nkadm.exe & sux.dll [RESOLVED]


#1 spencermjax (New Member, 6 posts)

When I do a full system scan using Norton I get the two alerts listed below, and Norton cannot quarantine or fix them:

"nkadm.exe
The compressed file nkadm.exe within C:\Program Files\WindowsUpdate\Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}\rr.dll is infected with the Backdoor.HackDefender virus."


"sux.dll
The compressed file sux.dll within C:\Program Files\WindowsUpdate\Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}\rr.dll is infected with the Backdoor.Trojan virus."


I did not see any reference to them when using HijackThis, Spybot, or Ad-Aware.

I searched the registry and found sux.dll but could not find nkadm.exe.

My system seems to be running fine but I would still like to remove the two viruses. Any suggestions?

#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Welcome to GTG.

We would still like you to run some spyware scans first and give us the HijackThis log anyway before we go with the removal.

Please read the first link in my signature and follow the steps outlined there. When you are ready, post the HijackThis log here.

#3 spencermjax (Topic Starter, New Member, 6 posts)

I also used Spyware Doctor. Is this program any good? I have posted a log file of what that program found below the HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 4:01:55 PM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\apache\mysql\data\DNS.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\SYSTEM32\aupdtsvc.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\WindowsUpdate\Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}\MSupdate.exe
C:\apache\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\apache\APACHE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\apache\APACHE.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Sandra Jones\Desktop\Randy\spyware\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://google.com"); (C:\Documents and Settings\Sandra Jones\Application Data\Mozilla\Profiles\default\epgpp3yx.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Sandra Jones\Application Data\Mozilla\Profiles\default\epgpp3yx.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter...oad/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgree...eensActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-17.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121992700375
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.walgreens...ploadClient.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter...loadControl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.h.../qdiagh.cab?326
O23 - Service: Indexing Provider (arsch) - Unknown owner - C:\WINDOWS\system32\nets.exe" -netsvcs (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: D.N.S. DNS Server (D.N.S.) - Cat Soft - C:\apache\mysql\data\DNS.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MSUPSV FTP Server (MSUPSV) - Cat Soft - C:\PROGRA~1\WindowsUpdate\Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}\MSupdate.exe
O23 - Service: MySql - Unknown owner - C:/apache/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

*****************************************

Spyware Doctor

Scan Results:
scan start: 10/15/2005 1:54:20 PM
scan stop: 10/15/2005 2:18:36 PM
scanned items: 148254
found items: 23
found and ignored: 0
tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Browser Defaults, Favorites and ZoneMap Scanner, ActiveX Scanner, Browser Activity Scanner, Disk Scanner



Infection Name Location Risk
InternetOptimizer HKLM\Software\Microsoft\Internet Explorer\Main##BandRest High
InternetOptimizer HKU\S-1-5-21-2381138938-1238661117-741939197-1007\Software\Microsoft\Internet Explorer\Main##BandRest High
Rogue Anti-Spyware Products C:\Documents and Settings\Sandra Jones\Favorites\randy's links\php\free website tools free php scripts.url High
Tracking Cookie(s) C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@realmedia[1].txt Medium
Tracking Cookie(s) C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@ehg-cygnusbm.hitbox[2].txt Medium
Advertising C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@casalemedia[1].txt Low
Advertising C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@statcounter[1].txt Low
Advertising C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@fastclick[2].txt Low
CWS.XPSystem C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@searchportal.information[1].txt Medium
Tracking Cookie(s) C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@atdmt[2].txt Medium
Tracking Cookie(s) C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@geekstogo[2].txt Medium
Tracking Cookie(s) C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@pricegrabber[2].txt Medium
Advertising C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@com[2].txt Low
Tracking Cookie(s) C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@tribalfusion[2].txt Medium
Tracking Cookie(s) C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@hitbox[2].txt Medium
Tracking Cookie(s) C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@zedo[2].txt Medium
Tracking Cookie(s) C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@atwola[1].txt Medium
Tracking Cookie(s) C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@data.coremetrics[1].txt Medium
Advertising C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@doubleclick[1].txt Low
Tracking Cookie(s) C:\Documents and Settings\Sandra Jones\Cookies\sandra jones@web4.realtracker[2].txt Medium
PSGuard Desktop Hijacker C:\WINDOWS\system32\wppp.html High
ISTbar C:\nc.exe High
CWS C:\WINDOWS\bdvlk.txt High

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

I never liked Spyware Doctor, but if you bought it already then tell the program to remove what it found.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download CleanUp! http://cleanup.stevengould.org/ (alternate link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REM Stop and unregister the two rogue services from the O23 lines of the HijackThis log
sc stop MSUPSV
sc delete MSUPSV
sc stop arsch
sc delete arsch
REM Remove this batch file once it has run
del delete.bat


Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.


Restart your computer and boot into Safe Mode (if you don't know how, go to http://www.bleepingc...howtutorial=61).

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner.
* Click on 'Complete System Scan' and the scan will begin.
* While the scan is in progress you will be prompted to clean the first infected file it finds. Choose 'Remove', then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
* Once the scan has completed, there will be a button located on the bottom of the screen named 'Save report'.
* Click 'Save report'.
* Save the report to your desktop.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Sandra Jones\Application Data\Mozilla\Profiles\default\epgpp3yx.slt\prefs.js)
O23 - Service: Indexing Provider (arsch) - Unknown owner - C:\WINDOWS\system32\nets.exe" -netsvcs (file missing)
O23 - Service: MSUPSV FTP Server (MSUPSV) - Cat Soft - C:\PROGRA~1\WindowsUpdate\Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}\MSupdate.exe

Locate and delete the following:

C:\Program Files\WindowsUpdate\Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}\
C:\WINDOWS\system32\nets.exe


Restart your computer. Post the logs for HijackThis and Ewido.

#7 spencermjax (Topic Starter, New Member, 6 posts)

Before I get started, how do I locate "C:\Program Files\WindowsUpdate\Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}\" ? That is where the 2 original virus problems were detected.

#8 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

It's in My Computer->C: drive->Program Files....

#9 spencermjax (Topic Starter, New Member, 6 posts)

I found the hidden "WindowsUpdate" folder...BUT...the only thing in that folder was the Panel icon that brings me to the Control Panel. There were not even any hidden files in that folder???

Edited by spencermjax, 15 October 2005 - 06:54 PM.


#10 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

I have suspicions about that folder. Do you by any chance know if it's a legitimate Windows Update folder? I don't think any harm can be done, so let's give this a try. Delete that whole WindowsUpdate folder.
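
A defender-side triage of the O23 service lines in the HijackThis log from #3, written as an added example for this thread (not code from the posts or from HijackThis): it flags the anomalies the expert picked out (unknown owner, missing binary, a stray quote in the image path) and spots a folder named with a shell CLSID, which Explorer renders as the object the CLSID names, here the Control Panel, instead of listing the folder's contents, which is why only a Panel icon was visible inside WindowsUpdate. The check names and the CLSID table are the example's own; the sample lines are copied from the posted log.

```python
"""Triage the O23 (service) lines of a HijackThis log.

Added example for this thread, not code from the posts or from
HijackThis. Sample lines are copied from the log in #3; the check
names and the CLSID table are this example's own.
"""
import re
from typing import Dict, List, Optional

# O23 - Service: <display name> [(<short name>)] - <owner> - <image path>
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?)"
    r"(?: \((?P<short>[^)]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)

# A folder named "<label>.{CLSID}" is shown by Explorer as the shell object
# the CLSID denotes, so its real contents are never listed in the GUI.
CLSID_RE = re.compile(
    r"\.(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})"
)
KNOWN_SHELL_CLSIDS = {
    "{21EC2020-3AEA-1069-A2DD-08002B30309D}": "Control Panel",
    "{20D04FE0-3AEA-1069-A2D8-08002B30309D}": "My Computer",
    "{645FF040-5081-101B-9F08-00AA002F954E}": "Recycle Bin",
}

# Constructed sample: a subset of the O23 lines from the log posted in #3.
SAMPLE_LOG = r"""
O23 - Service: Indexing Provider (arsch) - Unknown owner - C:\WINDOWS\system32\nets.exe" -netsvcs (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: D.N.S. DNS Server (D.N.S.) - Cat Soft - C:\apache\mysql\data\DNS.exe
O23 - Service: MSUPSV FTP Server (MSUPSV) - Cat Soft - C:\PROGRA~1\WindowsUpdate\Panel.{21EC2020-3AEA-1069-A2DD-08002B30309D}\MSupdate.exe
O23 - Service: MySql - Unknown owner - C:/apache/mysql/bin/mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PHPGeekUtil - Unknown owner - c:\apache\APACHE.EXE" --ntservice (file missing)
"""

def parse_o23(line: str) -> Optional[Dict[str, str]]:
    """Split one O23 line into its fields; None for any other line type."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    svc = m.groupdict()
    svc["key"] = svc["short"] or svc["name"]
    return svc

def clsid_in_path(path: str) -> Optional[str]:
    """Return the CLSID of a '<label>.{CLSID}' folder in the path, if any."""
    m = CLSID_RE.search(path)
    return m.group(1).upper() if m else None

def explorer_shows_as(path: str) -> Optional[str]:
    """What Explorer displays for the CLSID-named folder component."""
    clsid = clsid_in_path(path)
    if clsid is None:
        return None
    return KNOWN_SHELL_CLSIDS.get(clsid, "unknown shell object")

def check_service(svc: Dict[str, str]) -> List[str]:
    """Apply the anomaly checks; an empty list means nothing stood out."""
    flags = []
    # "Unknown owner" alone is weak evidence (MySql is benign here),
    # but it adds weight when it appears together with other flags.
    if svc["owner"].lower() == "unknown owner":
        flags.append("unknown_owner")
    # A registered service whose binary is gone: leftover or evasion.
    if "(file missing)" in svc["path"]:
        flags.append("file_missing")
    # An odd number of quotes means a malformed ImagePath, typical of a
    # hand-written registry entry rather than an installer.
    if svc["path"].count('"') % 2 == 1:
        flags.append("unbalanced_quotes")
    # The binary lives in a folder Explorer will not show the contents of.
    if clsid_in_path(svc["path"]) is not None:
        flags.append("clsid_folder")
    return flags

def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Map service key -> flags for every O23 service with at least one flag."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        svc = parse_o23(line)
        if svc is None:
            continue
        flags = check_service(svc)
        if flags:
            findings[svc["key"]] = flags
    return findings

if __name__ == "__main__":
    for key, flags in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{key:12} {', '.join(flags)}")
```

On the sample, arsch and PHPGeekUtil carry three flags each, MSUPSV is reported only for the CLSID-named folder and MySql only for its unknown owner, while the Symantec and Cat Soft DNS services pass.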

#11 spencermjax (Topic Starter, New Member, 6 posts)

When I try to delete it I get this error:

cannot delete modula.dll: Access denied
Make sure the disk is not full or write protected
and that the file is not currently in use.

I have tried to uncheck the read-only attribute but it just keeps resetting it. I also unchecked the indexing feature for the folder. I did this for the folder and all subfolders and files.

#12 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Still thinking about this folder myself :tazz: I hesitated before asking you to delete it earlier because it looks very similar to a Windows Update folder I'd seen before in the Program Files folder. Does your Windows Update folder have a space between the two words or not? If not, that makes me feel better :)

Right click and go to Properties. How big is this folder and when was it created? Was it created recently?

If it still won't allow you to delete it, try deleting in Safe Mode (if you didn't do so already).

#13 spencermjax (Topic Starter, New Member, 6 posts)

greyknight17,

I should have replied sooner...sorry.

After not being able to delete the folder as you recommended, I went on with my life for a day or two, then was going to get to work on cleaning my computer. I thought I would try to delete the folder one last time before trying other things, and it worked. I was able to delete the folder and its contents. Not sure why I was all of a sudden able to delete it, but hey...I'm not one to complain. I then did a full system scan (Norton) and found no infections!!!! Yipeeeeee!!!!
I have also not had any other system problems due to the deletion of that folder/files.

Thanks for all of your help!

#14 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.





