
INFESTED, infiltrated, please help me!



#1
HBiz
New Member, 7 posts
Please, I am in dire need here.
A few weeks ago I purchased a brand new Dell Latitude D610 notebook. It has been running beautifully, outperforming all of my desktops here (at my business). It has been operating for these weeks behind a well engineered internet gateway, but with no virus or spyware protection. I just never got around to it. I will NEVER make that mistake again. I took it home the other day and literally minutes after connecting to the internet (via plugging in "bareback" to the cable modem) it was so horribly attacked that I could not even get to ANY URL in Internet Explorer (everything was redirected).

Okay, so here is what I did...

I followed my very first instinct and ended all suspect processes (things that were very obvious).
This got me to the point where I could get to the symantec homepage. I purchased a copy of Norton Antivirus 2006 and installed / ran it. Got rid of some things, but still MAJORLY infected...
So I came to this forum and followed the suggested methods.
Here is what I did after viewing this forum:

Downloaded and ran the following:
Cleanup
Ad-Aware
CWShredder
Spybot S&D
Hijackthis

And now I am stuck! I have a toolbar on my desktop that WILL NOT GO AWAY no matter what I do. It is a series of hideous icons on the right side of my desktop that advertise gambling, dating, pharmacy, xxx, insurance, and other things. When you even HOVER the mouse over them they show a "loading" menu followed by a series of links. It is actually quite a clever little contraption and I would almost have to admire the creativity if it wasn't a vicious attack on my PC. Also, I have noticed a marked difference in performance. My pc is very much slower now and I am not sure if it is because of NAV, or all the spy/ad ware still present.

I really need help as this is my work computer for my business. Please. I would be very grateful for any assistance.

One more note, before I post my hijackthis log, when I ran CWShredder, the "scan only" finds the file CWS.Msconfd but when I run it to "Fix" my computer blue-screens with a fatal error.
I am begging here....please help

Okay, here is my Hijackthis log as of right this second:

Logfile of HijackThis v1.99.1
Scan saved at 1:48:16 PM, on 12/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Logfile of HijackThis v1.99.1
Scan saved at 1:04:18 PM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ADP\CollectAll\ADPSchedule.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\*MyName*\Desktop\Security\hijack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ADP Scheduler] C:\Program Files\ADP\CollectAll\ADPSchedule.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134414801906
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Thanks in advance to anyone who can help me!!!!!

Edited to add - I also just noticed that my browser gets redirected randomly to various sites, including a "click verifier" and all sorts of others, when clicking on unrelated links in Google. I even had one click in a Google search that redirected me to eBay with my Google search already input into the eBay search field! Since first posting this 2 days ago, I have run Spybot S&D, Ad-Aware, Norton AntiVirus, Cleanup, and CWShredder all in various combinations with no success. I still have the toolbar at Windows start and malware is STILL being found in all of the aforementioned programs. CWShredder STILL blue-screens when trying to fix files as well.

Here is a picture of what the toolbar on my desktop looks like: Link to Screenshot
I took the picture while hovering the mouse over the "dating" icon.
When I hit the "close" button it closes, but reappears every time I start Windows.

I re-posted the HJT log, too.

Is it difficult and is it advisable to wipe clean and re-install windows? I really haven't used this pc much and every document I have can be backed up onto 1 CD. Is this something I can do?

Please, even if you do not have the time to give me a full response, at least can someone tell me what other avenues I can venture down? I have a rep from a payroll company coming in tomorrow to install and train me on an automated timeclock system using this computer and I don't want pornographic popups or toolbars getting in the way.

Edited by HBiz, 16 December 2005 - 12:05 PM.

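The HijackThis log above is a line-oriented text format, and the helpers in this thread work by reading it and comparing it with the next log a poster submits. As an added example (not HijackThis's own code and not anything posted in this thread), the Python below parses the O2/O3/O4/O16/O23 lines into records, groups them by section and diffs two logs. The first sample is a constructed subset of the lines from the log above; the second adds one constructed O23 service line so the diff has something to report. The regexes, field names and the `HjtEntry` record are this example's own reading of the line layout, not HijackThis's parser.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not HijackThis's own code: parse the "Onn - ..." lines of a
# HijackThis v1.99 log into records and diff two logs. The regexes and field
# names are this example's own reading of the line layout shown in this thread.

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


@dataclass(frozen=True)
class HjtEntry:
    section: str          # O2, O3, O4, O16, O23, ...
    kind: str             # BHO, Toolbar, HKLM\..\Run, DPF, Service, ...
    name: str             # friendly name, Run value name or DPF control name
    clsid: Optional[str]  # CLSID when the line carries one
    target: str           # DLL/EXE path, command line or URL the entry points at


def parse_hjt(text: str) -> List[HjtEntry]:
    """One HjtEntry per 'Onn - ...' line; header and 'Running processes' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        kind, _, payload = rest.partition(": ")
        cm = CLSID_RE.search(payload)
        clsid = cm.group(0).upper() if cm else None
        if section == "O4":
            # O4 - HKLM\..\Run: [ValueName] command line
            nm = re.match(r"\[(.*?)\]\s*(.*)", payload)
            name, target = nm.groups() if nm else (payload, "")
        elif section == "O16":
            # O16 - DPF: {CLSID} (Control name) - download URL
            nm = re.search(r"\((.*?)\)", payload)
            name = nm.group(1) if nm else ""
            target = payload.rsplit(" - ", 1)[-1]
        else:
            # O2/O3: Name - {CLSID} - path      O23: Name (short) - Vendor - path
            parts = payload.split(" - ")
            name, target = parts[0], parts[-1]
        entries.append(HjtEntry(section, kind, name, clsid, target.strip()))
    return entries


def by_section(entries: List[HjtEntry]) -> Dict[str, List[HjtEntry]]:
    grouped: Dict[str, List[HjtEntry]] = {}
    for e in entries:
        grouped.setdefault(e.section, []).append(e)
    return grouped


def diff_hjt(old_text: str, new_text: str) -> Tuple[List[HjtEntry], List[HjtEntry]]:
    """(added, removed) between two logs, compared on the whole record."""
    old, new = set(parse_hjt(old_text)), set(parse_hjt(new_text))

    def key(e: HjtEntry):
        return (e.section, e.name)

    return sorted(new - old, key=key), sorted(old - new, key=key)


# Constructed sample: a subset of the log lines posted above.
LOG_DEC16 = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
"""

# Constructed follow-up: the same lines plus one added service entry, standing
# in for a log taken after a scanner has been installed.
LOG_DEC18 = LOG_DEC16 + r"""O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
"""

if __name__ == "__main__":
    for section, items in by_section(parse_hjt(LOG_DEC16)).items():
        print(section, len(items), "entries")
    added, removed = diff_hjt(LOG_DEC16, LOG_DEC18)
    for e in added:
        print("+", e.section, e.name, "->", e.target)
    for e in removed:
        print("-", e.section, e.name, "->", e.target)
```

The diff compares whole records, so an entry whose name is unchanged but whose target path moved shows up as one removal and one addition, which is exactly the case a helper wants surfaced when a Run value or BHO has been swapped for something else.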
#2
HBiz
Topic Starter, 7 posts
Been 3 days. I really need help so if anyone has any suggestions that I have not yet tried, it would be very appreciated.

Thanks!!!

#3
Buckeye_Sam
Malware Expert, 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:
I apologize for the delay getting to your log, the helpers here are very busy.


Please download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido; there should be an icon on your desktop, double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
http://www.ewido.net...wnload/updates/

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.


Reboot your computer and post a new hijackthis log and the log from Ewido.

#4
HBiz
Topic Starter, 7 posts
Thank you so much for taking the time to help.
When I ran ewido, it finished doing its thing and then a Norton Antivirus window popped up telling me that I had a virus (I should have written down the name, but it was something like "hwiper.exe"). It said that the file could not be repaired. Every time I closed the Norton window it popped back up. This happened until I saved an Ewido log and closed Ewido.

Here is the log from Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:46:06 PM, 12/18/2005
+ Report-Checksum: B11C69BB

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
[800] VM_023B0000 -> Downloader.Agent.uj : Error during cleaning
[824] VM_00DB0000 -> Downloader.Agent.uj : Error during cleaning
[1996] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning
[2800] VM_00390000 -> Downloader.Agent.uj : Error during cleaning
[2808] VM_003C0000 -> Downloader.Agent.uj : Error during cleaning
[2840] VM_008B0000 -> Downloader.Agent.uj : Error during cleaning
[2924] VM_003A0000 -> Downloader.Agent.uj : Error during cleaning
[2988] VM_00CC0000 -> Downloader.Agent.uj : Error during cleaning
[3020] VM_009E0000 -> Downloader.Agent.uj : Error during cleaning
[3056] VM_00890000 -> Downloader.Agent.uj : Error during cleaning
[3104] VM_00890000 -> Downloader.Agent.uj : Error during cleaning
[3400] VM_003E0000 -> Downloader.Agent.uj : Error during cleaning
C:\Documents and Settings\*my name*\Cookies\*my name*@7search[2].txt -> Spyware.Cookie.7search : Cleaned with backup
C:\Documents and Settings\*my name*\Cookies\*my name*@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\*my name*\Cookies\*my name*@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\*my name*\Cookies\*my name*@ehg-comcast.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\*my name*\Cookies\*my name*@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\*my name*\Cookies\*my name*@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\*my name*\Cookies\*my name*@media.fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\*my name*\Cookies\*my name*@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\*my name*\Cookies\*my name*@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\*my name*\Cookies\*my name*@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\*my name*\Cookies\*my name*@statse.webtrendslive[1].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\*my name*\Cookies\*my name*@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\*my name*\Cookies\*my name*@z1.adserver[2].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0006438.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0006454.pif:arkmj -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0006466.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0007466.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007558.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007570.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007588.exe -> Hijacker.Small : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007590.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000141.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000160.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000172.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000185.exe -> Downloader.Small.buy : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000186.exe -> Downloader.Small.buy : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000187.exe -> Downloader.Small.buy : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0000188.exe -> Downloader.Agent.sy : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0001171.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001187.exe -> Backdoor.Small : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001194.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001203.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0002203.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0003203.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0003438.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0004438.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0005438.exe -> Downloader.Agent.uj : Cleaned with backup
C:\WINDOWS\system32\ldr125.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr312.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr448.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr459.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\ldr661.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\msupdate32.dll -> Downloader.Agent.abe : Cleaned with backup
C:\WINDOWS\system32\oleext.dll -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\system32\run635.exe -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\SetupCarnival.exe -> Adware.Casino : Cleaned with backup
C:\WINDOWS\system32\sywsvcs.exe -> Backdoor.Small : Cleaned with backup
C:\WINDOWS\system32\upd880.exe -> Dropper.Agent.ii : Cleaned with backup


::Report End


and here is the new HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 6:54:01 PM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ADP\CollectAll\ADPSchedule.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_05\bin\jucheck.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\*my name*\Desktop\Security\hijack this\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ADP Scheduler] C:\Program Files\ADP\CollectAll\ADPSchedule.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1134414801906
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

The toolbar did not re-appear on startup after running Ewido. Please take a look and see if there is anything else I need to be concerned with. The PC still seems to be acting weird....but nothing I can't live with if you give me the "all clear" based on the above. Thanks again for taking the time to read through.
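The Ewido report in this post mixes very different kinds of hits: a registry key, memory regions of running processes (the `[pid] VM_...` lines that failed to clean), tracking cookies, copies held in System Restore points, and files under `system32`. As an added example (not ewido's own code and not anything posted in this thread), the Python below parses the `object -> detection : status` lines, classifies each object by where it lives, and produces the triage summary a helper would want: which processes still had detected code mapped when the scan ran, and which on-disk components were found outside restore points and cookie jars. The regexes, the location categories and the `Finding` record are this example's own reading of the report layout; the sample is a constructed subset of the report lines above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Added example, not ewido's own code: parse and triage the result lines of an
# ewido security suite scan report. Regexes and categories are this example's
# own interpretation of the layout shown in this thread.

RESULT_RE = re.compile(r"^(?P<obj>.+?) -> (?P<detection>[^:]+?) : (?P<status>.+)$")
PROCESS_MEM_RE = re.compile(r"^\[(?P<pid>\d+)\] VM_[0-9A-Fa-f]{8}$")
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)
COOKIE_RE = re.compile(r"\\Cookies\\", re.IGNORECASE)
REGISTRY_PREFIXES = ("HKLM\\", "HKCU\\", "HKCR\\", "HKU\\", "HKEY_")


@dataclass(frozen=True)
class Finding:
    obj: str        # what was scanned: registry key, "[pid] VM_base", or a path
    detection: str  # ewido's detection name
    status: str     # "Cleaned with backup", "Error during cleaning", ...
    location: str   # process-memory | registry | system-restore | cookie | file


def classify(obj: str) -> str:
    """Where the hit lives; this decides what the hit means for a live infection."""
    if PROCESS_MEM_RE.match(obj):
        return "process-memory"
    if obj.upper().startswith(REGISTRY_PREFIXES):
        return "registry"
    if RESTORE_RE.search(obj):
        return "system-restore"
    if COOKIE_RE.search(obj):
        return "cookie"
    return "file"


def parse_ewido(text: str) -> List[Finding]:
    findings = []
    for raw in text.splitlines():
        m = RESULT_RE.match(raw.strip())
        if not m:
            continue  # header, "+ Scan result:" and "::Report End" lines are skipped
        obj = m.group("obj")
        findings.append(Finding(obj, m.group("detection").strip(),
                                m.group("status").strip(), classify(obj)))
    return findings


def triage(findings: List[Finding]) -> Dict[str, object]:
    live = [f for f in findings
            if f.location == "process-memory" and f.status.startswith("Error")]
    on_disk = [f for f in findings if f.location == "file"]
    return {
        "by_status": dict(Counter(f.status for f in findings)),
        "by_location": dict(Counter(f.location for f in findings)),
        # processes that still had the detected code mapped when the scan ran
        "live_pids": sorted({int(PROCESS_MEM_RE.match(f.obj).group("pid")) for f in live}),
        "live_detections": sorted({f.detection for f in live}),
        # file names of components found outside restore points and cookie jars
        "on_disk": sorted(f.obj.rsplit("\\", 1)[-1] for f in on_disk),
    }


# Constructed sample: a subset of the result lines from the ewido report above.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
[800] VM_023B0000 -> Downloader.Agent.uj : Error during cleaning
[824] VM_00DB0000 -> Downloader.Agent.uj : Error during cleaning
[1996] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning
C:\Documents and Settings\*my name*\Cookies\*my name*@7search[2].txt -> Spyware.Cookie.7search : Cleaned with backup
C:\Documents and Settings\*my name*\Cookies\*my name*@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0006438.exe -> Downloader.Agent.uj : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0006454.pif:arkmj -> Downloader.Agent.td : Cleaned with backup
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001187.exe -> Backdoor.Small : Cleaned with backup
C:\WINDOWS\system32\ldr125.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\oleext.dll -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\system32\sywsvcs.exe -> Backdoor.Small : Cleaned with backup
C:\WINDOWS\system32\upd880.exe -> Dropper.Agent.ii : Cleaned with backup

::Report End
"""

if __name__ == "__main__":
    summary = triage(parse_ewido(SAMPLE_REPORT))
    for k, v in summary.items():
        print(f"{k}: {v}")
```

The split by location matters for reading a report like this one: a `VM_` hit that could not be cleaned means the code was still mapped inside a running process at scan time, which is why a reboot and a fresh log are the next step, while hits inside `System Volume Information\_restore` are restore-point copies that only become a problem if that restore point is ever applied. The `file` bucket is the short list worth cross-checking against the HijackThis log.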

#5
Buckeye_Sam
Malware Expert, 10,019 posts
Your log looks pretty good, but I'm concerned that there may be malware still on your computer.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#6
HBiz
Topic Starter, 7 posts
I am still finding that some clicks are getting redirected in IE and Norton Antivirus pops up with a virus threat quite often now. I am confident that there is still a fair amount of malware on this computer. Thanks for your continued help in this matter.

Here is my Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, December 20, 2005 18:04:40
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 20/12/2005
Kaspersky Anti-Virus database records: 156353
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 33679
Number of viruses found: 21
Number of infected objects: 75
Number of suspicious objects: 0
Duration of the scan process: 2248 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A3A40CE.exe Infected: Backdoor.Win32.Padodor.ax
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\18840393.exe Infected: Trojan-Downloader.Win32.Small.buy
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\18BF7752.exe Infected: Trojan-Downloader.Win32.Agent.sy
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1AB60968.exe Infected: Trojan.Win32.Small.gq
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\29E24BDC.exe Infected: Trojan.Win32.Favadd.an
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2AF966FE.exe Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2B891E5F.exe Infected: Trojan-Downloader.Win32.IstBar.nl
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2B931C55.exe Infected: Trojan-Clicker.Win32.Spywad.l
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2C67456B.exe Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2DBA53F5.tmp Infected: Trojan-Clicker.Win32.Spywad.l
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2DC127EE.exe Infected: Trojan-Dropper.Win32.Agent.abu
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2E0F1798.exe Infected: Trojan-Dropper.Win32.Agent.abu
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39047989.avi Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39047989.INI Infected: Trojan-Downloader.Win32.WinShow.bg
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39082385.bmp Infected: Trojan-Downloader.Win32.WinShow.bg
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\39E64A91.bmp Infected: Trojan-Downloader.Win32.WinShow.bg
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3B4A2B09.log Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3BD06476.qfn Infected: Trojan-Downloader.Win32.WinShow.bg
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3BD6386F.del Infected: Trojan-Downloader.Win32.WinShow.bg
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3BD9626B.log Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3BE03664.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3BE36060.dll Infected: Backdoor.Win32.Padodor.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3BE60A5D.exe Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3BEA3459.exe Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3CB70977.exe Infected: Packed.Win32.Klone.b
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3CC53169.dll Infected: Trojan-Downloader.Win32.WinShow.bg
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3CDF014C.exe Infected: Trojan.Win32.Inject.i
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3D2A46F9.exe Infected: Backdoor.Win32.Padodor.ax
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3E1515F6.bmp Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3E1B69EF.log Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3E1B69EF.pif Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\429E205E.pif Infected: Trojan.Win32.Agent.bi
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\446E575D.pif Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4E550814.dll Infected: Trojan-Downloader.Win32.WinShow.bg
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\54254F63.exe Infected: Trojan-Downloader.Win32.Agent.sy
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5FCB1A45.bmp Infected: Trojan-Downloader.Win32.WinShow.bg
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\600371BB.exe Infected: Backdoor.Win32.Agent.rw
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7E2B1AD9.dat Infected: Trojan-Downloader.Win32.Small.buy
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\7EA5795E.pif Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000002.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1\A0000003.exe Infected: Trojan.Win32.DNSChanger.am
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0006444.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0006457.INI:gyntur:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0006472.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP10\A0007472.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007566.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007576.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007596.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007600.dll Infected: Trojan-Downloader.Win32.Small.cat
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007601.dll Infected: Trojan-Downloader.Win32.Small.cat
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007602.dll Infected: Trojan-Downloader.Win32.Small.cat
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007603.dll Infected: Trojan-Downloader.Win32.Small.cat
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007604.dll Infected: Trojan-Downloader.Win32.Small.cat
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007605.dll Infected: Trojan-Downloader.Win32.Agent.abe
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007606.dll Infected: Trojan.Win32.Small.ev
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007607.exe Infected: Trojan-Downloader.Win32.Small.cat
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007609.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP13\A0007610.exe Infected: Trojan-Dropper.Win32.Small.zp
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP15\A0007617.exe Infected: Trojan.Win32.Favadd.an
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP15\A0007625.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP16\A0007635.exe Infected: Trojan.Win32.Small.gq
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000147.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000148.exe Infected: Trojan.Win32.DNSChanger.am
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000166.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP4\A0000178.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP5\A0001177.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001190.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001201.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0001209.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0002209.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP6\A0003209.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP7\A0003444.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0003526.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0004446.exe Infected: Trojan-Downloader.Win32.Small.bwx
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP8\A0005444.exe Infected: Trojan-Downloader.Win32.Small.bwx

Scan process completed.

Any further assistance you can provide is MUCH appreciated
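The Kaspersky report above is what the helper's next reply is reasoning from: every hit sits either in Norton's quarantine folder or inside a System Restore point, so nothing listed is on a path that can execute. The following Python triage script is an added example, not code from the thread or from Kaspersky; it parses lines of that exact `path Infected: name` shape, classifies each hit by where it lives, notes which restore points are contaminated, and calls out NTFS alternate data streams such as the `A0006457.INI:gyntur:$DATA` entry. The sample input is constructed: three paths are copied from the report, and the fourth (`example_live.exe`) is invented so the "live" branch is exercised.

```python
import re
from collections import Counter

# Constructed sample in the same line shape as the Kaspersky report above.
# The first three paths are copied from the thread; the fourth
# (example_live.exe) is invented so the "live" branch is exercised.
SAMPLE_REPORT = """\
C:\\Documents and Settings\\All Users\\Application Data\\Symantec\\Norton AntiVirus\\Quarantine\\3BE36060.dll Infected: Backdoor.Win32.Padodor.gen
C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP1\\A0000003.exe Infected: Trojan.Win32.DNSChanger.am
C:\\System Volume Information\\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\\RP10\\A0006457.INI:gyntur:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\\WINDOWS\\system32\\example_live.exe Infected: Trojan-Downloader.Win32.Small.bwx

Scan process completed.
"""

HIT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)\s*$")
RP_RE = re.compile(r"\\(RP\d+)\\")


def classify(path):
    """Where the file lives decides whether it can still run."""
    low = path.lower()
    if "\\norton antivirus\\quarantine\\" in low:
        return "quarantine"       # already neutralised by the AV product
    if "\\system volume information\\_restore" in low:
        return "restore-point"    # dormant unless that restore point is applied
    return "live"                 # ordinary path: treat as active


def parse_report(text):
    """Return one dict per 'Infected:' line; other lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue  # blank lines, 'Scan process completed.' and similar
        path, name = m.group("path"), m.group("name")
        # A ':' after the drive letter marks an NTFS alternate data stream
        # (file.INI:gyntur:$DATA in the thread's report).
        rest = path[2:] if re.match(r"^[A-Za-z]:", path) else path
        stream = rest.split(":", 1)[1] if ":" in rest else None
        rp = RP_RE.search(path)
        hits.append({
            "path": path,
            "name": name,
            "family": name.rsplit(".", 1)[0],  # drop the variant suffix
            "container": classify(path),
            "restore_point": rp.group(1) if rp else None,
            "stream": stream,
        })
    return hits


def summarize(hits):
    """Aggregate view a responder wants before deciding on next steps."""
    return {
        "total": len(hits),
        "by_container": dict(Counter(h["container"] for h in hits)),
        "families": dict(Counter(h["family"] for h in hits)),
        "restore_points": sorted({h["restore_point"] for h in hits if h["restore_point"]}),
        "ads_hits": [h["path"] for h in hits if h["stream"]],
        "live_hits": [h["path"] for h in hits if h["container"] == "live"],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run against the full report from the post, `live_hits` comes back empty, which is the concrete basis for "no active malware"; the non-empty `restore_points` list is why flushing System Restore is the next step rather than optional housekeeping.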

#7 Buckeye_Sam (Malware Expert, 10,019 posts)

Kaspersky doesn't show any active malware. Let's get rid of everything that it did find though.

First open up Norton and permanently delete all quarantined files.

Then flush your System Restore. This will delete any restore points that you have, but it will also make sure that any malware hiding in System Restore is booted off.

Turn off System Restore:
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer, turn it back on and create a restore point.

Create a restore point:
  • Click Start and point to All Programs.
  • Mouse over Accessories, then System Tools, and select System Restore.
  • In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
  • Type a description for your new restore point. Something like "After cleanup". Click Create and you're done.

Now let's see if we can turn up anything else.

Download and save Blacklight to your desktop. Double-click blbeta.exe, accept the agreement, leave [X] scan through Windows Explorer checked, click scan > next.

You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.



Also, is there a log from Norton that you can post so I can see what it is finding?

#8 HBiz (Topic Starter, New Member, 7 posts)

I think that after running through the spy/adware removers and following your advice, I have removed most all of the malware on this pc. I really really really really appreciate all the help. This board provides a great service and you should all be commended for so selfishly helping others. It's nice to know that there are still "nice" places on the internet!

Anyway, here is the blacklight log, let me know if anything strikes you as odd.

12/22/05 13:37:54 [Info]: BlackLight Engine 1.0.30 initialized
12/22/05 13:37:54 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/22/05 13:37:55 [Note]: 7019 4
12/22/05 13:37:55 [Note]: 7005 0
12/22/05 13:37:58 [Note]: 7006 0
12/22/05 13:37:58 [Note]: 7011 1620
12/22/05 13:37:59 [Note]: FSRAW library version 1.7.1014
12/22/05 13:38:20 [Info]: Hidden file: C:\WINDOWS\system32\wbem\wbemtest.exe
12/22/05 13:38:20 [Note]: 10002 1
12/22/05 13:38:23 [Info]: Hidden file: C:\WINDOWS\system32\cscte.exe
12/22/05 13:38:23 [Note]: 7002 32
12/22/05 13:38:23 [Note]: 7003 1
12/22/05 13:38:23 [Note]: 10002 1
12/22/05 13:38:23 [Info]: Hidden file: C:\WINDOWS\system32\dmumb.exe
12/22/05 13:38:23 [Note]: 7002 32
12/22/05 13:38:23 [Note]: 7003 1
12/22/05 13:38:23 [Note]: 10002 1
12/22/05 14:14:36 [Note]: 7007 0

Thanks!!!!

oh...1 more thing...Happy Holidays!
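Two posts are worth reading together here: the helper's warning that BlackLight lists legitimate hidden files (such as wbemtest.exe) alongside malicious ones, so nothing should be renamed on sight, and the log itself. The script below is an added example, not BlackLight's code or anything from the thread; it parses the `date time [Level]: message` lines, pulls out the engine version and the `Hidden file:` entries, and splits those against an allowlist so only the unexplained ones go forward for review. The allowlist contents and the sample log are constructed from this thread; in practice an allowlist is maintained from vendor documentation and verified hashes, not typed in by hand.

```python
import re

# Constructed sample: the informative lines from the BlackLight log pasted in
# the post above, in the same 'date time [Level]: message' shape (the numeric
# [Note] codes are opaque engine diagnostics and are kept only as context).
SAMPLE_LOG = """\
12/22/05 13:37:54 [Info]: BlackLight Engine 1.0.30 initialized
12/22/05 13:37:54 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/22/05 13:37:55 [Note]: 7019 4
12/22/05 13:38:20 [Info]: Hidden file: C:\\WINDOWS\\system32\\wbem\\wbemtest.exe
12/22/05 13:38:20 [Note]: 10002 1
12/22/05 13:38:23 [Info]: Hidden file: C:\\WINDOWS\\system32\\cscte.exe
12/22/05 13:38:23 [Note]: 7002 32
12/22/05 13:38:23 [Info]: Hidden file: C:\\WINDOWS\\system32\\dmumb.exe
12/22/05 14:14:36 [Note]: 7007 0
"""

LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) \[(?P<level>\w+)\]: (?P<msg>.*)$")
ENGINE_RE = re.compile(r"BlackLight Engine (\S+) initialized")

# Hidden files the helper in this thread names as legitimate. Assumption: a
# production allowlist comes from vendor documentation and verified hashes.
KNOWN_BENIGN = {
    r"c:\windows\system32\wbem\wbemtest.exe",
}


def parse_blacklight(text):
    """Return one dict per well-formed log line; anything else is dropped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def engine_version(entries):
    """Engine version string from the initialisation line, if present."""
    for e in entries:
        m = ENGINE_RE.search(e["msg"])
        if m:
            return m.group(1)
    return None


def hidden_files(entries):
    """Paths BlackLight reported as hidden from the Windows API."""
    prefix = "Hidden file: "
    return [e["msg"][len(prefix):].strip() for e in entries if e["msg"].startswith(prefix)]


def triage(paths):
    """Separate allowlisted hidden files from those a human must review.
    Only the 'review' list is a candidate for BlackLight's rename action."""
    result = {"allowlisted": [], "review": []}
    for p in paths:
        bucket = "allowlisted" if p.lower() in KNOWN_BENIGN else "review"
        result[bucket].append(p)
    return result


def renamed(path):
    """Name BlackLight gives a file after its rename action (per the thread)."""
    return path + ".ren"


if __name__ == "__main__":
    entries = parse_blacklight(SAMPLE_LOG)
    print("engine:", engine_version(entries))
    for bucket, paths in triage(hidden_files(entries)).items():
        for p in paths:
            print(f"{bucket:11s} {p}")
```

On this log the review bucket holds exactly the two system32 executables the helper singles out in the next post, and the allowlisted bucket holds wbemtest.exe, which is the false positive the earlier post warned about.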

#9 Buckeye_Sam (Malware Expert, 10,019 posts)

Actually the Blacklight tool does show a couple of files that are malicious.

Select these items in Blacklight and choose rename:

C:\WINDOWS\system32\cscte.exe
C:\WINDOWS\system32\dmumb.exe


The tool will ask if you want to reboot (restart) choose yes.


After you reboot you should be able to view these files, except they will be renamed as follows.

C:\WINDOWS\system32\cscte.exe.ren
C:\WINDOWS\system32\dmumb.exe.ren


Now let's see if we can find out anything specific about them.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:

    • C:\WINDOWS\system32\cscte.exe.ren
  • Disable your firewall if you are using one.
  • Click on the submit button
  • Reenable your firewall as soon as you get results.
  • Please post the results in your next reply.
Do the same with C:\WINDOWS\system32\dmumb.exe.ren


Happy Holidays to you as well! :tazz:

#10 HBiz (Topic Starter, New Member, 7 posts)

Rats...just when I thought I was in the clear...

Results for C:\WINDOWS\system32\cscte.exe.ren
----------------------------------------------------------

Service load: 0% 100%

File: cscte.exe.ren
Status: INFECTED/MALWARE
MD5 1329e8e8a7ba5a26b1084981bbe8c059
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Downloader.FFZ
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/Small.FB
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Agent.33 (probable variant)


Results for C:\WINDOWS\system32\dmumb.exe.ren
------------------------------------------------------------
Service load: 0% 100%

File: dmumb.exe.ren
Status: INFECTED/MALWARE
MD5 f05150864b4b336687a9dfa56a11023f
Packers detected: -
Scanner results
AntiVir Found Trojan/Dldr.Small.bwx
ArcaVir Found Trojan.Downloader.Small.Bwx
Avast Found Win32:Small-CB
AVG Antivirus Found Agent.EX
BitDefender Found Trojan.Downloader.Small.BWX
ClamAV Found nothing
Dr.Web Found Trojan.Iespy
F-Prot Antivirus Found nothing
Fortinet Found W32/Small.BWX-tr
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Small.bwx
NOD32 Found Win32/Small.FB
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found Trojan-Downloader.Win32.Small.bwx


Now what? Man....the internet is a very dirty place to venture unprotected....

#11 Buckeye_Sam (Malware Expert, 10,019 posts)

Go ahead and delete those two files and run Blacklight again. Post the log and we'll see if anything else shows up.

Are you still getting redirected?

#12 HBiz (Topic Starter, New Member, 7 posts)

No more redirects, no more toolbars, no more unremovable programs in Add/Remove Programs, no more sluggish pc. YOU ROCK!!! Blacklight turns up nothing!

Thank you so much for your help! I really think it is all gone now.

I truly appreciate it. I never knew how bad it was to connect unprotected to the internet, even for a short time.

So you think I am clean and in the clear? It sure feels like it....!

Edited by HBiz, 23 December 2005 - 04:53 PM.


#13 Buckeye_Sam (Malware Expert, 10,019 posts)

The way you describe things, I'd say you are clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Managing Windows Millennium System Restore

    or

    Windows XP System Restore Guide

    Re-enable System Restore with instructions from the tutorial above.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:tazz: :)