Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

It was my turn to deal with Win AntiSpyware


  • This topic is locked This topic is locked

#1
Steelman

Steelman

    New Member

  • Member
  • Pip
  • 3 posts
Now it was my turn to be infected with this plague. I followed all your instructions and tryied dozens of programs and it was impossible to remove this annoying popup.

Here is my HiJack This log. Please, help me and thanks for your help:

Logfile of HijackThis v1.99.1
Scan saved at 4:22:23, on 13-09-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Lexmark 7100 Series\lxbxmon.exe
C:\Programas\Lexmark 7100 Series\ezprint.exe
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\Programas\Microsoft AntiSpyware\gcasServ.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
G:\Telemóvel\WatchDog.exe
C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programas\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
C:\Programas\Java\jre1.5.0_02\bin\jusched.exe
C:\Programas\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\Programas\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programas\Microsoft AntiSpyware\gcasDtServ.exe
G:\Webshots\webshots.scr
C:\WINDOWS\System32\GEARSec.exe
C:\Programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Programas\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Programas\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Programas\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ofps.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\NORTON~3\navw32.exe
C:\Programas\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tsf.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.publico.pt/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
F2 - REG:system.ini: Shell=Explorer.exe install32m.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar2.dll
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Programas\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Programas\Lexmark 7100 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Programas\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WatchDog] G:\Telemóvel\WatchDog.exe
O4 - HKLM\..\Run: [Talki] C:\Programas\IOL\Talki\softphone.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=091505 serial=dr12wex-1504397-kty lang=BP
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Programas\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
O4 - HKLM\..\Run: [sys2339] C:\WINDOWS\system32\sys2339.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Programas\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Talki] C:\Programas\IOL\Talki\softphone.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Webshots.lnk = G:\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\programas\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programas\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programas\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programas\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Programas\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Similar Pages - res://c:\programas\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programas\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.geoweb.pt...r2/mgaxctrl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123530993968
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mcfG7A - C:\WINDOWS\SYSTEM32\mcfG7A.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbxcoms.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Programas\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Programas\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Programas\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OmniForm Printer - Unknown owner - C:\WINDOWS\system32\ofps.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Programas\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHEI~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

Advertisements


#2
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome Steelman to Geeks to Go!

Download the Killbox.
Unzip it to the desktop

Double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each

C:\WINDOWS\SYSTEM32\install32m.exe

For these file, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.
Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

***

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

***

Then run HijackThis, click Scan, and place a checkmark by the following item:

F2 - REG:system.ini: Shell=Explorer.exe install32m.exe

O4 - HKLM\..\Run: [sys2339] C:\WINDOWS\system32\sys2339.exe

O20 - Winlogon Notify: mcfG7A - C:\WINDOWS\SYSTEM32\mcfG7A.dll


Close all open windows except for HijackThis and click Fix Checked.

***

Download and install Cleanup from here (Alternate site if the above is not working, go Here)

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

***

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log.
  • 0

#3
Steelman

Steelman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Dear g2i2r4:

Thank you so much for your help! I did what you told me and the results of the ActiveScan was null in every points analised. Bellow you will find the actual HJT log. I already opened several times my IE browser and I didn't found any problem. At this moment I'm waiting for my new credit card from my bank, so in a few days you can be assured that I will make a donation for all this project! Certainly, deserve it!

Thanks again,

Steelman
PORTUGAL



Logfile of HijackThis v1.99.1
Scan saved at 17:34:22, on 13-09-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2

(6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Symantec

Shared\ccEvtMgr.exe
C:\Programas\Ficheiros comuns\Symantec

Shared\ccSetMgr.exe
C:\Programas\Ficheiros comuns\Symantec

Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\Ficheiros comuns\Symantec

Shared\ccApp.exe
C:\Programas\Lexmark 7100 Series\lxbxmon.exe
C:\Programas\Lexmark 7100 Series\ezprint.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\Programas\Norton SystemWorks\Norton

AntiVirus\navapsvc.exe
C:\Programas\Microsoft

AntiSpyware\gcasServ.exe
C:\Programas\Ficheiros

comuns\Real\Update_OB\realsched.exe
C:\Programas\QuickTime\qttask.exe
G:\Telemóvel\WatchDog.exe
C:\Programas\Norton SystemWorks\Norton

Ghost\Agent\PQV2iSvc.exe
C:\Programas\Google\Google Desktop

Search\GoogleDesktop.exe
C:\Programas\Microsoft

AntiSpyware\gcasDtServ.exe
C:\Programas\Google\Google Desktop

Search\GoogleDesktopIndex.exe
C:\Programas\Google\Google Desktop

Search\GoogleDesktopDisplay.exe
C:\Programas\Google\Google Desktop

Search\GoogleDesktopCrawl.exe
C:\Programas\Norton SystemWorks\Norton

AntiVirus\IWP\NPFMntor.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\ABBYY FineReader 7.0 Professional

Edition\AbbyyNewsReader.exe
C:\Programas\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Programas\Norton SystemWorks\Norton

Ghost\Agent\GhostTray.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Adobe\Acrobat

6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\nvsvc32.exe
G:\Webshots\webshots.scr
C:\WINDOWS\system32\ofps.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.E

XE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec

Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\lxbxcoms.exe
C:\Programas\Google\Google Desktop

Search\GoogleDesktopOE.exe
C:\WINDOWS\explorer.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Start Page = http://www.tsf.pt/
R0 - HKLM\Software\Microsoft\Internet

Explorer\Main,Start Page =

http://www.publico.pt/
R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Window Title = Microsoft

Internet Explorer
R0 - HKCU\Software\Microsoft\Internet

Explorer\Toolbar,LinksFolderName =

Hiperligações
R3 - URLSearchHook: (no name) -

{BE89472C-B803-4D1D-9A9A-0A63660E0FE3} -

C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: AcroIEHlprObj Class -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Programas\Adobe\Acrobat

6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper -

{AA58ED58-01DD-4d91-8333-CF10577473F7} -

c:\programas\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class -

{AE7CD045-E861-484f-8273-0445EE161910} -

C:\Programas\Adobe\Acrobat

6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper -

{BDF3E430-B101-42AD-A544-FADC6B084872} -

C:\Programas\Norton SystemWorks\Norton

AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -

{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -

C:\Programas\Norton SystemWorks\Norton

AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF -

{47833539-D0C5-4125-9FA8-0819E2EAAC93} -

C:\Programas\Adobe\Acrobat

6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google -

{2318C2B1-4965-11d4-9B18-009027A5CD4F} -

c:\programas\google\googletoolbar2.dll
O3 - Toolbar: Copernic Agent -

{F2E259E8-0FC8-438C-A6E0-342DD80FA53E} -

C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe

/startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck]

C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp]

"C:\Programas\Ficheiros comuns\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy]

"C:\Programas\Ficheiros comuns\Symantec

Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [lxbxmon.exe]

"C:\Programas\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1]

"C:\Programas\Lexmark 7100 Series\fm3032.exe"

/s
O4 - HKLM\..\Run: [EzPrint]

"C:\Programas\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [MessengerPlus3]

"C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [gcasServ]

"C:\Programas\Microsoft

AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe]

"C:\Programas\Ficheiros

comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task]

"C:\Programas\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [WatchDog]

G:\Telemóvel\WatchDog.exe
O4 - HKLM\..\Run: [Talki]

C:\Programas\IOL\Talki\softphone.exe
O4 - HKLM\..\Run: [Google Desktop Search]

"C:\Programas\Google\Google Desktop

Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite

11b] C:\Programas\Corel\Corel Graphics

12\Languages\BR\Programs\Registration.exe

/title="CorelDRAW Graphics Suite 12"

/date=091505 serial=dr12wex-1504397-kty

lang=BP
O4 - HKLM\..\Run: [FineReader7NewsReaderPro]

C:\Programas\ABBYY FineReader 7.0 Professional

Edition\AbbyyNewsReader.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched]

C:\Programas\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0]

C:\Programas\Norton SystemWorks\Norton

Ghost\Agent\GhostTray.exe
O4 - HKCU\..\Run: [MessengerPlus3]

"C:\Programas\MessengerPlus! 3\MsgPlus.exe"

/WinStart
O4 - HKCU\..\Run: [Talki]

C:\Programas\IOL\Talki\softphone.exe
O4 - HKCU\..\Run: [Norton SystemWorks]

"C:\Programas\Norton SystemWorks\cfgwiz.exe"

/GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A}

/MODE CfgWiz
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN

Messenger\msnmsgr.exe" /background
O4 - Startup: Webshots.lnk =

G:\Webshots\Launcher.exe
O4 - Global Startup: Acrobat Assistant.lnk =

C:\Programas\Adobe\Acrobat

6.0\Distillr\acrotray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet

Explorer\Control Panel present
O8 - Extra context menu item: &Google Search -

res://c:\programas\google\GoogleToolbar2.dll/c

msearch.html
O8 - Extra context menu item: &Translate

English Word -

res://c:\programas\google\GoogleToolbar2.dll/c

mwordtrans.html
O8 - Extra context menu item: Backward Links -

res://c:\programas\google\GoogleToolbar2.dll/c

mbacklinks.html
O8 - Extra context menu item: Cached Snapshot

of Page -

res://c:\programas\google\GoogleToolbar2.dll/c

mcache.html
O8 - Extra context menu item: E&xportar para o

Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/

3000
O8 - Extra context menu item: Search Using

Copernic Agent - res://C:\Programas\Copernic

Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SE

ARCHEXT
O8 - Extra context menu item: Similar Pages -

res://c:\programas\google\GoogleToolbar2.dll/c

msimilar.html
O8 - Extra context menu item: Translate Page

into English -

res://c:\programas\google\GoogleToolbar2.dll/c

mtrans.html
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Programas\Java\jre1.5.0_02\bin\npjpi150_02.

dll
O9 - Extra 'Tools' menuitem: Sun Java Console

- {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Programas\Java\jre1.5.0_02\bin\npjpi150_02.

dll
O9 - Extra button: (no name) -

{193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} -

C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic

Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084}

- C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent -

{688DC797-DC11-46A7-9F1B-445F4F58CE6E} -

C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Pesquisar -

{92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger

- {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Programas\Messenger\msmsgs.exe
O16 - DPF:

{1F2F4C9E-6F09-47BC-970D-3C54734667FE}

(LSSupCtl Class) -

http://www.symantec....pp/asa/LSSupCtl.

cab
O16 - DPF:

{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}

(Symantec AntiVirus scanner) -

http://security.syma...cv6/SharedConte

nt/vc/bin/AvSniff.cab
O16 - DPF:

{62789780-B744-11D0-986B-00609731A21D}

(Autodesk MapGuide ActiveX Control) -

http://www.geoweb.pt...r2/mgaxctrl.cab
O16 - DPF:

{644E432F-49D3-41A1-8DD5-E099162EEEC5}

(Symantec RuFSI Utility Class) -

http://security.syma...cv6/SharedConte

nt/common/bin/cabsa.cab
O16 - DPF:

{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}

(MUWebControl Class) -

http://update.micros...rosoftupdate/v6

/V5Controls/en/x86/client/muweb_site.cab?11235

30993968
O16 - DPF:

{74D05D43-3236-11D4-BDCD-00C04F9A3B61}

(HouseCall Control) -

http://a840.g.akamai...537/2004061001/

housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF:

{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}

(ActiveScan Installer Class) -

http://www.pandasoft...tivescan/as5fre

e/asinst.cab
O16 - DPF:

{B38870E4-7ECB-40DA-8C6A-595F0A5519FF}

(MsnMessengerSetupDownloadControl Class) -

http://messenger.msn...ad/MsnMessenger

SetupDownloader.cab
O16 - DPF:

{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078}

(ActiveDataInfo Class) -

http://www.symantec....pp/asa/SymAData.

cab
O18 - Protocol: msnim -

{828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file

missing)
O20 - Winlogon Notify: mcfG7A -

C:\WINDOWS\SYSTEM32\mcfG7A.dll
O23 - Service: Symantec Event Manager

(ccEvtMgr) - Symantec Corporation -

C:\Programas\Ficheiros comuns\Symantec

Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation

(ccPwdSvc) - Symantec Corporation -

C:\Programas\Ficheiros comuns\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager

(ccSetMgr) - Symantec Corporation -

C:\Programas\Ficheiros comuns\Symantec

Shared\ccSetMgr.exe
O23 - Service: GEARSecurity - GEAR Software -

C:\WINDOWS\System32\GEARSec.exe
O23 - Service: lxbx_device - Lexmark

International, Inc. -

C:\WINDOWS\system32\lxbxcoms.exe
O23 - Service: Norton AntiVirus Auto-Protect

Service (navapsvc) - Symantec Corporation -

C:\Programas\Norton SystemWorks\Norton

AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec

Corporation - C:\Programas\Norton

SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall

Monitor Service (NPFMntor) - Symantec

Corporation - C:\Programas\Norton

SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection

(NProtectService) - Symantec Corporation -

C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service

(NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OmniForm Printer - Unknown

owner - C:\WINDOWS\system32\ofps.exe
O23 - Service: SAVScan - Symantec Corporation

- C:\Programas\Norton SystemWorks\Norton

AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service

(SBService) - Symantec Corporation -

C:\PROGRA~1\FICHEI~1\SYMANT~1\SCRIPT~1\SBServ.

exe
O23 - Service: Symantec Network Drivers

Service (SNDSrvc) - Symantec Corporation -

C:\Programas\Ficheiros comuns\Symantec

Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) -

Symantec Corporation - C:\Programas\Ficheiros

comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec

Corporation -

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.E

XE
O23 - Service: Symantec Core LC - Symantec

Corporation - C:\Programas\Ficheiros

comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#4
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
A donation will be much appreciated, but let's first do this. I don't want to leave you with something...

Please go here: Jotti Virus Scan

Click the "browse" button and locate this file:

C:\WINDOWS\SYSTEM32\mcfG7A.dll

Click "Open", then click the "Submit" button. Copy the results and paste them here.
  • 0

#5
Steelman

Steelman

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I don´t know what to say! This machine is infested. Here are the results:

File: mcfG7A.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 8c1dc8542ef98f23032d887eca463719
Packers detected: -
Scanner results
AntiVir Found Trojan/Spy.Goldun.BS
ArcaVir Found Trojan.Spy.Goldun.Bs
Avast Found Win32:Goldun-L
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Trojan.PWS.Egold
F-Prot Antivirus Found nothing
Fortinet Found W32/Goldun.BS-tr
Kaspersky Anti-Virus Found Trojan-Spy.Win32.Goldun.bs
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Spy.Win32.Goldun.bs
  • 0

#6
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
:tazz: No problem, we found it, we will kill it.

Double-click Killbox.exe to run it.

Select "Delete on Reboot".
Place the following line (complete path) in bold in the "Full Path of File to Delete" box in Killbox:
C:\WINDOWS\SYSTEM32\mcfG7A.dll
Put a mark next to "Delete on Reboot"
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.

***

Reboot to safe mode.

***

Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O20 - Winlogon Notify: mcfG7A - C:\WINDOWS\SYSTEM32\mcfG7A.dll

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Reboot back to normal mode.

Post back one more HijackThis log.
Please turn of wordwrap in Notepad!
  • 0

#7
g2i2r4

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Are you using e-gold?
please change your passwords, use another computer for now to do so.


Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")




EDIT:
As there has been no reply from the original poster for more than two weeks this topic is now closed.

If you are the original poster and still need assistance, please send me a PM.

Edited by g2i2r4, 27 September 2005 - 01:26 PM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP