000079.exeTROJ_DLOADER.ZTDeletion
successful
C:\Program Files\Common
Files\Windows\mc-110-12-0000079.exeTROJ_DLOADER.ZTDeletion
successful




Trojan/Worm Check1 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a
Trojan seems like a harmless program, it contains malicious
code and once installed can cause damage to your computer.
Results:
We have detected 1 Trojan horse program(s) and worm(s) on your
computer. Only 0 out of 0 Trojan horse programs and worms are
displayed: - 0 worm(s)/Trojan(s) passed, 0
worm(s)/Trojan(s) no action available
- 1 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s)
undeletable
Trojan/Worm NameTrojan/Worm TypeAction Taken
WORM_SOBER.UWormDeletion successful




Spyware Check7 spyware programs removed

What we checked:
Whether personal information was tracked and reported by
spyware. Spyware is often installed secretly with legitimate
programs downloaded from the Internet.
Results:
We have detected 7 spyware(s) on your computer. Only 0 out of
0 spywares are displayed: - 0 spyware(s) passed, 0
spyware(s) no action available
- 7 spyware(s) removed, 0 spyware(s) unremovable
Spyware NameSpyware TypeAction Taken
COOKIE_45CookieRemoval successful
COOKIE_281CookieRemoval successful
COOKIE_442CookieRemoval successful
COOKIE_722CookieRemoval successful
COOKIE_1020CookieRemoval successful
COOKIE_1802CookieRemoval successful
COOKIE_2136CookieRemoval successful




Microsoft Vulnerability Check47 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues
Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 47 vulnerability/vulnerabilities on your
computer. Only 0 out of 0 vulnerabilities are displayed.
Risk LevelIssueHow to Fix
CriticalThis vulnerability could allow an attacker
to access information from other Web sites, access
files on a user's system, and run arbitrary code
on a user's system, wherein this is executed under
the security context of the currently logged on
user.;This vulnerability could allow an attacker
to save a file on the users system. This is due to
dynamic HTML events related to the drag-and-drop
of Internet Explorer.;This vulnerability, which is
due to the incorrect parsing of URLs which contain
special characters, could allow an attacker to
trick a user by presenting one URL in the address
bar, wherein it actually contains the content of
another web site of the attackers choice.
MS04-004
Highly CriticalThe LSASS vulnerability is a buffer
overrun vulnerability allows remote code
execution.;The LDAP vulnerability is a denial of
service (DoS) vulnerability that causes the
service in a Windows 2000 domain controller
responsible for authenticating users in an Active
Directory domain to stop responding.;The PCT
vulnerability is a buffer overrun vulnerability in
the Private Communications Transport (PCT)
protocol, a part of the SSL library, that allows
remote code execution.;The Winlogon vulnerability
is a buffer overrun vulnerability in the Windows
logon process (winlogon) that allows remote code
execution.;The Metafile vulnerability is a buffer
overrun vulnerability that exists in the rendering
of Windows Metafile (WMF) and Enhanced Metafile
(EMF) image formats.;The Help and Support Center
vulnerability allows remote code execution and is
due to the way Help and Support Center handles HCP
URL validation.;The Utility Manager vulnerability
is a privilege elevation vulnerability that exists
due to the way that Utility Manager launches
applications.;The Windows Management vulnerability
is a privilege elevation vulnerability that when
successfully exploited allows a local attacker to
take complete control of a system by executing
commands at the system privilege level.;The Local
Descriptor Table vulnerability is a privilege
elevation vulnerability that when successfully
exploited allows a local attacker to take complete
control of a system by executing commands at with
system privileges.;The H.323 vulnerability is a
buffer overrun vulnerability that when
successfully exploited can allows attackers to
gain full control of a system by arbitrarily
executing commands with system privileges.;Virtual
DOS Machine vulnerability is a privilege elevation
vulnerability that when successfully exploited
allows a local attacker to gain full control of a
system by executing commands with system
privileges.;The Negotiate SSP vulnerability is a
buffer overrun vulnerability that exists in
Microsoft's Negotiate Security Service Provider
(SSP) interface and allows remote code
execution.;The SSL vulnerability exists due to the
way SSL packets are handled and can causes the
affected systems to stop responding to SSL
connection requests.;The ASN.1 'Double-Free'
vulnerability exists in Microsoft's Abstract
Syntax Notation One (ASN.1) Library and allows
remote code execution at the system privilege
level. MS04-011
CriticalThe RPC Runtime Library vulnerability is a
remote code execution vulnerability that results
from a race condition when the RPC Runtime Library
processes specially crafted messages. An attacker
who successfully exploits this vulnerability could
take complete control of an affected system.;The
RPCSS Service denial of service (DoS)
vulnerability allows a malicious user or malware
to send specially-crafted messages to a vulnerable
system, which causes the RPCSS Service to stop
responding.;The RPC Over HTTP vulnerability may be
used to launch a denial of service (DoS) attack
against a system with CIS or RPC over HTTP Proxy
enabled.;When successfully exploited, the Object
Identity vulnerability allows an attacker to force
currently running applications to open network
communication ports, thereby opening a system to
remote attacks. MS04-012
CriticalThe MHTML URL Processing Vulnerability
allows remote attackers to bypass domain
restrictions and execute arbitrary code via script
in a compiled help (CHM) file that references the
InfoTech Storage (ITS) protocol handlers.This
could allow an attacker to take complete control
of an affected system. MS04-013
CriticalThis vulnerability exists in the Help and
Support Center (HCP) and is due to the way it
handles HCP URL validation. This vulnerability
could allow an attacker to remotely execute
arbitrary code with Local System privileges.
MS04-015
ModerateA denial of service (DoS) vulnerability
exists in Outlook Express that could cause the
said program to fail. The malformed email should
be removed before restarting Outlook Express in
order to regain its normal operation. MS04-018
CriticalThis vulnerability lies in an unchecked
buffer within the Task Scheduler component. When
exploited, it allows the attacker to execute
arbitrary code on the affected machine with the
same privileges as the currently logged on user.
MS04-022
CriticalAn attacker who successfully exploits this
vulnerability could gain the same privileges as
that of the currently logged on user. If the user
is logged in with administrative privileges, the
attacker could take complete control of the
system. User accounts with fewer privileges are at
less risk than users with administrative
privileges. MS04-023
CriticalThe Navigation Method Cross-Domain
Vulnerability is a remote execution vulnerability
that exists in Internet Explorer because of the
way that it handles navigation methods. An
attacker could exploit this vulnerability by
constructing a malicious Web page that could
potentially allow remote code execution if a user
visits a malicious Web site.;The Malformed BMP
File Buffer Overrun Vulnerability exists in the
processing of BMP image file formats that could
allow remote code execution on an affected
system.;The Malformed GIF File Double Free
Vulnerability is a buffer overrun vulnerability
that exists in the processing of GIF image file
formats that could allow remote code execution on
an affected system. MS04-025
CriticalThis vulnerability lies in the way the
affected components process JPEG image files. An
unchecked buffer within this process is the cause
of the vulnerability.;This remote code execution
vulnerability could allow a malicious user or a
malware to take complete control of the affected
system if the affected user is currently logged on
with administrative privileges. The malicious user
or malware can execute arbitrary code on the
system giving them the ability to install or run
programs and view or edit data with full
privileges. Thus, this vulnerability can
conceivably be used by a malware for replication
purposes. MS04-028
ImportantAn unchecked buffer exists in the NetDDE
services that could allow remote code execution.
An attacker who is able to successfully exploit
this vulnerability is capable of gaining complete
control over an affected system. However, the
NetDDe services are not automatically executed,
and so would then have to be manually started for
an attacker to exploit this vulnerability. This
vulnerability also allows attackers to perform a
local elevation of privilege, or a remote denial
of service (DoS) attack. MS04-031
CriticalThis cumulative release from Microsoft
covers four newly discovered vulnerabilities:
Windows Management Vulnerability, Virtual DOS
Machine Vulnerability, Graphics Rendering Engine
Vulnerability, and Windows Kernel Vulnerability.
MS04-032
CriticalThis is another privately reported
vulnerability about Windows Compressed Folders.
There is vulnerability on the way that Windows
processes Compressed (Zipped) Folders that could
lead to remote code execution. Windows can not
properly handle the extraction of the ZIP folder
with a very long file name. Opening a specially
crafted compressed file, a stack-based overflow
occurs, enabling the remote user to execute
arbitrary code. MS04-034
CriticalThis security bulletin focuses on the
following vulnerabilities: Shell Vulnerability
(CAN-2004-0214), and Program Group Converter
Vulnerability (CAN-2004-0572). Shell vulnerability
exists on the way Windows Shell launches
applications that could enable remote malicious
user or malware to execute arbitrary code.
Windows Shell function does not properly check the
length of the message before copying to the
allocated buffer. Program Group Converter is an
application used to convert Program Manager Group
files that were produced in Windows 3.1, Windows
3.11, Windows for Workgroups 3.1, and Windows for
Workgroups 3.11 so that they can still be used by
later operating systems. The vulnerability lies in
an unchecked buffer within the Group Converter
Utility. MS04-037
CriticalThis is a remote code execution
vulnerability that exists in the Internet
Explorer. It allows remote code execution on an
affected system. An attacker could exploit this
vulnerability by constructing a malicious Web
Page. The said routine could allow remote code
execution if a user visited a malicious Web site.
An attacker who successfully exploited this
vulnerability could take complete control of an
affected system. However, significant user
interaction is required to exploit this
vulnerability. MS04-038
CriticalThis security update addresses and
resolves a vulnerability in Internet Explorer that
could allow remote code execution. A Web page can
be crafted to exploit this vulnerability such that
an arbitrary application can be executed on
visiting systems with the same priviledge as the
currently logged on user. MS04-040
ImportantThis security advisory explains the two
discovered vulnerabilities in Microsoft Word for
Windows 6.0 Converter, which is used by WordPad in
converting Word 6.0 to WordPad file format. Once
exploited, this remote code execution
vulnerability could allow a malicious user or a
malware to take complete control of the affected
system if the affected user is currently logged on
with administrative privileges. MS04-041
CriticalA remote code execution vulnerability
exists in HyperTerminal because of a buffer
overrun. If a user is logged on with administrator
privileges, an attacker could exploit the
vulnerability by constructing a malicious
HyperTerminal session file that could potentially
allow remote code execution and then persuade a
user to open this file. This malicious file may
enable the attacker to gain complete control of
the affected system. This vulnerability could also
be exploited through a malicious Telnet URL if
HyperTerminal had been set as the default Telnet
client. MS04-043
ImportantThis security update addresses and
resolves two windows vulnerabilites, both of which
may enable the current user to take control of the
affected system. Both of these vulnerabilites
require that the curernt user be able to log on
locally and execute programs. They cannot be
exploited remotely, or by anonymous users. A
privilege elevation vulnerability exists in the
way that the Windows Kernel launches applications.
This vulnerability could allow the current user to
take complete control of the system. A privilege
elevation vulnerability exists in the way that the
LSASS validates identity tokens. This
vulnerability could allow the current user to take
complete control of the affected system. MS04-044
CriticalThis update resolves a newly-discovered,
publicly reported vulnerability. A vulnerability
exists in the HTML Help ActiveX control in Windows
that could allow information disclosure or remote
code execution on an affected system. MS05-001
CriticalThis update resolves several
newly-discovered, privately reported and public
vulnerabilities. An attacker who successfully
exploited the most severe of these vulnerabilities
could take complete control of an affected system,
install programs, view, change, or delete data, or
create new accounts that have full privileges.
MS05-002
ImportantThis update resolves a newly-discovered,
privately reported vulnerability. An attacker who
successfully exploited this vulnerability could
take complete control of an affected system. An
attacker could then install programs, view,
change, or delete data, or create new accounts
with full privileges. While remote code execution
is possible, an attack would most likely result in
a denial of service condition. MS05-003
ImportantThis is an information disclosure
vulnerability. An attacker who successfully
exploits this vulnerability could remotely read
the user names for users who have an open
connection to an available shared resource.
MS05-007
ImportantThis remote code execution vulnerability
exists in the way Windows handles drag-and-drop
events. An attacker could exploit the
vulnerability by constructing a malicious Web page
that could potentially allow an attacker to save a
file on the users system if a user visited a
malicious Web site or viewed a malicious e-mail
message. MS05-008
CriticalThis remote code execution vulnerability
exists in Server Message Block (SMB). It allows an
attacker who successfully exploits this
vulnerability to take complete control of the
affected system. MS05-011
CriticalThis privilege elevation vulnerability
exists in the way that the affected operating
systems and programs access memory when they
process COM structured storage files. This
vulnerability could grant a currently logged-on
user to take complete control of the system.;This
remote code execution vulnerability exists in OLE
because of the way that it handles input
validation. An attacker could exploit the
vulnerability by constructing a malicious document
that could potentially allow remote code
execution. MS05-012
CriticalThis vulnerability exists in the DHTML
Editing Component ActiveX Control. This
vulnerability could allow information disclosure
or remote code execution on an affected system.
MS05-013
CriticalThis update resolves known vulnerabilities
affecting Internet Explorer. An attacker who
successfully exploits these vulnerabilities could
take complete control of an affected system. An
attacker could then install programs; view,
change, or delete data; or create new accounts
with full user rights. MS05-014
CriticalA remote code execution vulnerability
exists in the Hyperlink Object Library. This
problem exists because of an unchecked buffer
while handling hyperlinks. An attacker could
exploit the vulnerability by constructing a
malicious hyperlink which could potentially lead
to remote code execution if a user clicks a
malicious link within a Web site or e-mail
message. MS05-015
ImportantA remote code execution vulnerability
exists in the Windows Shell because of the way
that it handles application association. If a user
is logged on with administrative privileges, an
attacker who successfully exploited this
vulnerability could take complete control of the
affected system. However, user interaction is
required to exploit this vulnerability. MS05-016
ImportantThis security bulletin resolves
newly-discovered, privately-reported
vulnerabilities affecting Windows. An attacker who
successfully exploited the most severe of these
vulnerabilities could take complete control of an
affected system. An attacker could then install
programs; view, change, or delete data; or create
new accounts with full user rights. MS05-018
CriticalThis security bulletin resolves newly
discovered, privately-reported vulnerabilities
affecting Windows. An attacker who successfully
exploited the most severe of these vulnerabilities
could take complete control of an affected system.
An attacker could then install programs; view,
change, or delete data; or create new accounts
with full user rights. However, an attacker who
successfully exploited the most severe of these
vulnerabilities would most likely cause the
affected system to stop responding. MS05-019
CriticalThis security bulletin resolves three
newly-discovered, privately-reported
vulnerabilities affecting Internet Explorer. If a
user is logged on with administrative user rights,
an attacker who successfully exploited any of
these vulnerabilities could take complete control
of an affected system. An attacker could then
install programs; view, change, or delete data; or
create new accounts with full user rights.
MS05-020
CriticalThis security bulletin resolves the
following vulnerabilities affecting Internet
Explorer.; The PNG Image Rendering Memory
Corruption vulnerability could allow an attacker
to execute arbitrary code on the system because of
a vulnerability in the way Internet Explorer
handles PNG images.; The XML Redirect Information
Disclosure vulnerability could allow an attacker
to read XML data from another Internet Explorer
domain because of a vulnerability in the way
Internet Explorer handles certain requests to
display XML content. MS05-025
CriticalHTML Help is the standard help system for
the Windows platform. Authors can use it to create
online Help files for a software application or
content for a multimedia title or a Web site.
This vulnerability in HTML Help could allow
attackers to execute arbitrary code on the
affected system via a specially crafted Compiled
Windows Help (CHM) file, because it does not
completely validate input data. MS05-026
CriticalA remote code execution vulnerability
exists in the Microsofts implementation of the
Server Message Block (SMB) protocol, which could
allow an attacker to execute arbitrary codes to
take complete control over a target system. This
vulnerability could be exploited over the
Internet. An attacker would have to transmit a
specially crafted SMB packet to a target system to
exploit it. However, failure to successfully
exploit the vulnerability could only lead to a
denial of service. MS05-027
ImportantA vulnerability exists in the way that
Windows processes Web Client requests, which could
allow a remote attacker to execute arbitrary code
and take complete control over the affected
system. MS05-028
ImportantA remote code execution vulnerability
exists in Outlook Express when it is used as a
newsgroup reader. An attacker could exploit this
vulnerability by constructing a malicious
newsgroup server that could that potentially allow
remote code execution if a user queried the server
for news. MS05-030
ModerateThis vulnerability could enable an
attacker to spoof trusted Internet content because
security prompts can be disguised by a Microsoft
Agent character. MS05-032
ModerateThis vulnerability in the Microsoft Telnet
client could allow an attacker to gain sensitive
information about the affected system and read the
session variables of users who have open
connections to a malicious Telnet server.
MS05-033
CriticalThis vulnerability could allow a remote
attacker to execute arbitrary codes on the
affected system via a malicious image file in a
Web site or email message. This vulnerability
exists because of the way Microsoft Color
Management Module handles ICC profile format tag
validation. MS05-036
CriticalA COM object, the JView Profiler
(Javaprxy.dll), contains a remote code execution
vulnerability that could allow an attacker to take
complete control of an affected system by hosting
a malicious Web site. MS05-037
CriticalThis security bulletin resolves the
following vulnerabilities found in Internet
Explorer: (1) JPEG Image Rendering Memory
Corruption vulnerability, which allows remote code
execution when exploited by a remote malicious
user, (2) Web Folder Behaviors Cross-Domain
vulnerability, allows information disclosure or
remote code execution on an affected system, and
(3) COM Object Instantiation Memory Corruption
vulnerability, which exists in the way Internet
Explorer lists the instances of COM Objects that
are not intended to be used in Internet Explorer.
MS05-038
ImportantThis security advisory explains a
vulnerability in the Telephony Application
Programming Interface (TAPI) service that could
allow remote code execution. Attackers who
successfully exploits the said vulnerability can
take complete control of an affected system. They
could then install programs, view, change, or
delete data, and create new accounts with full
user rights. MS05-040
ModerateA remote malicious user can use the
process employed by the Remote Desktop Protocol
(RDP) to validate data to cause a denial of
service (DoS) attack, which stops an affected
machine from responding and causing it to
automatically restart. MS05-041
ModerateThis security bulletin resolves the
following vulnerabilities found in Microsoft
Windows: (1) the Kerberos vulnerability, which is
a denial of service vulnerability that allows an
attacker to send a specially crafted message to a
Windows domain controller, making the service that
is responsible for authenticating users in an
Active Directory domain to stop responding, and
(2)the PKINIT vulnerability, which is an
information disclosure and spoofing vulnerability
that allows an attacker to manipulate certain
information that is sent from a domain controller
and potentially access sensitive client network
communication. MS05-042
CriticalA remote code execution vulnerability in
the Printer Spooler service allows an attacker who
successfully exploits this vulnerability to take
complete control of the affected system. MS05-043



Incident Status Location

Adware:adware/popuper No disinfected C:\DOCUMENTS AND SETTINGS\JULIE\FAVORITES\Buy Viagra Online.url
Adware:adware/cws No disinfected C:\DOCUMENTS AND SETTINGS\JULIE\FAVORITES\Online Poker.url
Adware:adware/topspyware No disinfected C:\PROGRAM FILES\WINDOWS MEDIA PLAYER\wmplayer.exe.tmp
Adware:adware/bookedspace No disinfected C:\WINDOWS\cfgmgr52.ini
Adware:adware program No disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/pacimedia No disinfected C:\DOCUMENTS AND SETTINGS\JULIE\FAVORITES\1111
Adware:adware/delfinmedia No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl
Adware:adware/bigtrafficnet No disinfected Windows Registry
Adware:Adware/Imibar No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2E9545DE-4489-4A7E-9446-89358D\F8CC2E7C-55FB-4252-97EC-E4FDF3
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\614D1BD7-F7BD-493C-9900-FF420F\7A642CF1-896C-41C4-BE32-64666E
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\614D1BD7-F7BD-493C-9900-FF420F\8B031F7A-3F84-47D7-A228-54FC0B
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\614D1BD7-F7BD-493C-9900-FF420F\994F023B-6FF6-463A-9B32-37FF10
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\614D1BD7-F7BD-493C-9900-FF420F\9F22FCE9-002B-4C5D-95AF-0FEB1A
Adware:Adware/Maxifiles No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\68F7217B-3D8B-45F3-AEC1-0C7963\0A1253C0-E107-48CA-8050-091320
Adware:Adware/ConsumerAlertSystemNo disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\8BC75A8C-87EA-4BFD-B3DA-DE8C96\821A2C91-7019-425D-8736-E8B70F
Adware:Adware/AdDestroyer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\947321D1-EC22-4947-9882-94D02A\76534BF3-4663-40F9-94C2-D8319C
Adware:Adware/VirtualBouncer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\947321D1-EC22-4947-9882-94D02A\83748564-6A76-421D-A257-809070
Adware:Adware/AdDestroyer No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\947321D1-EC22-4947-9882-94D02A\AD1F83E2-B738-4741-BD54-61673A
Spyware:Spyware/SafeSurf No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\950EAEB4-FE7D-44FF-B247-F2330C\BD661A30-B4F4-4E6D-8DC3-8B2C45
Spyware:Spyware/Cydoor No disinfected C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
Adware:Adware/Look2Me No disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp
Possible Virus. No disinfected C:\Program Files\Zone.Com Deluxe Games\Puzzle Inlay Deluxe\inlaydlx.bin
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
Adware:Adware/Alexa No disinfected C:\WINDOWS\SYSTEM32\usbhdctl.exe Logfile of HijackThis v1.99.1
Scan saved at 9:01:19 AM, on 8/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar5.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar5.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar5.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar5.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar5.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar5.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124669789296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec
  • 0

#18
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Yes, it can take a while if you have a big hard drive. :)

Delete these files that Panda found:

C:\DOCUMENTS AND SETTINGS\JULIE\FAVORITES\Buy Viagra Online.url
C:\DOCUMENTS AND SETTINGS\JULIE\FAVORITES\Online Poker.url
C:\WINDOWS\SYSTEM32\Shex.exe
C:\WINDOWS\SYSTEM32\usbhdctl.exe
C:\WINDOWS\cfgmgr52.ini
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs <-- delete this folder
C:\DOCUMENTS AND SETTINGS\JULIE\FAVORITES\1111 <-- delete this folder
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\vidctrl <-- delete this folder
C:\Program Files\Windows Media Player\wmplayer.exe.tmp




Aside from that, your log looks pretty good. :tazz:

How are things on your end? Any problems?
  • 0

#19
busymom36

busymom36

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi,

Still getting the Norton w32.desktophijack notice, but otherwise everything seems pretty good. Ran a couple of scans - Norton, Microsoft Giant, and Ewido. Microsoft didn't pick up anything, Norton came up with a few cookies and the one virus. The Ewido scan is attached as is another hijackthis log.

This virus is a little bugger, huh! It's a shame the people who dream up these things couldn't put their brains to better use - like creating alternative fuel sources!

Don't know what I would've done without you - probably thrown my computer out the window!

thx,

j.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:19:13 PM, 8/30/2005
+ Report-Checksum: 6C86219D

+ Scan result:

C:\WINDOWS\SYSTEM32\actsetup.exe -> Backdoor.Lamebot.v : Cleaned with backup
C:\WINDOWS\SYSTEM32\gdb32.exe -> Backdoor.Lamebot.v : Cleaned with backup
C:\Documents and Settings\JULIE\Cookies\julie@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\JULIE\Cookies\julie@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\JULIE\Cookies\julie@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\JULIE\Cookies\julie@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\JULIE\Cookies\julie@cnn.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\JULIE\Cookies\julie@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup


::Report EndLogfile of HijackThis v1.99.1
Scan saved at 6:32:55 PM, on 8/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar5.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar5.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar5.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar5.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar5.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar5.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124669789296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#20
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
I have a feeling I know what Norton is finding. Can you post the log file from your Norton scan or at least post the information from the file that it keeps finding?
  • 0

#21
busymom36

busymom36

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Good morning - here is the info from Norton. It doesn't appear to be running, but when I did the Ewido scan yesterday, it did find the PSguard stuff again and removed it, so I'm not sure what is still floating around. This is the only thing other than cookies that the scans are finding.

thx!

j.

Source: C:\WINDOWS\system32\WININET.dll
Click for more information about this threat : W32.Desktophijack

When W32.Desktophijack is executed, it performs the following actions:


Displays the following message:




Regardless of whether the user chooses YES or NO, it creates the following files:


%Windir%\uninstIU.exe (detected as Trojan.Desktophijack.B)
%System%\oleadm.dll (detected as Trojan.Desktophijack.B)
%System%\wp.bmp

Notes:
%System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows (Windows 95/98/Me/XP) or C:\Winnt (Windows NT/2000).


Copies the file %System%\wininet.dll as %System%\oleadm32.dll and inserts code into %System%\oleadm32.dll.

Note: The code hooks all the calls to the function HttpSendRequest and transfers them to oleadm.dll. oleadm.dll can monitor what pages have been
accessed and send the log to the following web sites:


[http://]ecjnoe3inwe.com/[REMOVED]
[http://]fjrewcer32.com/[REMOVED]
[http://]dkjfwekjnc4.com/[REMOVED]


Adds the values:

"AllowProtectedRenames" = "1"
"PendingFileRenameOperations" = "\??\%System%\oleadm32.dll !\??\%System%\wininet.dll"

to the registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager

so that the original wininet.dll file will be replaced with oleadm32.dll after the compromised computer is restarted.


Adds the value:

"WindowsFZ" = "[PATH TO EXECUTABLE FILE]"

to the registry subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

so that the risk runs every time Windows starts.


Modifies the value:

"Background" = "1 2 172"

in the registry subkey:

HKEY_CURRENT_USER\Control Panel\Colors

to modify the desktop background color.


Adds the values:

"WallpaperStyle" = "0"
"Wallpaper" = "%System%\wp.bmp"

to the registry subkey:

HKEY_CURRENT_USER\Control Panel\Desktop

to modify the desktop wallpaper.


Creates the following registry subkey:

HKEY_CLASSES_ROOT\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3}


Modifies the values:

"NoDispAppearancePage" = "1"
"NoDispBackgroundPage" = "1"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System


Modifies the value:

"NoActiveDesktopChanges" = "1"

in the registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer


Adds following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet update


Changes the desktop wallpaper to an image with one of following texts:


Warning!
Your computer is infected!
Security warning
A fatal error in IE has occured at 0028:C0011E36 in UXD UMM01 *
00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c
* System cannot function in normal mode.
Please check your security settings.
* Scan your PC with any available antivirus / spyware remover program to
fix this problem.


Downloads and installs one of the following files:


[http://]206.161.200.34/[REMOVED]
[http://]download.psguard.com/[REMOVED]
  • 0

#22
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Please download SmitRem.zip
  • Save the file to your desktop.
  • Right click on the file and extract it to it's own folder on the desktop.


Reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* if you have trouble getting into Safe mode go here for more info.



Once in Safe mode, follow these steps:
  • Open the smitRem folder, then double click the RunThis.bat file to start the tool. [list]
  • Follow the prompts on screen.
  • Wait for the tool to complete and disk cleanup to finish.
  • The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with a new hijackthis log.

  • 0

#23
busymom36

busymom36

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Good morning!

No w32.desktophijack notice this am!!!! Whoopie!!!! Came down to earth when I ran hijack this and found oodles of google domains in the log again. Fixed those and ran a second log. Am assuming they may have popped up prior to running previous steps, and we're all set?

Anyway......you are the best!! I'll be featuring your site in my next email newletter (I own a small mortgage company). As my kids say, "You guys rock!"

Many, many thanks to you personally and to Geeks for creating this site.

j.


smitRem log file
version 2.3

by noahdfear

The current date is: Wed 08/31/2005
The current time is: 19:21:30.14

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! :)


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

Online Pharmacy.url


~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

wininet.dll INFECTED!! :tazz: Starting replacement procedure.


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ dllcache\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll ~~~~


~~~~ KB890923\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll ~~~~


~~~~ KB867282\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll ~~~~


~~~~ KB883939\SP2QFE\wininet.dll not present! ~~~~


~~~~ Looking for C:\WINDOWS\ServicePackFiles\i386\wininet.dll ~~~~


~~~~ C:\WINDOWS\ServicePackFiles\i386\wininet.dll Present! ~~~~


~~~~ Checking C:\WINDOWS\ServicePackFiles\i386\wininet.dll for infection ~~~~


~~~~ ServicePackFiles\i386\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from ServicePackFiles\i386 ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~


First log

Logfile of HijackThis v1.99.1
Scan saved at 8:46:39 AM, on 9/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O1 - Hosts: 69.31.81.22 www.google.ae
O1 - Hosts: 69.31.81.22 www.google.am
O1 - Hosts: 69.31.81.22 www.google.as
O1 - Hosts: 69.31.81.22 www.google.at
O1 - Hosts: 69.31.81.22 www.google.az
O1 - Hosts: 69.31.81.22 www.google.be
O1 - Hosts: 69.31.81.22 www.google.bi
O1 - Hosts: 69.31.81.22 www.google.ca
O1 - Hosts: 69.31.81.22 www.google.cd
O1 - Hosts: 69.31.81.22 www.google.cg
O1 - Hosts: 69.31.81.22 www.google.ch
O1 - Hosts: 69.31.81.22 www.google.ci
O1 - Hosts: 69.31.81.22 www.google.cl
O1 - Hosts: 69.31.81.22 www.google.co.cr
O1 - Hosts: 69.31.81.22 www.google.co.hu
O1 - Hosts: 69.31.81.22 www.google.co.il
O1 - Hosts: 69.31.81.22 www.google.co.in
O1 - Hosts: 69.31.81.22 www.google.co.je
O1 - Hosts: 69.31.81.22 www.google.co.jp
O1 - Hosts: 69.31.81.22 www.google.co.ke
O1 - Hosts: 69.31.81.22 www.google.co.kr
O1 - Hosts: 69.31.81.22 www.google.co.ls
O1 - Hosts: 69.31.81.22 www.google.co.nz
O1 - Hosts: 69.31.81.22 www.google.co.th
O1 - Hosts: 69.31.81.22 www.google.co.ug
O1 - Hosts: 69.31.81.22 www.google.co.uk
O1 - Hosts: 69.31.81.22 www.google.co.ve
O1 - Hosts: 69.31.81.22 www.google.com
O1 - Hosts: 69.31.81.22 www.google.com.ag
O1 - Hosts: 69.31.81.22 www.google.com.ar
O1 - Hosts: 69.31.81.22 www.google.com.au
O1 - Hosts: 69.31.81.22 www.google.com.br
O1 - Hosts: 69.31.81.22 www.google.com.co
O1 - Hosts: 69.31.81.22 www.google.com.cu
O1 - Hosts: 69.31.81.22 www.google.com.do
O1 - Hosts: 69.31.81.22 www.google.com.ec
O1 - Hosts: 69.31.81.22 www.google.com.fj
O1 - Hosts: 69.31.81.22 www.google.com.gi
O1 - Hosts: 69.31.81.22 www.google.com.gr
O1 - Hosts: 69.31.81.22 www.google.com.gt
O1 - Hosts: 69.31.81.22 www.google.com.hk
O1 - Hosts: 69.31.81.22 www.google.com.ly
O1 - Hosts: 69.31.81.22 www.google.com.mt
O1 - Hosts: 69.31.81.22 www.google.com.mx
O1 - Hosts: 69.31.81.22 www.google.com.my
O1 - Hosts: 69.31.81.22 www.google.com.na
O1 - Hosts: 69.31.81.22 www.google.com.nf
O1 - Hosts: 69.31.81.22 www.google.com.ni
O1 - Hosts: 69.31.81.22 www.google.com.np
O1 - Hosts: 69.31.81.22 www.google.com.pa
O1 - Hosts: 69.31.81.22 www.google.com.pe
O1 - Hosts: 69.31.81.22 www.google.com.ph
O1 - Hosts: 69.31.81.22 www.google.com.pk
O1 - Hosts: 69.31.81.22 www.google.com.pr
O1 - Hosts: 69.31.81.22 www.google.com.py
O1 - Hosts: 69.31.81.22 www.google.com.sa
O1 - Hosts: 69.31.81.22 www.google.com.sg
O1 - Hosts: 69.31.81.22 www.google.com.sv
O1 - Hosts: 69.31.81.22 www.google.com.tr
O1 - Hosts: 69.31.81.22 www.google.com.tw
O1 - Hosts: 69.31.81.22 www.google.com.ua
O1 - Hosts: 69.31.81.22 www.google.com.uy
O1 - Hosts: 69.31.81.22 www.google.com.vc
O1 - Hosts: 69.31.81.22 www.google.com.vn
O1 - Hosts: 69.31.81.22 www.google.de
O1 - Hosts: 69.31.81.22 www.google.dj
O1 - Hosts: 69.31.81.22 www.google.dk
O1 - Hosts: 69.31.81.22 www.google.es
O1 - Hosts: 69.31.81.22 www.google.fi
O1 - Hosts: 69.31.81.22 www.google.fm
O1 - Hosts: 69.31.81.22 www.google.fr
O1 - Hosts: 69.31.81.22 www.google.gg
O1 - Hosts: 69.31.81.22 www.google.gl
O1 - Hosts: 69.31.81.22 www.google.gm
O1 - Hosts: 69.31.81.22 www.google.hn
O1 - Hosts: 69.31.81.22 www.google.ie
O1 - Hosts: 69.31.81.22 www.google.it
O1 - Hosts: 69.31.81.22 www.google.kz
O1 - Hosts: 69.31.81.22 www.google.li
O1 - Hosts: 69.31.81.22 www.google.lt
O1 - Hosts: 69.31.81.22 www.google.lu
O1 - Hosts: 69.31.81.22 www.google.lv
O1 - Hosts: 69.31.81.22 www.google.mn
O1 - Hosts: 69.31.81.22 www.google.ms
O1 - Hosts: 69.31.81.22 www.google.mu
O1 - Hosts: 69.31.81.22 www.google.mw
O1 - Hosts: 69.31.81.22 www.google.nl
O1 - Hosts: 69.31.81.22 www.google.no
O1 - Hosts: 69.31.81.22 www.google.off.ai
O1 - Hosts: 69.31.81.22 www.google.pl
O1 - Hosts: 69.31.81.22 www.google.pn
O1 - Hosts: 69.31.81.22 www.google.pt
O1 - Hosts: 69.31.81.22 www.google.ro
O1 - Hosts: 69.31.81.22 www.google.ru
O1 - Hosts: 69.31.81.22 www.google.rw
O1 - Hosts: 69.31.81.22 www.google.se
O1 - Hosts: 69.31.81.22 www.google.sh
O1 - Hosts: 69.31.81.22 www.google.sk
O1 - Hosts: 69.31.81.22 www.google.sm
O1 - Hosts: 69.31.81.22 www.google.td
O1 - Hosts: 69.31.81.22 www.google.tm
O2 - BHO: (no name) - {4FA2B39B-A7DA-983C-68E6-5B095A4118FD} - C:\DOCUME~1\MATT\LOCALS~1\Temp\unoxedmrytg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar5.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar5.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar5.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar5.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar5.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar5.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124669789296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

2nd log:

Logfile of HijackThis v1.99.1
Scan saved at 8:49:16 AM, on 9/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O2 - BHO: (no name) - {4FA2B39B-A7DA-983C-68E6-5B095A4118FD} - C:\DOCUME~1\MATT\LOCALS~1\Temp\unoxedmrytg.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar5.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar5.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar5.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar5.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar5.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar5.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124669789296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#24
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Excellent! :) :tazz:

I'm a little concerned about the hosts file entries showing up suddenly like that. But it looks like you took care of them.

Fix this line with Hijackthis:

O2 - BHO: (no name) - {4FA2B39B-A7DA-983C-68E6-5B095A4118FD} - C:\DOCUME~1\MATT\LOCALS~1\Temp\unoxedmrytg.dll (file missing)



I'm going to leave your thread open for a couple weeks in case any of your problems return, but in the meantime here are some suggestions to keep you out of trouble.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millenium System Restore

    or

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:) :)
  • 0

#25
busymom36

busymom36

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi Sam,

Glad you kept this post open, as norton found the virus again. This time it showed up in a different file. The message is:

C:\WINDOWS\SYSTEM32\usbhdctl.exe is infected with the Trojan.Desktop.B virus.

The only thing I can think of that we've done, is my son uninstalled Empire Earth Gold Edition as it was freezing up and re-installed it. This program does connect to the internet as it can be played in a multiplayer format. He did this yesterday, and then we got the virus message when Norton ran last night, so I'm assuming the two are connected.

Do you have any information on this? I'd hate to tell him he can't run the game as he purchased it with his own $$$. Do we have any recourse with Sierra?

Let me know what you think.

Thanks!

J.
  • 0

Advertisements


#26
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
It's doubtful that it's directly related to your son's game. Post a hijackthis log and I'll take a look.
  • 0

#27
busymom36

busymom36

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Sorry for the delay - here's the hijack log:

Thanks,

j.

Logfile of HijackThis v1.99.1
Scan saved at 4:40:17 PM, on 9/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\All Users\Documents\HijackThis.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Configuration Utility.lnk = C:\Program Files\MA311 PCI Adapter Configuration Utility\wlanutil.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar5.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar5.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar5.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar5.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar5.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar5.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124669789296
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#28
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
Your log still looks clean to me. Are you having any problems now?

I would strongly recommend installing SP2 and any other Windows updates that are available.
  • 0

#29
busymom36

busymom36

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Hi,

No other problems and Norton didn't pick up anything last night. I'll try downloading SP2. Back when everything was a mess, I did an automatic update from Microsoft, but I couldn't get it to load at the time. I was going to wait until everything got cleaned up.

Have done everything else - have multiple spyware detection programs and Norton running and set up the firewall.

I should know better - we're very well protected at work but let Norton expire on the kids computer.

Live and Learn.

Thx!

j.
  • 0

#30
Buckeye_Sam

Buckeye_Sam

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 10,019 posts
I'm glad I could help. :tazz:

Installing SP2 along with an up to date antivirus will certainly go a long way towards keeping you clean.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP