
Problem with PSGuard [RESOLVED]


This topic is locked

#1
beremat
    New Member
  • Member
  • 9 posts
Hi,

I'm having problems with that program that warns me about spyware and viruses and wants me to buy their protection program.

I went through all the steps in the "You must read this before..."

Here's the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 23:18:25, on 12-09-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\Downloads\Nettoyage\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.security2...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.security2k.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.security2...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.security2...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.security2...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.security2...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.security2k.net
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~2\COPERN~1\COPERN~1.DLL
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hpBE5E.tmp
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\programes\Copernic Agent\CopernicAgentExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Chercher avec Copernic Agent - res://C:\programes\Copernic Agent\CopernicAgentExt.rdl/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Démarrer Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_fr.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z....llInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Thanks in advance

beremat

#2
skate_punk_21
    Malware Removal Expert
  • Retired Staff
  • 1,049 posts
Downloads
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.

View Hidden Files and Folders
Go to My Computer > Tools > Folder Options > View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.security2...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.security2k.net/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.security2...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.security2...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.security2...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.security2...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.security2k.net
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hpBE5E.tmp
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://appldnld.m7z....llInstaller.exe

Please remember to close all other windows, including browsers then click Fix checked.

File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\system32\hpBE5E.tmp

Run Downloaded Programs
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Further Scanning
Please run a Scan at the Following site
Panda ActiveScan

Make sure that you choose the "fix" or "clean" option when available.
At the end of this scan you will be given the option to save a log from the scan -SAVE THAT LOG- and post it here.

Post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
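The triage skate_punk_21 does by eye above (every R0/R1 browser setting has been pointed at one domain, and a BHO is being loaded from a .tmp file instead of a DLL) can be scripted for the next log that arrives. The following is an added example written for this page; it is not code from the forum, from HijackThis or from any tool named in the thread. It parses HijackThis-format entry lines and reports R0/R1 settings whose host is not on an analyst-supplied allowlist, plus O2 BHOs not backed by a .dll. The sample lines are constructed (modelled on the first log in this thread, with one made-up clean BHO and a Start Page entry added); the allowlist and the non-DLL heuristic are assumptions of the example, not rules from the thread.

```python
import re
from urllib.parse import urlparse

# Constructed sample in HijackThis v1.99.1 entry format, modelled on the lines
# quoted in this thread. Not a real log capture; the zero GUID and helper.dll
# are made up to show a BHO that passes the check.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.security2k.net/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.security2k.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: HomepageBHO - {893fad3a-931e-4e53-b515-b1426d63799b} - C:\WINDOWS\system32\hpBE5E.tmp
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# An entry line is a section code (R0..R3, F0.., N1.., O1..O23) followed by " - ".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")


def parse_entries(log_text):
    """Yield (code, body) for every HijackThis entry line in the log text."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("code"), m.group("body")


def host_of(value):
    """Lower-cased hostname of an http(s) URL, or None for values like about:blank."""
    parsed = urlparse(value.strip())
    if parsed.scheme in ("http", "https") and parsed.hostname:
        return parsed.hostname.lower()
    return None


def triage(log_text, allowed_hosts):
    """Return a list of (code, reason, body) findings.

    R0/R1: the browser setting points at a host outside allowed_hosts.
    O2:    the BHO is loaded from something other than a .dll (heuristic
           assumed here; the .tmp BHO in this thread is the motivating case).
    """
    findings = []
    for code, body in parse_entries(log_text):
        if code in ("R0", "R1") and " = " in body:
            key, value = body.split(" = ", 1)
            host = host_of(value)
            if host is not None and host not in allowed_hosts:
                setting = key.rsplit(",", 1)[-1]  # e.g. "Search Bar"
                findings.append((code, f"browser setting '{setting}' points to {host}", body))
        elif code == "O2":
            path = body.rsplit(" - ", 1)[-1]
            if not path.lower().endswith(".dll"):
                findings.append((code, f"BHO loaded from non-DLL file {path}", body))
    return findings


def suspicious_hosts(findings):
    """Distinct hosts behind the R0/R1 findings: one hijack domain rather than seven lines."""
    hosts = set()
    for code, _reason, body in findings:
        if code in ("R0", "R1"):
            hosts.add(host_of(body.split(" = ", 1)[1]))
    return sorted(hosts)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG, {"www.google.com"})
    for code, reason, body in results:
        print(f"[{code}] {reason}\n      {body}")
    print("hijack hosts:", ", ".join(suspicious_hosts(results)))
```

Passing a real log's text as `log_text` works the same way. Note what the script deliberately does not judge: O4 Run keys, O16 DPF downloads and O23 services are left to the analyst, so no findings from this script is not the same as a clean machine; and URLs that the forum has truncated with "..." will parse to a mangled host, which still lands outside any allowlist.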

#3
beremat
    New Member
  • Topic Starter
  • Member
  • 9 posts
Hi Skate_punk_21,

I had to follow your instructions twice, since the hijackthis scan reported the same malware after the first pass. It seems to be OK now.
Here are the logs as you requested:

________________________________________________________________
smitRem log file
version 2.3
by noahdfear

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!
ShudderLTD key was successfully removed! :tazz:

Pre-run Files Present
~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Post-run Files Present

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

__________________________________________________________

EWIDO LOG: (since my system is in French, ewido installed in French...Sorry)

---------------------------------------------------------
ewido security suite - Rapport de scan
---------------------------------------------------------

+ Créé le: 21:27:31, 17-09-2005
+ Somme de contrôle: D518FAE7

+ Résultats du scan:

HKU\S-1-5-21-3009342548-809299238-1685927933-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Nettoyer et sauvegarder
HKU\S-1-5-21-3009342548-809299238-1685927933-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -> Spyware.ComLoad : Nettoyer et sauvegarder
C:\Documents and Settings\Éric\Cookies\éric@com[2].txt -> Spyware.Cookie.Com : Nettoyer et sauvegarder
C:\WINDOWS\system32\checkIn.dll -> Dialer.Generic : Nettoyer et sauvegarder


::Fin du rapport

___________________________________________________________________

PANDA LOG: (1st pass)

Incident Status Location

Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ld123B.tmp
Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ld3627.tmp
Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ld893B.tmp
Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ldAAD6.tmp
Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ldAF89.tmp
Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ldB352.tmp
Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ldB9BA.tmp
Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ldBAE3.tmp
Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ldC0CF.tmp
Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ldC1AA.tmp
Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ldC66C.tmp
Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ldC6BB.tmp
Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ldCBCB.tmp
Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ldCD71.tmp
Virus:Trj/Downloader.ETA Disinfected C:\WINDOWS\system32\ldF91D.tmp
Virus:Trj/Agent.AMU Disinfected C:\WINDOWS\system32\mssearchnet.exe
Virus:Trj/Agent.AMU Disinfected C:\WINDOWS\system32\msvol.tlb
Adware:Adware/Startpage.AHR No disinfected C:\WINDOWS\system32\nvctrl.exe

PANDA LOG: (2nd pass)


Incident Status Location

Adware:Adware/Startpage.AHR No disinfected C:\WINDOWS\system32\nvctrl.exe
NOTE: I WAS ABLE TO DELETE THAT "nvctrl" FILE MANUALLY.

___________________________________________________________________

HIJACKTHIS log


Logfile of HijackThis v1.99.1
Scan saved at 11:42:54, on 18-09-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Downloads\Nettoyage\Hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~2\COPERN~1\COPERN~1.DLL
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\programes\Copernic Agent\CopernicAgentExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Fichiers communs\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: Lancement rapide d'Adobe Reader.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Chercher avec Copernic Agent - res://C:\programes\Copernic Agent\CopernicAgentExt.rdl/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Démarrer Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~2\COPERN~1\COPERN~1.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...RdxIE601_fr.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Service Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHIE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Fichiers communs\Symantec Shared\SNDSrvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



Finally, my ZoneAlarm just warned me again that "winlogon" was trying to access the internet. I refused to let the program go out. I didn't take the time to note the address it was trying to reach. I will reboot and repost the details about that event. I don't know if it's normal or a possible threat....

beremat

#4
beremat
    New Member
  • Topic Starter
  • Member
  • 9 posts
OK,

The zonealarm warning can be translated as follows:

WINLOGON.EXE tries to access the internet
Destination IP: 69.50.188.51 HTTP


I really don't know what winlogon is trying to do and I will not allow it to go there.

Bye

Edited by beremat, 18 September 2005 - 04:24 PM.


#5
skate_punk_21
    Malware Removal Expert
  • Retired Staff
  • 1,049 posts
Download MWaveScan
  • Double-click mwav.exe and unzip it to its default Directory @ C:\Kaspersky
  • Locate "kavupd.exe" in the New Folder and Double Click to Update.
  • If it says the signatures are more than 30 days old, keep trying!
  • Keep trying until you get the actual signatures! (it will say "downloading yadda yadda yadda")
  • When you see "Updates downloaded Successfully, please press any key to continue" go ahead, but do not run anything else in this folder...

Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


Now go to the Kaspersky folder-> Locate and Double Click "mwavscan.com" to launch the MWAV Scanner!

Once opened-> Leave the Default Settings "ticked" and add a "tick" to "Drives"-> this will light up "All Drives"-> Add a "tick" to "Scan all Files"-> Click "Scan Clean" to begin!
This Scan may take Several Hours or more to Complete, depending on the Hard Drive Size!

Please be sure it is Completed before proceeding!

1. Once the Scan has finished, All entries Identified as Infected will be displayed in the lower pane! - Highlight everything that is inside the lower pane and press Ctrl+C at the same time to Copy!
2. Open a Blank Notepad Page and Paste the results (Ctrl+V) to it and Save it to your Desktop!

Post that log here

#6
beremat
    New Member
  • Topic Starter
  • Member
  • 9 posts
I was thinking it was OK but it wasn't...

Here's the log from MWaveScan:

File C:\WINDOWS\system32\c_85hell.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\dsprtesp.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\ld40EC.tmp infected by "Trojan-Downloader.Win32.Zlob.am" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\ldABE0.tmp infected by "Trojan-Downloader.Win32.Zlob.am" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\ldDCD3.tmp infected by "Trojan-Downloader.Win32.Zlob.am" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\msdthost.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\ntshircl.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\winlcp32.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: File Renamed.
File C:\WINDOWS\system32\wmvdpres.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: File Renamed.
File C:\Downloads\Nettoyage\Hijackthis\backups\backup-20050911-194147-801.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\Downloads\Nettoyage\Hijackthis\backups\backup-20050911-194640-615.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\Downloads\Nettoyage\Hijackthis\backups\backup-20050911-221900-841.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\Downloads\Nettoyage\Hijackthis\backups\backup-20050912-211341-107.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\Downloads\Nettoyage\Hijackthis\backups\backup-20050912-211406-358.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\Downloads\Nettoyage\Hijackthis\backups\backup-20050912-212409-586.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\Downloads\Nettoyage\Hijackthis\backups\backup-20050913-212059-751.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\Downloads\Nettoyage\Hijackthis\backups\backup-20050917-194704-596.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\Downloads\Nettoyage\Hijackthis\backups\backup-20050917-223112-659.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034613.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034616.exe infected by "Trojan-Downloader.Win32.Small.ait" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034617.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034618.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034619.exe infected by "Trojan-Clicker.Win32.Small.dx" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034626.exe infected by "Trojan-Downloader.Win32.Small.ait" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034627.exe infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034628.exe infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034629.dll infected by "Virus.Win32.Nsag.b" Virus. Action Taken: File Disinfected.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034630.exe infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034651.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034656.dll infected by "Trojan-Downloader.Win32.Agent.iu" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034657.dll infected by "Trojan-Downloader.Win32.Agent.iu" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034658.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034659.exe infected by "Trojan-Clicker.Win32.Small.dv" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034660.exe infected by "Trojan-Clicker.Win32.Small.dx" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0034661.exe tagged as not-a-virus:AdWare.WinAD.p. No Action Taken.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0035292.dll tagged as not-a-virus:AdWare.WinAD. No Action Taken.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0035380.EXE tagged as not-a-virus:AdWare.ToolBar.MyWay.b. No Action Taken.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0035381.DLL tagged as not-a-virus:AdWare.ToolBar.MyWay.m. No Action Taken.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0035398.EXE tagged as not-a-virus:Client-IRC.Win32.mIRC.601. No Action Taken.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0035766.exe tagged as not-a-virus:AdWare.Cydoor. No Action Taken.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0035817.EXE tagged as not-a-virus:AdWare.Gator.1050. No Action Taken.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0036416.EXE tagged as not-a-virus:AdWare.Altnet.m. No Action Taken.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0037586.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0037980.EXE tagged as not-a-virus:AdWare.ToolBar.MyWay.b. No Action Taken.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP191\A0037981.DLL tagged as not-a-virus:AdWare.ToolBar.MyWay.m. No Action Taken.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP192\A0040091.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040110.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040480.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040716.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040718.dll infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040748.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040757.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040766.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040776.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040785.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040841.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040848.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040859.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040868.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040881.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040891.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040905.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040913.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040943.dll infected by "Trojan.Win32.Dialer.ks" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040949.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040953.exe infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0042022.exe infected by "Trojan-Downloader.Win32.Zlob.am" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP194\A0042062.exe infected by "Trojan.Win32.StartPage.acv" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042115.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042116.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042117.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042118.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042119.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042120.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042121.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042122.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042123.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042124.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042125.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042126.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042127.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042128.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042129.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
  • 0

#7
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
How are things running now?? Improvements? :tazz:
Let me know. If everything looks good, then I'll post my prevention speech.
  • 0

#8
beremat

beremat

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Oh yeah, everything looks good. As I said, I was under the impression that the system was clean until you asked me to scan it with MWaveScan and I saw the bad stuff being removed. Even the winlogon prompt had stopped, which let me know it was OK.

Thanks a lot to you skate_punk_21 for your help, and to Geeks to Go Forum for this site.


Now, you can go with your prevention speech... I'll read it!


Thanks again


Beremat
  • 0

#9
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Congratulations Your Log is Clean!!

If you are still having trouble, please don't continue with these instructions just yet. LET ME KNOW!

Otherwise, we have a few clean up items to deal with.

1. System Restore
Now that we know your system is clean, we want to purge any potentially infected restore points. To do that, complete the following:

Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

To re-enable this function, simply uncheck this same box, and click "Apply" and "OK".


2. Reset Hidden Files & Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is UNchecked. Also make sure that the System Files and Folders are invisible. CHECK the Hide protected operating system files option.


Also Consider...
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:
How is she running now? Any further problems? If not, Good work, and Happy Computing!

Please reply once more so we know you have read these measures.
  • 0
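The reason for step 1 is visible in the scan log posted earlier in this thread: the detections sit inside System Volume Information\_restore{...}\RPnnn, i.e. inside restore points. As an added example (not from the thread, not MWaveScan's own tooling), here is a small Python parser for lines in that log format which counts hits per action and per restore point and flags anything outside the restore folder, which purging restore points would not clear. The sample lines are constructed in the log's format; the last one is a made-up path outside the restore folder.

```python
import re
from collections import Counter

# Constructed sample in the format of the MWaveScan lines posted in this thread.
# The last line is a constructed entry outside the restore folder, to show how it is flagged.
SAMPLE_LOG = r"""
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP193\A0040848.tlb infected by "Trojan.Win32.Puper.az" Virus. Action Taken: File Deleted.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042115.dll infected by "Virus.Win32.Bayan-based" Virus. Action Taken: File Renamed.
File C:\System Volume Information\_restore{51C59784-4740-4DD0-BFBD-2D3F85C37A8A}\RP196\A0042121.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Deleted.
File C:\WINDOWS\system32\constructed_example.dll infected by "Trojan.Win32.Small.fs" Virus. Action Taken: File Renamed.
"""

# One detection line: path, quoted detection name, and the action the scanner took.
LINE_RE = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. '
    r'Action Taken: (?P<action>[^.]+)\.$'
)
# Restore-point copies live under \System Volume Information\_restore{GUID}\RPnnn\
RP_RE = re.compile(r"\\_restore\{[^}]+\}\\(RP\d+)\\", re.IGNORECASE)


def parse_log(text):
    """Return one dict per detection line: path, name, action, restore point (or None)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines and non-detection output are ignored
        rp = RP_RE.search(m["path"])
        entries.append({
            "path": m["path"],
            "name": m["name"],
            "action": m["action"],
            "restore_point": rp.group(1) if rp else None,
        })
    return entries


def summarize(entries):
    """Count detections by action taken and by restore point."""
    return {
        "by_action": Counter(e["action"] for e in entries),
        "by_restore_point": Counter(e["restore_point"] for e in entries if e["restore_point"]),
    }


def live_detections(entries):
    """Paths outside the restore folder: purging restore points does not touch these."""
    return [e["path"] for e in entries if e["restore_point"] is None]
```

Run `summarize(parse_log(SAMPLE_LOG))` to get the per-action and per-restore-point counts; `live_detections` returns only the constructed system32 path, the one item step 1 would leave in place.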

#10
beremat

beremat

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Yes, skate_punk_21,

I've read your suggestions and I'll try to apply most of them.

Thanks again


Beremat
  • 0

#11
skate_punk_21

skate_punk_21

    Malware Removal Expert

  • Retired Staff
  • 1,049 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0