[chin2]

Hi, I think my PC got infected by WareOut, and also read other people's problem about that too in this forum. I try to fix it myself, usually it works after learning from other people's experiences, but this time I gave up.

I didn't know the problem is very difficult for my PC until the internet connection was very slow since yesterday. I think right now my PC performance is so slow too. When online, I got windows pop-ups about security warning, and XP balloon on the right bottom corner on my desktop. The balloon said that my antivirus is bad and spyware activity was detected on my PC. Right now there's a strange file on my temporary internet files folder named NavBar.xml from hcp://system/panels/NavBar.xml. 2 days ago the file was Balloon.xml and I deleted it, but this time I didn't delete NavBar.xml first, because I thought the main problem wasn't from that file.

About that pop-ups, when I click yes, it goes to www.cyber-spywarexxxx (I forgot the completel url) and actually it was from c:\windows\system32\rdsndin.exe, I had Zone Alarm so I block the connection to there.

After that, I try to find that file myself, but I couldn't find it on that folder, I don't know why. Please help me with this, here's my Hijackthis log file (I put a lot of lines on my ignore lists, because it was very old lines and I already know wasn't dangerous. But I just realized, how to put the lines on ignore list back into normal?):


Logfile of HijackThis v1.99.1
Scan saved at 09:36:57, on 08/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\UPSmart\UPServ.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\UPSmart\UPSmart.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\khooker.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgbhp.exe
E:\My Documents\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=090205 serial=DR12WRG-4078828-VNG lang=EN
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: UPSmartDB9 - Unknown owner - C:\Program Files\UPSmart\UPServ.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

[Advertisements]

my Symantec Antivirus Auto-Protected just caught rdsndin.exe and hclean32.exe and quarantined them, but my PC performance and my Internet Explorer still working slower than usual.

Btw, I already scan with AdAware, Spybot - Search & Destroy, CWShredder, AboutBuster, SpywareDoctor and Symantec Antivirus too. All of them couldn't solve the problems and the spyware/trojan still on my computer.

Regards,
Chin

[chin2]

my Symantec Antivirus Auto-Protected just caught rdsndin.exe and hclean32.exe and quarantined them, but my PC performance and my Internet Explorer still working slower than usual.

Btw, I already scan with AdAware, Spybot - Search & Destroy, CWShredder, AboutBuster, SpywareDoctor and Symantec Antivirus too. All of them couldn't solve the problems and the spyware/trojan still on my computer.

Regards,
Chin

[chin2]

Please help me anyone, I don't remember exactly what I did myself to trying to solving my PC problem, but right now this is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 09:40:56, on 09/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPSmart\UPServ.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\UPSmart\UPSmart.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\khooker.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\fpdisp4.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
E:\My Documents\HijackThis.exe

O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=091705 serial=DR12WRG-4078828-VNG lang=EN
O4 - HKLM\..\Run: [KAV50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0 -chkss
O17 - HKLM\System\CCS\Services\Tcpip\..\{1D5CE4C8-3601-4F04-83EA-77B855F5F4DA}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{66F99341-C2F7-4A7A-B243-8AC030C089D3}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{83B18492-ED0B-4596-8ED7-AC5580691363}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{F655F44F-245A-470B-8529-D24B4E9E01DA}: NameServer = 195.95.218.34,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{FBA23C77-A359-4BB6-AD21-38DA9DA6F668}: NameServer = 195.95.218.34 85.255.112.7
O23 - Service: Kaspersky Anti-Virus Service (KLBLMain) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe" -run bl -n PersonalPro -v 5.0.0.0 -ttsr 10000000 (file missing)