Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

WinFixer Problem [resolved]

Started by SPIN1 , Nov 05 2005 07:37 PM

  • This topic is locked This topic is locked

#1
SPIN1
Posted 05 November 2005 - 07:37 PM

SPIN1

    New Member

  • Member
  • Pip
  • 6 posts
HI,

I ran Ad-aware SE.

I ran Ewida and here is the log file.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:21:13 PM, 11/5/2005
+ Report-Checksum: E8FAD5F3

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/QDow_AS2.dll\\.Owner -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/QDow_AS2.dll\\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-1243559909-3078323134-1383738234-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKU\S-1-5-21-1243559909-3078323134-1383738234-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1243559909-3078323134-1383738234-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1243559909-3078323134-1383738234-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1243559909-3078323134-1383738234-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
:mozilla.109:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.162:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.163:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.204:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.207:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.210:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
:mozilla.219:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.225:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.226:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.228:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.229:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.230:C:\Documents and Settings\Marty\Application Data\Mozilla\Firefox\Profiles\default.35x\cookies.txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Marty\Cookies\marty@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Marty\Cookies\marty@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Marty\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Marty\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Marty\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\Marty\Local Settings\Temporary Internet Files\Content.IE5\2PVR628M\mm[1].js -> Spyware.Chitika : Cleaned with backup
C:\WINDOWS\SYSTEM32\ddccc.dll -> Spyware.Virtumonde : Cleaned with backup
C:\WINDOWS\SYSTEM32\sstqq.dll -> TrojanDownloader.ConHook.n : Cleaned with backup
C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup


::Report End


I ran Hijack This and here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 8:29:15 PM, on 11/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\ddccc.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.WINDOWSUPDATE.COM
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks kn advance for your help.


Marty
  • 0

Advertisements

#2
SPIN1
Posted 05 November 2005 - 07:44 PM

SPIN1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
As an extra added attraction I got a popup from: hxxxp://202.67.220.230/sec.../?aid=vm_fm_...=1&ex=1&lid=spy

from a site called Security Center, telling me I have spyware and selling Win Antivirus Pro 2005 and Win AntiSpyWare 2005. I'm not sure if this is related to the WinFixer problem or not, but I thought I might add this to my posting.

Thanks.

Edited by g2i2r4, 06 November 2005 - 12:13 PM.

  • 0

#3
g2i2r4
Posted 06 November 2005 - 12:19 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome SPIN1 to Geeks to Go!

Please print these instructions out for use in Safe Mode.
Please note: your Antivirus program may prompt you to a malicious script trying to run. Allow the entire script once.

Please download VundoFix.exe by Atribune© to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\system32\ddccc.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):C:\WINDOWS\system32\cccdd.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:
    O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\ddccc.dll

    O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Run the Free use Panda Active Scan.

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0

#4
SPIN1
Posted 06 November 2005 - 02:59 PM

SPIN1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

I was able to run Vundofix, but not Panda Active Scan. The page shows "error on page" and the scan never starts. As a result of these changes are now get a fatal error when starting Firefox. It says there was an error and the app closes. Any suggestions?

Here is the Vundofix log file:

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\Windows\system32\ddccc.dll

The second filepath entered was C:\Windows\system32\cccdd.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 132 'smss.exe'

Killing PID 740 'explorer.exe'
Killing PID 740 'explorer.exe'
Killing PID 740 'explorer.exe'


Killing PID 204 'winlogon.exe'
Killing PID 204 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\Windows\system32\ddccc.dll Deleted sucessfully.
C:\Windows\system32\cccdd.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Here is the HijackThis log. I noticed that the ddccc.dll is still there. I followed the original directions as indicated. I did note that the second path was different than the first, ddccc.dll vs. cccdd.*

Please advise. Thanks again for the quick reply.

Logfile of HijackThis v1.99.1
Scan saved at 3:53:54 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\ddccc.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.WINDOWSUPDATE.COM
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#5
g2i2r4
Posted 06 November 2005 - 03:30 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Open HijackThis
Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\ddccc.dll (file missing)

O20 - Winlogon Notify: ddccc - C:\WINDOWS\system32\ddccc.dll (file missing)

Close all programs leaving only HijackThis running.
Click on Fix Checked when finished and exit HijackThis.

***

Reboot the computer.

***

I haven't seen this infection having any effect on FireFox yet. You may want to re-install FireFox. Be sure to save your bookmarks before you uninstall.

***

Reset Internet Explorer to defaults:
Download and double click on IEFIX.reg and allow it to merge into the Registry.

***

Try to rerun Panda and post me the report.
  • 0

#6
SPIN1
Posted 06 November 2005 - 07:17 PM

SPIN1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

Ran Hijack This again and I think it got rid of the registry entries. Still not able to run Panda. Keep getting error on page message in the link bar and nothing happens when I click on scan my computer.

Here is the Hijack log. Is this a good time to reset my restore point, or should I do something else first to confirm it's gone? Please help with resetting my restore point.

Logfile of HijackThis v1.99.1
Scan saved at 8:12:11 PM, on 11/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/home.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.WINDOWSUPDATE.COM
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com..._1/axofupld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - Unknown owner - C:\Program Files\ewido\security suite\ewidoctrl.exe (file missing)
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks again
  • 0

#7
g2i2r4
Posted 07 November 2005 - 10:38 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Did you do the IEfix.reg?
Sometimes the cause is because of missing visual basic runtime files. Installing them can solve the problem, because those are also needed for ActiveX:
Go here to download a selfextracting file that may solve the problem.

See if you can do Panda now.
  • 0

#8
SPIN1
Posted 08 November 2005 - 06:52 AM

SPIN1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

I downloaded the VB runtime files and that didn't help. I did find that if I went to www.panda.com and followed the links to Active Scan, it will work.


Here is the Active Scan log:

Incident Status Location

Spyware:spyware/clearsearch No disinfected C:\PROGRAM FILES\ClearSearch
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/powerscan No disinfected Windows Registry
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP630\A0030793.dll
Thanks
  • 0

#9
g2i2r4
Posted 08 November 2005 - 04:53 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
:tazz: The Panda tip is just what I need! Thanks for letting me know.

Please remove these two folders:
C:\PROGRAM FILES\ClearSearch
C:\PROGRAM FILES\Lycos

Please update and run AdAware SE 1.06. Let it remove what it finds.

Let me know if the computer is running okay now.
  • 0

#10
SPIN1
Posted 08 November 2005 - 09:34 PM

SPIN1

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Hi,

I removed the two folders and ran Ad-ware SE. It found and removed one item. The system is running fine now. Is this a good time to reset my restore point?

I will be making a donation to support you in the important work you are doing!

Thanks again.
  • 0

#11
g2i2r4
Posted 09 November 2005 - 03:57 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Thank you again for the donation.

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

*********************

Please follow these simple steps in order to keep your computer clean and secure:
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & Hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware – Download and install Ad-Aware. You should also scan your computer with this program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

You may want to check this fine article by Tony Klein: How did I get infected in the first place?

Glad I was able to help.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP