Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

bloudhound.w32.ep virus [RESOLVED]

Started by piouhvgfbh , Sep 16 2005 06:44 AM

  • This topic is locked This topic is locked

#1
piouhvgfbh
Posted 16 September 2005 - 06:44 AM

piouhvgfbh

    New Member

  • Member
  • Pip
  • 5 posts
Thanx in advance for this help. I just wanted to know how I could remove this bloodhound.w32.ep virus from my computer. Norton keeps on popping up but it can't fix it. Below is my hijac this log.

Logfile of HijackThis v1.99.1
Scan saved at 10:44:30 PM, on 16/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Danny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dsl.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\olecom32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\SFIGUI.EXE" BOOT
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [apiwl32.exe] C:\WINDOWS\system32\apiwl32.exe
O4 - HKLM\..\Run: [apijw.exe] C:\WINDOWS\system32\apijw.exe
O4 - HKLM\..\Run: [sdkzg.exe] C:\WINDOWS\system32\sdkzg.exe
O4 - HKLM\..\Run: [winkq32.exe] C:\WINDOWS\system32\winkq32.exe
O4 - HKLM\..\Run: [atltq.exe] C:\WINDOWS\system32\atltq.exe
O4 - HKLM\..\Run: [appwr.exe] C:\WINDOWS\system32\appwr.exe
O4 - HKLM\..\Run: [ipfj32.exe] C:\WINDOWS\ipfj32.exe
O4 - HKLM\..\Run: [sdkrn.exe] C:\WINDOWS\system32\sdkrn.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [StartPage] C:\Documents and Settings\Danny\rundll32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {11111111-1111-1111-1111-111111111237} - http://1040.justacou...1/deaAU1040.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109812503776
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference... to Spanish.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
  • 0

Advertisements

#2
greyknight17
Posted 16 September 2005 - 08:33 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\olecom32.exe
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [apiwl32.exe] C:\WINDOWS\system32\apiwl32.exe
O4 - HKLM\..\Run: [apijw.exe] C:\WINDOWS\system32\apijw.exe
O4 - HKLM\..\Run: [sdkzg.exe] C:\WINDOWS\system32\sdkzg.exe
O4 - HKLM\..\Run: [winkq32.exe] C:\WINDOWS\system32\winkq32.exe
O4 - HKLM\..\Run: [atltq.exe] C:\WINDOWS\system32\atltq.exe
O4 - HKLM\..\Run: [appwr.exe] C:\WINDOWS\system32\appwr.exe
O4 - HKLM\..\Run: [ipfj32.exe] C:\WINDOWS\ipfj32.exe
O4 - HKLM\..\Run: [sdkrn.exe] C:\WINDOWS\system32\sdkrn.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [StartPage] C:\Documents and Settings\Danny\rundll32.exe
O16 - DPF: {11111111-1111-1111-1111-111111111237} - http://1040.justacou...1/deaAU1040.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab

Delete these if found:

C:\WINDOWS\olecom32.exe
C:\WINDOWS\system32\apiwl32.exe
C:\WINDOWS\system32\apijw.exe
C:\WINDOWS\system32\sdkzg.exe
C:\WINDOWS\system32\winkq32.exe
C:\WINDOWS\system32\atltq.exe
C:\WINDOWS\system32\appwr.exe
C:\WINDOWS\ipfj32.exe
C:\WINDOWS\system32\sdkrn.exe
C:\Program Files\PSGuard\
C:\Documents and Settings\Danny\rundll32.exe - only delete it here
c:\explorer.cab

Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop (or Appearance)->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft.../activescan.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log.

Then post the Panda log here along with the logs for HijackThis, smitfiles.txt and Ewido.
  • 0

#3
piouhvgfbh
Posted 17 September 2005 - 12:28 AM

piouhvgfbh

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
I did all of what you instructed but the norton virus notification still pops up. Also I couldn't find the log from the smitrem.exe tool I ran. I went to the panda site and clicked on the scan but am not sure if I was given a log, i saved a report I don't know if this was what was requested. Below however are the logs of the other tools.

Logfile of HijackThis v1.99.1
Scan saved at 2:29:54 PM, on 17/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Danny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dsl.optusnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\olecom32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\SFIGUI.EXE" BOOT
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [apiwl32.exe] C:\WINDOWS\system32\apiwl32.exe
O4 - HKLM\..\Run: [apijw.exe] C:\WINDOWS\system32\apijw.exe
O4 - HKLM\..\Run: [sdkzg.exe] C:\WINDOWS\system32\sdkzg.exe
O4 - HKLM\..\Run: [winkq32.exe] C:\WINDOWS\system32\winkq32.exe
O4 - HKLM\..\Run: [atltq.exe] C:\WINDOWS\system32\atltq.exe
O4 - HKLM\..\Run: [appwr.exe] C:\WINDOWS\system32\appwr.exe
O4 - HKLM\..\Run: [ipfj32.exe] C:\WINDOWS\ipfj32.exe
O4 - HKLM\..\Run: [sdkrn.exe] C:\WINDOWS\system32\sdkrn.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKCU\..\Run: [StartPage] C:\Documents and Settings\Danny\rundll32.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {11111111-1111-1111-1111-111111111237} - http://1040.justacou...1/deaAU1040.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109812503776
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference... to Spanish.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:09:35 PM, 17/09/2005
+ Report-Checksum: 4530BB13

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{69A88C5E-04E5-741D-6CA2-9CB5374EB263} -> Spyware.CoolWebSearch : Cleaned with backup
[524] C:\WINDOWS\system32\OLEEXT.dll -> Trojan.Agent.ff : Cleaned with backup
[1256] C:\WINDOWS\system32\OLEEXT.dll -> Trojan.Agent.ff : Error during cleaning
C:\WINDOWS\apivk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\cdplayer.ini:ezxnd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\cdplayer.ini:jiltm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\cdplayer.ini:zsgowo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\chipset.log:jykbp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\comsetup.log:jhkqn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\control.ini:betkw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\desktop.ini:uanum -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\dexAU190.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\gdnIN19.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\rdgIN1342.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\rdgIN990.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\explorer.scf:rqcue -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\FaxSetup.log:aeapt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\FeatherTexture.bmp:uivbb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:hpola -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:mgevk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iedu.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iekp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javabk.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\javama.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\medctroc.Log:srrww -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\medctroc.Log:xoxjli -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\ModemLog_Standard 56000 bps Modem.txt:lnuslj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ModemLog_Standard 56000 bps Modem.txt:pkrza -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ODBC.INI:fufye -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\optimize.exe -> TrojanDownloader.Dyfuca.da : Cleaned with backup
C:\WINDOWS\QTFont.for:qnlth -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\QTFont.qfn:qniqa -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\REGLOCS.OLD:yennj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\regopt.log:rhvru -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Santa Fe Stucco.bmp:soynz -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\SchedLgU.Txt:bowmd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\setupact.log:ynyaa -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\setupapi.log:cqbfv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\setuperr.log:tpxlp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\spupdsvc.log:etmtk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Sti_Trace.log:jpjtw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Sti_Trace.log:ycgjk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Sti_Trace.log:zoofg -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32:ataa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
C:\WINDOWS\system32\adddh32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\apphx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\intell32.exe -> Spyware.PSGuard : Cleaned with backup
C:\WINDOWS\system32\javavy.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\msqo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\oleext.dll -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\system32\sdkze32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\services\dale.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\services\free.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\services\freevideo.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\services\losve.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\syswq32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysun32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\tmp.hta -> TrojanDownloader.VBS.Psyme.at : Cleaned with backup
C:\WINDOWS\vbaddin.ini:kqsxu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wgedit.ini:tvlxp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\wiaservc.log:ngqmh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\win.ini:rojqx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\win.ini:xhpim -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\WindowsUpdate.log:afmtw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\WindowsUpdate.log:elabn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winmp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winnt.bmp:spsjwr -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winnt256.bmp:chubu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winnt256.bmp:iaatj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winnt256.bmp:yhted -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wmsetup.log:zjyzgr -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\WMSysPr9.prx:ktrdf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WMSysPrx.prx:aoghu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{5E704509-7310-46B7-9E32-2F7174A41E06}.dat:lhsaq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:aexmv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:aikrnv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:dsggp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:fbyfm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:gbimf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:gopkw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:hroiz -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:kzchnu -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:lidyv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:monji -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:ogdcoc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:otrqd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:pdlty -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:rbcjf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:rclft -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:rizan -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:rrqul -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:rykbtk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:sdsiwc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:srotqt -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:tvcbsb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:usbni -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:vcuha -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:vnmza -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:wjgrk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:xiqcw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\{F0FB575C-2EEC-47FB-AAC7-1405272A53F5}.dat:xttzdj -> TrojanDownloader.Agent.bc : Cleaned with backup


::Report End


REPORT FROM PANDASOFTWARE

Incident Status Location

Adware:adware/popuper No disinfected C:\c.vbs
Virus:JS/Psyme.gen Renamed C:\cmdexe.hta
Virus:Trj/Downloader.KD Disinfected C:\Documents and Settings\Danny\Desktop\backups\backup-20050917-143328-745.inf
  • 0

#4
greyknight17
Posted 17 September 2005 - 09:40 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
The smitfiles.txt should be located in your C: drive.

Let's try this again since it doesn't seem to have changed anything in your log:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\olecom32.exe
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [apiwl32.exe] C:\WINDOWS\system32\apiwl32.exe
O4 - HKLM\..\Run: [apijw.exe] C:\WINDOWS\system32\apijw.exe
O4 - HKLM\..\Run: [sdkzg.exe] C:\WINDOWS\system32\sdkzg.exe
O4 - HKLM\..\Run: [winkq32.exe] C:\WINDOWS\system32\winkq32.exe
O4 - HKLM\..\Run: [atltq.exe] C:\WINDOWS\system32\atltq.exe
O4 - HKLM\..\Run: [appwr.exe] C:\WINDOWS\system32\appwr.exe
O4 - HKLM\..\Run: [ipfj32.exe] C:\WINDOWS\ipfj32.exe
O4 - HKLM\..\Run: [sdkrn.exe] C:\WINDOWS\system32\sdkrn.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINDOWS\system32\intell32.exe
O4 - HKCU\..\Run: [StartPage] C:\Documents and Settings\Danny\rundll32.exe
O16 - DPF: {11111111-1111-1111-1111-111111111237} - http://1040.justacou...1/deaAU1040.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab

Delete these if found:

C:\c.vbs
C:\cmdexe.hta
C:\WINDOWS\olecom32.exe
C:\WINDOWS\system32\apiwl32.exe
C:\WINDOWS\system32\apijw.exe
C:\WINDOWS\system32\sdkzg.exe
C:\WINDOWS\system32\winkq32.exe
C:\WINDOWS\system32\atltq.exe
C:\WINDOWS\system32\appwr.exe
C:\WINDOWS\ipfj32.exe
C:\WINDOWS\system32\sdkrn.exe
C:\Program Files\PSGuard\
C:\WINDOWS\system32\intell32.exe
C:\Documents and Settings\Danny\rundll32.exe
c:\explorer.cab

Run the smitRem.exe tool you downloaded earlier. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop (or Appearance)->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft.../activescan.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log.

Then post the Panda log here along with the logs for HijackThis, smitfiles.txt and Ewido.
  • 0

#5
piouhvgfbh
Posted 18 September 2005 - 12:11 AM

piouhvgfbh

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
Here are the logs you asked for. I did the scan at the panda site but I couldn't find any 'autoclean' box you refered to.


Logfile of HijackThis v1.99.1
Scan saved at 2:55:10 PM, on 18/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Danny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dsl.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\SFIGUI.EXE" BOOT
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\RunOnce: [delfile] C:\delfiles.cmd
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109812503776
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference... to Spanish.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

smitRem log file
version 2.3

by noahdfear

The current date is: Sun 18/09/2005
The current time is: 14:59:32.01

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :tazz:


~~~~ Looking for C:\WINDOWS\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINDOWS\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll not present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINDOWS\system32\wininet.dll for infection ~~~~


~~~~ C:\WINDOWS\system32\wininet.dll Clean! :) ~~~~


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:29:29 PM, 18/09/2005
+ Report-Checksum: 21A24F4B

+ Scan result:

No infected objects found.


::Report End

PANDA REPORT
Incident Status Location

Adware:adware/popuper No disinfected C:\c.vbs
Virus:JS/Psyme.gen Renamed C:\cmdexe_hta.vir
  • 0

#6
greyknight17
Posted 18 September 2005 - 07:15 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Check and fix this in HijackThis:

O4 - HKLM\..\RunOnce: [delfile] C:\delfiles.cmd

Delete these if found:

C:\c.vbs
C:\cmdexe_hta.vir

Restart and run another Panda scan. Post that Panda log here along with a new HijackThis log.
  • 0

#7
piouhvgfbh
Posted 18 September 2005 - 11:59 PM

piouhvgfbh

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
here are the logs for hijack this and panda

Logfile of HijackThis v1.99.1
Scan saved at 1:41:19 PM, on 19/09/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Danny\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dsl.optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\SFIGUI.EXE" BOOT
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: InterVideo WinScheduler.lnk = C:\Program Files\InterVideo\WinDVR\WinScheduler.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: =>&Español - http:\\wordreference.com\es\j\iees69.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://dsl.optusnet.com.au/
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1109812503776
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AD08A333-609E-11D3-950C-008098601567} - http://wordreference... to Spanish.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Panda Report
Incident Status Location

Adware:adware/popuper No disinfected C:\c.vbs
Virus:JS/Psyme.gen Renamed C:\cmdexe_hta.vir
  • 0

#8
greyknight17
Posted 19 September 2005 - 04:53 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\c.vbs
C:\cmdexe_hta.vir

If you get a PendingOperations message, just cancel it and restart manually.

Run Panda scan. Does those two entries return? If not:

Your log is clean.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#9
piouhvgfbh
Posted 21 September 2005 - 01:08 AM

piouhvgfbh

    New Member

  • Topic Starter
  • Member
  • Pip
  • 5 posts
The panda log now is clean. Thanx for the help everything seems to be running correctly now.
  • 0

#10
greyknight17
Posted 21 September 2005 - 04:41 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP