W32.Desktophijack [RESOLVED]


  • This topic is locked

#1
mappermom (New Member)
Anyone, anyone...

I've been trying to remove this virus for the last three days and haven't had any luck.

I have tried a number of remedies but am unsure how much (or what) information I need to provide y'all to help diagnose the problem, so have decided to await further direction.

Any help is greatly appreciated.
Please HELP!

Here is my hijack file:


Logfile of HijackThis v1.99.1
Scan saved at 5:13:12 PM, on 9/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\freecell.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [awxpRQcFQ] lsatdirg.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [DW4] C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) - http://www.contentwa...eanup3Proj1.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.kohlerplu..._bin/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {FB298ECE-4D17-414A-A5E8-FABC938796B2} (ActiveWebParts Illustration Viewer) - http://www.kohlerplu...awingViewer.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (Omega 1.6693) (P) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by mappermom, 14 September 2005 - 04:24 PM.

#2
Excal (Retired Staff)
Hi mappermom and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log, in this thread, so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

:tazz:

Excal

#3
mappermom (Topic Starter)
Thanks so much Excal.

I know you are busy, and I really appreciate all the help!
This problem is a popular little bugger. :tazz:

Warm regards,
Nina

Here is my latest hijack file:

Logfile of HijackThis v1.99.1
Scan saved at 10:08:52 AM, on 9/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [awxpRQcFQ] lsatdirg.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [DW4] C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) - http://www.contentwa...eanup3Proj1.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.kohlerplu..._bin/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {FB298ECE-4D17-414A-A5E8-FABC938796B2} (ActiveWebParts Illustration Viewer) - http://www.kohlerplu...awingViewer.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (Omega 1.6693) (P) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Edited by mappermom, 18 September 2005 - 09:15 AM.


#4
Excal (Retired Staff)
Please read this post completely; it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.


DOWNLOAD PROGRAMS


Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Download and install CleanUp! here. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.
We will use this program later.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!


THE FIX


1. Click this link to be sure you can view hidden files.

2. Ensure you are NOT connected to the internet.

3. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

4. Close all browsers, windows and unneeded programs.

5. Open HiJack and do a scan.

6. Put a Check next to the following items:

O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [awxpRQcFQ] lsatdirg.exe


7. Click the Fix Checked box.

8. Please remove just the files from the following paths using Windows Explorer (if present):

Use start>search for this file:
Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.
lsatdirg.exe


9. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

10. Open Ad-aware and do a full scan. Remove all it finds.

11. Now open and run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
  • When the scan is finished, look at the bottom of the screen and click the Save report button.
  • Save the report to your desktop
Close Ewido

12. Next go to Control Panel > click Appearance and Themes > click Display > Desktop tab > click Customize Desktop > Web tab > uncheck anything in there if present.

13. Run the program CleanUp!

14. Reboot into normal mode and please run this online virus scan: ActiveScan - Save the results from the scan!

15. Please post the Active scan log, Ewido log, smitfiles.txt log and a fresh HiJackThis log. Let me know how your computer is running.
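As an added illustration (this is not code from the thread, from HijackThis or from the smitRem tool), the following Python script applies two structural checks to the O4 autorun entries of a HijackThis log: whether the Run value launches a bare filename with no directory (so Windows resolves it through the search path) and whether the value name looks machine-generated. The sample log is the O4 section of the first log posted in this thread; the regular expression for the 1.99.1 line layout and the vowel-ratio threshold are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the O4 section of the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [awxpRQcFQ] lsatdirg.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [DW4] C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
"""

# Assumed layout of an O4 line as HijackThis 1.99.x prints it:
#   O4 - <hive>\..\<key>: [<value name>] <command>
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


@dataclass
class O4Finding:
    hive: str
    name: str
    command: str
    reasons: list = field(default_factory=list)


def split_command(cmd: str):
    """Split a Run value into (program, arguments), honouring a quoted program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end > 0:
            return cmd[1:end], cmd[end + 1:].strip()
        return cmd[1:], ""
    parts = cmd.split(" ", 1)
    return parts[0], (parts[1].strip() if len(parts) > 1 else "")


def looks_random(name: str) -> bool:
    """Assumed heuristic: 8+ letters, no spaces, fewer than 20% vowels."""
    letters = [c for c in name if c.isalpha()]
    if " " in name or len(letters) < 8:
        return False
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return vowels / len(letters) < 0.2


def check_o4(line: str):
    """Parse one O4 line; return an O4Finding (reasons may be empty) or None."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    finding = O4Finding(m["hive"], m["name"], m["cmd"])
    program, args = split_command(finding.command)
    # rundll32 is only a host process: judge the DLL it is told to load instead.
    if program.lower().endswith("rundll32.exe"):
        program = args.split(",", 1)[0].strip().strip('"')
    if "\\" not in program:
        finding.reasons.append("bare filename, resolved through the search path")
    if looks_random(finding.name):
        finding.reasons.append("random-looking value name")
    return finding


def suspicious_o4(log_text: str):
    """Return the O4 findings that tripped at least one check, in log order."""
    findings = (check_o4(line) for line in log_text.splitlines())
    return [f for f in findings if f is not None and f.reasons]


if __name__ == "__main__":
    for f in suspicious_o4(SAMPLE_LOG):
        print(f"{f.hive} [{f.name}] {f.command}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Only the [awxpRQcFQ] lsatdirg.exe entry trips both checks; the PSGuard entry that the helper also removed has a full path and a readable name, so structural checks alone do not catch it and knowledge of the tool itself still matters.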

#5
mappermom (Topic Starter)
Hello Excal,

I've followed the instructions, with two exceptions; I don't know if this is what affected the results. Both the smitrem.exe and the Ad-Aware SE files were open previously, as I already had both programs and didn't need to download them.

Thanks,
Nina

Here are the file logs you requested:

1st: Activescan Log
Incident Status Location

Spyware:spyware/smitfraud No disinfected C:\WINDOWS\SYSTEM32\ptainfo1.ico
Adware:adware/exactsearch No disinfected Windows Registry
Dialer:dialer.bb No disinfected HKEY_CLASSES_ROOT\CLSID\{7CD1F456-8BDA-45ED-BC11-4B7340E05315}
Virus:Trj/Lyus.A Disinfected C:\WINDOWS\etry\http_mon.dll

2nd: the Ewido Log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:09:55 PM, 9/18/2005
+ Report-Checksum: 1E758F81

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{120E090D-9136-4b78-8258-F0B44B4BD2AC} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8F9FBEB8-D216-4d6c-8D21-513157E09C0D} -> Spyware.Maxspeed : Cleaned with backup
:mozilla.8:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.9:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.16:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.22:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.33:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.37:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.38:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.39:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.40:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.42:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Bfast : Cleaned with backup
:mozilla.46:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Counted : Cleaned with backup
:mozilla.55:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.56:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.74:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.76:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.77:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.125:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.126:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Onestat : Cleaned with backup
:mozilla.127:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
:mozilla.131:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.136:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.137:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.146:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup
:mozilla.189:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.190:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.191:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.199:C:\Documents and Settings\David Randall\Application Data\Netscape\NSB\Profiles\jv0bjszy.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\WINDOWS\system32:jsaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup


::Report End

3rd: the Hijackthis Log


Logfile of HijackThis v1.99.1
Scan saved at 3:46:02 PM, on 9/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\freecell.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~3\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [DW4] C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~3\tools\iesdpb.dll
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {234B7457-1A7E-4268-BA71-9936F0C78BEC} (ContentCleanup3X Control) - http://www.contentwa...eanup3Proj1.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://www.kohlerplu..._bin/msxml4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O16 - DPF: {FB298ECE-4D17-414A-A5E8-FABC938796B2} (ActiveWebParts Illustration Viewer) - http://www.kohlerplu...awingViewer.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (Omega 1.6693) (P) (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6
Excal (Retired Staff)
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg (make sure that Save as Type is set to "All Files") on your Desktop. Ensure there is no space at or above REGEDIT4.


REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{7CD1F456-8BDA-45ED-BC11-4B7340E05315}]



Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer "Yes" and wait for a message to appear similar to "Merged Successfully".


Just a few random bad files and folders to clean up.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\WINDOWS\etry\http_mon.dll
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "no".

    Do that for the following files also, until you get to the last one, then click "yes" when HJT asks you to reboot.
C:\WINDOWS\SYSTEM32\ptainfo1.ico

Please remove the following folders using Windows Explorer (if present):

C:\WINDOWS\etry

Post back when you finish and tell me how your computer is running :tazz:

#7
mappermom (Topic Starter)
Hi Excal:

I have followed your directions up to the highlighted point:


-----------------

...

Just a few random bad files and folders to clean up.

Open HiJackThis
Click on the configure button on the bottom right
Click on the tab "Misc Tools"
Click on "Delete File on Reboot"
Navigate to this file - C:\WINDOWS\etry\http_mon.dll

-----------------------


...and I can't find the file at this location. I have subsequently performed a search on the system for the file (http_mon*) but had no luck finding it.

Please inform.

Have I told you how much I appreciate your time and advice?
Thanks again, you're doing a good deed and it is appreciated.
Nina

#8
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Let's use this program to see if it's still there.

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:
  • Click on FileFind.exe
  • In the box labeled "Enter the directory to search"
    • Enter Drive eg.. C:\
  • In the box labeled "Enter the file to search"
    • Enter the file or use *.(file extension) to search for the file(s)
  • Now click on the "Find" button
  • Once the utility has found the files click on "Export"
  • This will save a text file to your C:\ drive as "Export.txt"
  • Double click on Export.txt, copy and paste this information in your next post


#9
mappermom

mappermom

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Excal:

0 files were found when I searched using FileFind from Atribune:

http_mon.dll

??
Nina



This is what I found in the C:\WINDOWS\etry directory:


fgh
kbd.log
web.cnf (shortcut)

Edited by mappermom, 21 September 2005 - 09:06 AM.


#10
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
You may have to do this in safe mode, but go ahead and delete the whole folder:

C:\WINDOWS\etry


Let me know how everything is running.


Thanks,

:tazz:

Excal

#11
mappermom

mappermom

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hi Excal,
Sorry for any delays. I've deleted the folder and files as requested and have been trying since to complete a scan on Panda. The scan keeps locking up; however, it does say that it has 2 spywares.
Nina

#12
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Try this one instead :)

Kaspersky

:tazz:

Excal

#13
mappermom

mappermom

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Excal,

I finally was able to scan using Kaspersky:

Here are the results.


-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, September 23, 2005 15:57:23
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 23/09/2005
Kaspersky Anti-Virus database records: 141755
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 51240
Number of viruses found: 8
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 2371 sec

Infected Object Name - Virus Name
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2F4B1625 Infected: Trojan-Clicker.JS.Linker.h
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\325147B1 Infected: Trojan-Clicker.JS.Linker.h
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\33841DB6.exe Infected: Trojan-Proxy.Win32.Ranky.bu
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\368F4839.dll Infected: Trojan-Downloader.Win32.Agent.bc
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\418974A3.exe Infected: Backdoor.Win32.Agent.mo
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42B50B58.exe Infected: Backdoor.Win32.Agent.mo
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\495E40E0.exe Infected: Trojan-Proxy.Win32.Ranky.bp
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\50464F4B Infected: Trojan-Clicker.JS.Linker.h
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\50A166E6 Infected: Trojan-Clicker.JS.Linker.h
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\64626BF3.exe Infected: Trojan-Proxy.Win32.Ranky.bp
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\646515EF.exe Infected: Trojan-Proxy.Win32.Ranky.bu
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\76682B83.anr Infected: Trojan-Downloader.Win32.Ani.c
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\766E7F7C.chm/main.htm Infected: Trojan-Downloader.JS.Miner
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\766E7F7C.chm Infected: Trojan-Downloader.JS.Miner
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\76F11A29.exe Infected: Trojan-Proxy.Win32.Ranky.by

Scan process completed.



Does this mean that the viruses are all in quarantine?? And the system is safe??
Nina

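The question the report raises is whether every "Infected" path sits inside an antivirus quarantine folder (inert) or somewhere it could still run. As an added example (not code from the thread), this parses the "Infected Object Name" section of a Kaspersky On-line Scanner report and splits findings into quarantined and live; the sample report is constructed from three lines of the post plus one made-up live hit with a placeholder detection name.

```python
"""Triage a Kaspersky On-line Scanner report: quarantined vs. live findings.

Added example, not part of the original thread. The Norton quarantine path
is the one that appears in the report above.
"""
import re

# Report lines look like "<path> Infected: <detection name>".
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)$")

# Folders whose contents are already neutralised by an AV product.
QUARANTINE_DIRS = [
    r"C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine",
]

# Constructed sample: three real lines from the report plus one invented
# live hit (the detection name is a placeholder, not a real signature).
SAMPLE_REPORT = r"""Scan Statistics:
Number of infected objects: 4

Infected Object Name - Virus Name
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\33841DB6.exe Infected: Trojan-Proxy.Win32.Ranky.bu
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\418974A3.exe Infected: Backdoor.Win32.Agent.mo
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\766E7F7C.chm/main.htm Infected: Trojan-Downloader.JS.Miner
C:\WINDOWS\etry\http_mon.dll Infected: Constructed.Example.Detection

Scan process completed.
"""


def parse_report(text):
    """Return [(path, detection), ...] from the 'Infected Object Name' section."""
    findings, in_section = [], False
    for line in text.splitlines():
        if line.startswith("Infected Object Name"):
            in_section = True
            continue
        m = INFECTED_RE.match(line.strip()) if in_section else None
        if m:
            findings.append((m.group("path"), m.group("name")))
    return findings


def is_quarantined(path, quarantine_dirs=QUARANTINE_DIRS):
    """True if path lies under a quarantine folder (case-insensitive, whole-component match)."""
    p = path.lower()
    return any(p.startswith(q.lower().rstrip("\\") + "\\") for q in quarantine_dirs)


def triage(text):
    """Split findings into (quarantined, live); 'live' is what still needs action."""
    quarantined, live = [], []
    for path, name in parse_report(text):
        (quarantined if is_quarantined(path) else live).append((path, name))
    return quarantined, live
```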

#14
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Yes, those are all in Norton, and those are safe. I would suggest clearing it out :)

Great job, it appears your computer is clean :tazz:

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

I recommend that you Defrag your computer before setting your Restore points:

Go to start>all programs>accessories>system tools>Disk Defragmenter. Make sure it is set to the proper drive (default should be your main drive) and click on defragment.


Might I suggest the following free spyware programs, if you don't already have them, for added security; you can download them at the following links. These programs work great for detection:

Ad-aware SE
Spybot S&D
Microsoft Anti-Spyware


If you are unhappy with your current antivirus and want to replace it, or if you don't already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program, as it will more than likely cause a conflict.

AVG
Avast
AntiVir


The following free programs are great for prevention:

SpywareBlaster 3.4
Spywareguard
IE/Spyad

A Firewall is a must! Here are 3 good free versions:
(do not have more than one firewall running on your system)

Sygate
Kerio
ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox
Opera

If you decide to keep Internet Explorer, this site is a great source for tightening up security on its settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Included in those updates is Windows XP Service Pack 2. Click Here
Since you're junkware free, the time to get it is NOW. Service Pack 2 is a MAJOR upgrade for XP. It adds numerous security and software patches, as well as new features and functionality. You will also be adding another layer of protection against future threats.

Be sure to give the Temp folders a cleaning out now and then as well. Make sure after you clean your Temp files to empty out your Recycle Bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided. Also read How I got Infected

#15
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.