1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Trojan Attack

Discussion in 'Virus & Other Malware Removal' started by Schypha, Jan 21, 2006.

Thread Status:
Not open for further replies.
Advertisement
  1. Schypha

    Schypha Thread Starter

    Joined:
    Jan 21, 2006
    Messages:
    11
    The last 28 hours have been nightmare. At 2:30 yesteday morning Norton started popping up warnings for Trojan.Startpage, Trojan.Dropper, Download.Trojan and within about 20 minutes my system starting shooting out low virtual memory errors then locked up. When I logged back on I immediately updated my virus definitions and started a scan. In the meantime, I noticed that when I started Internet Explorer the entire system came to a crawl and at one point I noted that something was downloading. I then ran spybot and adware and was shocked to see that there was almost 100 entries that needed to be removed. I spent the next ten hours manually removing all the files that the software couldn't delete, then reran the scans to make sure I had gotten everything. I then rebooted and noted that as soon as I started IE, the entire process started again. Tons of spyware apps like elitemediapop, InstallBar, (It kept bringing up the internet connection wizard)Internet optimizer,mediaticketinstaller, web enhancer (webdll.dll), newdotnet7, drsmartdownload, and many other programs had reinstalled themselves. By this time I was in a state of panic. I ran down to Staples and bought a copy of Spy Sweeper because I had lost the ability to log onto the Internet with IE. The Sweeper software helped by allowing me to once again clean the system and to prevent anything else from installing itself. By 10:00 lastnight I had run Norton again and spybot and the only thing showing was the following in spybot:

    Windows Security Center.Update Disable Notify
    Windows Security Center.Antivirus Disable Notify
    Windows Security Center.Antivirus override
    Windows Security Center.Firewall Disable Notify
    WinWindows Security Center.SP2U Update

    I allowed Spybot to fix the registry keys, rebooted and checked again and was appalled to find that they had been disabled once more.

    I'm at the point where I just don't know what to do. I have not slept since this happened and I can't figure out what the root of the issue is. I read some of the posts in the forum and have run a Kapersky scan. It detected the following viruses:

    Backdoor.win32.sdbot.all (scvhost.exe)
    Trojan_spy.win32.vbeh (cijdb.exe)
    Trojan.dropper.win32.vb.am (sys32.exe)

    I can't find any decent info out there on how to remove these (Norton is no help at all). Also, I'm a little afraid as some the above look like actual system files.

    Something is getting kicked off when I hook to the Internet and then proliferates the system with with more spyware and viruses.

    I also ran HiJack and the results are below and I downloaded Cleanup but am waiting to see what any of you folks think I should do next. Any help would be greatly appreciated.


    Logfile of HijackThis v1.99.1
    Scan saved at 3:28:29 AM, on 1/21/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\scvhost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\devldr32.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINNT\Logi_MwX.Exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suscom.net/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suscom.net/index.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.suscom.net/index.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4FD00B48-EFF2-990B-F36F-9C2B559EDFCC} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
    O16 - DPF: DigiChat Applet - http://host6.digichat.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://webapps.cvty.com/Citrix/ICAWEB/en/ica32/wficat.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
    O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program Files\Microsoft Visual Studio .NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINNT\scvhost.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio .NET\Common7\Tools\Analyzer\varpc.exe (file missing)
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.


    what is the location of those viruses, where exactly does it say they are?



    Disable spysweeper.

    Before you proceed with the removal directions below you need to turn off SpySweeper's realtime protection as it will interfere with the changes we are trying to make.

    Open Spysweeper and click on Options > Program Options.
    Uncheck "load at windows startup".
    On the left click "shields" and then uncheck everything there.
    Uncheck "home page shield".
    Uncheck "automatically restore default without notification".
    Exit the program.
    Leave it disabled until we are finished here.


    Download the pocket killbox
    http://www.bleepingcomputer.com/files/killbox.php



    * Download the trial version of Ewido Security Suite here


    http://www.ewido.net/en/

    * Install ewido.
    * During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    * Launch ewido
    * It will prompt you to update click the OK button and it will go to the main screen
    * On the left side of the main screen click update
    * Click on Start and let it update.
    * DO NOT run a scan yet. You will do that later in safe mode.



    * Click here for info on how to boot to safe mode if you don't already know
    how.

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



    * Now copy these instructions to notepad and save them to your desktop. You
    will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in
    safe mode:



    have hijack this fix these entries. close all browsers and programmes before
    clicking FIX.


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {4FD00B48-EFF2-990B-F36F-9C2B559EDFCC} - (no file)
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab



    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
    In the Full Path of File to Delete box, copy and paste each of the following
    lines one at a time then click on the button that has the red circle with the
    X in the middle after you enter each file. It will ask for confirmation to
    delete the file. Click Yes. Continue with that same procedure until you have
    copied and pasted all of these in the Paste Full Path of File to Delete box.



    Note: It is possible that Killbox will tell you that one or more files do not
    exist. If that happens, just continue on with all the files. Be sure you
    don't miss any.


    C:\WINNT\scvhost.exe


    * Run Ewido:

    * Click on scanner
    * Click Complete System Scan and the scan will begin.
    * During the scan it will prompt you to clean files, click OK
    * When the scan is finished, look at the bottom of the screen and click the Save report button.
    * Save the report to your desktop



    to clean out the Temp folders!


    When in Safe Mode, open notepad and paste in the following lines:

    del c:\ *.tmp
    del %temp%\*.tmp /f
    del %windir%\prefetch\*.*
    del %windir%\temp\*.* /f
    del C:\documents and settings\*\local settings\temp\*.* /f

    Save to your desktop as 'clean.bat'...Before you save,set 'file types' to
    all types. ( *.*)

    DoubleClick on "clean.bat", and say Yes to the prompt.


    reboot to normal mode and run a few online scans!


    Run an online antivirus check from

    http://www.kaspersky.com/virusscanner

    choose extended database for the scan!



    Run ActiveScan online virus scan here

    http://www.pandasoftware.com/products/activescan.htm

    When the scan is finished, anything that it cannot clean have it delete it.
    Make a note of the file location of anything that cannot be deleted so you
    can delete it yourself.
    - Save the results from the scan!


    post another hijack this log, the ewido and active scan logs
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Unfortunately Kazars advice won't fully fix this one as it has a few deeply hooked files

    this slghtly altered advice has worked in other cases

    start with download & run aimfix from
    http://www.jayloden.com/aimfix.htm

    then
    go to start/run and type services.msc press OK
    when the screen opens scroll down to Local Security Authority Subsystem Service right click and select properties and then on that page press stop service and then set the start up type to disabled, press ok a few times to get back to windows

    be very careful to get the right one as there are several similar named ones there

    repeat for
    Network Monitor

    now open HJT press config/misc tools and select delete an NT service

    paste this into the box & press OK

    lsass

    repeat for
    Network Monitor

    then

    Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily


    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe


    now Start killbox, go to options on the top bar and make sure remove directories is enabled and remove duplicates is UNCHECKED paste the first file listed below into the full pathname and file to delete box

    The file name will appear in the window, select delete on reboot , press the red X button, say yes to the prompt and NOto reboot now then repeat for each file in turn

    [Note: Killbox makes backups of all deleted files & folders in a folder called C:\!killbox ] If Killbox tells you any files are missing don't worry but make a note and let us know in your next reply

    C:\WINDOWS\scvhost.exe
    C:\Program Files\Network Monitor\netmon.exe


    Then on killbox top bar press tools/delete temp files, in the pop up box in the NT section select temp & temp internet & cookies only and in the 9x section select c:\windows\temp & c:\temp then on the drop down user account box, select your account, then repeat for every user account on the computer

    then reboot & post a new HJT log
     
  4. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    cheers derek, i missed that!
     
  5. Schypha

    Schypha Thread Starter

    Joined:
    Jan 21, 2006
    Messages:
    11
    Local Security Authority Subsystem Service does not exist in the services windows but network monitor does. Could it be named something else?

    Also -- here is where the infected files reside:

    Backdoor.win32.sdbot.all (C:/WINNT/scvhost.exe)
    Trojan_spy.win32.vbeh (C:/WINNT/sys32/cijdb.exe)
    Trojan.dropper.win32.vb.am (C:/WINNT/sys32/sys32.exe)
     
  6. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    ok, carry out my instructions and run the instructions Derek gave you, just combine the two of them.

    put all these through the killbox, some may be missing after running Derek's fix! Just do what you can and post all the logs!


    C:/WINNT/scvhost.exe
    C:/WINNT/sys32/cijdb.exe
    C:/WINNT/sys32/sys32.exe
     
  7. Schypha

    Schypha Thread Starter

    Joined:
    Jan 21, 2006
    Messages:
    11
    Does that mean to just skip the Local Security Authority Subsystem Service and do Network Monitor? It's not security accounts manager is it (Stores security info for local user accounts)?
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    No according to the HJT log the name of the service is
    Local Security Authority Subsystem Service

    if you can't find it skip that stage BUT I think you might find that it still appears in the HJT log when you reboot

    if it does we have otherways of dealing with it

    Normally aimfix should get this one though
     
  9. Schypha

    Schypha Thread Starter

    Joined:
    Jan 21, 2006
    Messages:
    11
    ok -- here is what I did.

    have hijack this fix these entries. close all browsers and programmes before
    clicking FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {4FD00B48-EFF2-990B-F36F-9C2B559EDFCC} - (no file)
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
    O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-secure.com/ols/fscax.cab


    Then put this through pillbox: C:\WINNT\scvhost.exe

    Then cleaned out the temp folders by creating and running the "clean.bat' file.

    I then ran the AIM.fix and generated the following log:
    ***ANY VIRUS FILES REMOVED WILL BE LISTED BELOW***

    C:\WINNT\system32\internat.exe found, attempting to remove...
    C:\WINNT\system32\internat.exe quarantined
    RegReadValue() for HKCU\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Misc\BaseDataPath failed on RegQueryValueEx(): The system cannot find the file specified.

    Profile for bballerky12 edited to remove possible virus code.
    Profile for clintxoxluver edited to remove possible virus code.
    Profile for crzysoccerchic10 edited to remove possible virus code.
    Profile for greenmonk8881 edited to remove possible virus code.
    Profile for inlovewidchu69 edited to remove possible virus code.
    Profile for lilchumy18 edited to remove possible virus code.
    Profile for litlalixoxo edited to remove possible virus code.
    Profile for ooonlyonceoo edited to remove possible virus code.
    Profile for rkochamp619 edited to remove possible virus code.
    Profile for skankyxxxhoe6 edited to remove possible virus code.
    Profile for snikerzluver22 edited to remove possible virus code.
    Profile for xx2hot4u21xx edited to remove possible virus code.
    Profile for xxcrazibrunette3 edited to remove possible virus code.

    ***RUN COMPLETED. ANY FILES REMOVED LISTED ABOVE***
    ----------------------------------------------------------



    Note: I could not locate Local Security Authority Subsystem Service and Network monitor services were already in the stop position. But I set "disable the monitor to start up type to disabled". Then I opened HJT pressed config/misc tools and select delete an NT service for the Network monitor.


    I then ran these through Hijack:
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe


    Then ran these through pillbox and was told they did not exist:
    C:\WINDOWS\scvhost.exe
    C:\Program Files\Network Monitor\netmon.exe


    Then deleted the temp files using pillbox.

    Then Ran Ewido:
    + Created on: 9:59:26 AM, 1/21/2006
    + Report-Checksum: 143F6444

    + Scan result:

    C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> Spyware.Cookie.Adition : Cleaned with backup
    C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> Spyware.Cookie.Adtrak : Cleaned with backup
    C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
    C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> Spyware.Cookie.Adition : Cleaned with backup
    C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\[email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\administrator\Cookies\[email protected][2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\administrator\Desktop\aimfix_quarantine\2266_scvhost.exe.bak -> Backdoor.SdBot.all : Error during cleaning
    C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\CH2VC9Q3\mm[2].js -> Spyware.Chitika : Cleaned with backup
    C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Content.IE5\UF4RM3Q9\mm[2].js -> Spyware.Chitika : Cleaned with backup
    C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KD6J812R\drsmartload_js[1].htm -> Downloader.IstBar.j : Error during cleaning
    C:\Program Files\Spybot - Search & Destroy\wtwebdriver\files\3.2.0.007\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
    C:\Program Files\Spybot - Search & Destroy\wtwebdriver\files\3.2.0.007\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
    C:\RECYCLER\S-1-5-21-220523388-507921405-1957994488-500\Dc402\2266_scvhost.exe.bak -> Backdoor.SdBot.all : Cleaned with backup
    C:\WINNT\msapps\KILL.EXE -> Not-A-Virus.NetTool.Win32.PsKill : Cleaned with backup
    C:\WINNT\mtuninst.exe -> Adware.MediaTickets : Cleaned with backup
    C:\WINNT\system32\c_ijdb.exe -> Logger.VB.eh : Cleaned with backup
    C:\WINNT\system32\drivers\services.exe -> Not-A-Virus.NetTool.Win32.FScan.114 : Cleaned with backup
    C:\WINNT\system32\samdump.dll -> Not-A-Virus.PSWTool.Win32.PWDump2 : Cleaned with backup[/COLOR]+

    Then ran Kaspersky again and found 3 viruses:
    KASPERSKY ON-LINE SCANNER REPORT
    Saturday, January 21, 2006 13:57:54
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky On-line Scanner version: 5.0.67.0
    Kaspersky Anti-Virus database last update: 21/01/2006
    Kaspersky Anti-Virus database records: 172270
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\

    Scan Statistics:
    Total number of scanned objects: 85475
    Number of viruses found: 3
    Number of infected objects: 3
    Number of suspicious objects: 0
    Duration of the scan process: 6561 sec

    Infected Object Name - Virus Name
    C:\WINNT\msapps\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13
    C:\WINNT\rundll.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.24
    C:\WINNT\system32\syst32.exe Infected: Trojan-Dropper.Win32.VB.am


    Is it sage to run the remianing viruses through pillbox or just manually remove them?

    Here is the latest Hijack Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:23:45 PM, on 1/21/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\system32\devldr32.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINNT\Logi_MwX.Exe
    C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\administrator\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suscom.net/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suscom.net/index.php
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.suscom.net/index.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
    O16 - DPF: DigiChat Applet - http://host6.digichat.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://webapps.cvty.com/Citrix/ICAWEB/en/ica32/wficat.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
    O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program Files\Microsoft Visual Studio .NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio .NET\Common7\Tools\Analyzer\varpc.exe (file missing)

    One final note -- I have not run the panda software yet and I have noticed a strange issue now during the start up process. It seems to load in the task bar and srart button before any of my desktop items appear and it seems to hesitate for about 45 before it loads the items.
     
  10. Schypha

    Schypha Thread Starter

    Joined:
    Jan 21, 2006
    Messages:
    11
    Note --- I also ran the following and was told they did not exist:

    Run hijackthis, put a tick in the box beside these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked

    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
     
  11. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    * Click here for info on how to boot to safe mode if you don't already know
    how.

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



    * Now copy these instructions to notepad and save them to your desktop. You
    will need them to refer to in safe mode.


    * Restart your computer into safe mode now. Perform the following steps in
    safe mode:



    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
    In the Full Path of File to Delete box, copy and paste each of the following
    lines one at a time then click on the button that has the red circle with the
    X in the middle after you enter each file. It will ask for confirmation to
    delete the file. Click Yes. Continue with that same procedure until you have
    copied and pasted all of these in the Paste Full Path of File to Delete box.



    Note: It is possible that Killbox will tell you that one or more files do not
    exist. If that happens, just continue on with all the files. Be sure you
    don't miss any.


    C:\WINNT\msapps\psexec.exe
    C:\WINNT\rundll.exe
    C:\WINNT\system32\syst32.exe


    reboot back to normal mode and run these tools!



    go to this site and download these tools and once you get both
    adaware Se 1.6 and spybot, update both of them.

    Set adaware to do a full system scan and deselect, "search for neglible risk
    entries". Click next to start the scan. Delete everything adaware finds.

    reboot and now run spybot

    Spybot: Search and destroy.

    Delete what spybot finds marked in red. After updating spybot hit the
    immunize button.

    reboot again


    With CWshredder close all browsers and programmes and select the FIX button.



    Go here and download Microsoft Antispyware Beta. First in the top menu click
    File then Check for updates to download the definitons updates.

    After updating look in the right side of the main window under "Run Quick
    Scan Now" and click Spyware scan options. In that window put a tick by Run a
    full system scan and then put a check by all three options below that then
    click Run Scan now.

    When the scan is finished, let it fix anything that it finds (have it
    quarantine the items that have that option rather than delete just in case.
    It is a beta program and there may be false positives)

    Restart your computer.


    All tools can be downloaded at the link below and found on that page!


    . Microsoft® Windows AntiSpyware
    . Trend micro CWShredder
    . SpyBot search and destroy
    . AdAware SE personal


    http://www.majorgeeks.com/downloads31.html




    Run ActiveScan online virus scan here

    http://www.pandasoftware.com/products/activescan.htm

    When the scan is finished, anything that it cannot clean have it delete it.
    Make a note of the file location of anything that cannot be deleted so you
    can delete it yourself.
    - Save the results from the scan!



    post another hijack this log and the active scan logs
     
  12. Schypha

    Schypha Thread Starter

    Joined:
    Jan 21, 2006
    Messages:
    11
    I'm sorry Khazars -- I've had a very long day. Exactly what am am I fixing with the below notation? Must I do something specific within Hijack to show these files? (C:\WINNT\msapps\psexec.exe
    C:\WINNT\rundll.exe
    C:\WINNT\system32\syst32.exe )


    have hijack this fix these entries. close all browsers and programmes before
    clicking FIX.
     
  13. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    sorry, i meant to edit it out as there isn't anything to fix with hijack this!
     
  14. Schypha

    Schypha Thread Starter

    Joined:
    Jan 21, 2006
    Messages:
    11
    It's ok --- Your having a long day as well!
     
  15. Schypha

    Schypha Thread Starter

    Joined:
    Jan 21, 2006
    Messages:
    11
    Wow -- Almost 48 hours later and I'm starting to feel better :0)

    I followed all the instructions above and continued to find scattered fallout that I either left the software remove or I manually removed.
    Below you will find the most updated log files.

    I have a few questions that maybe someone can answer for me. I suspect that during all this removal I may have corrupted some entries in my registry. When my pc boots up it now brings up the quick start task bar items and start button before anything displays on my desktop (I see only the screensaver), it then takes a full minute for my folders and shortcuts to appear. Is there a good tool out there that will help me to fix the registry?

    Also -- the below reg keys have been repaired so many times over the past 2 days that I want to make sure that the default value is really supposed to be set to "0"
    Windows Security Center.Update Disable Notify
    Windows Security Center.Antivirus Disable Notify
    Windows Security Center.Antivirus override
    Windows Security Center.Firewall Disable Notify
    WinWindows Security Center.SP2U Update


    One last thing -- IE still seems a little hesitant and slow. I think I may have injured it while manually removing things from the registry. Is there a way to a quick repair on it?

    Logfile of HijackThis v1.99.1
    Scan saved at 12:38:58 AM, on 1/22/2006
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\CTsvcCDA.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINNT\system32\nvsvc32.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\inetsrv\inetinfo.exe
    C:\WINNT\system32\devldr32.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\WINNT\Logi_MwX.Exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
    C:\WINNT\system32\RUNDLL32.EXE
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\PROGRA~1\Webshots\webshots.scr
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINNT\system32\NOTEPAD.EXE
    C:\Documents and Settings\administrator\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suscom.net/index.php
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.suscom.net/index.php
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.suscom.net/index.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\program files\partypoker\IEExtension.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: ChatSpace Full Java Client 4.0.0.301 - http://63.102.226.240:8000/Java/cfs40301.cab
    O16 - DPF: DigiChat Applet - http://host6.digichat.com/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://webapps.cvty.com/Citrix/ICAWEB/en/ica32/wficat.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\PROGRA~1\CISCOS~1\VPNCLI~1\cvpnd.exe
    O23 - Service: Visual Studio Debugger Proxy Service (DbgProxy) - Unknown owner - C:\Program Files\Microsoft Visual Studio .NET\Common7\Packages\Debugger\dbgproxy.exe (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: Visual Studio Analyzer RPC bridge - Unknown owner - C:\Program Files\Microsoft Visual Studio .NET\Common7\Tools\Analyzer\varpc.exe (file missing)



    Active Scan
    Incident Status Location Adware:adwareprogram Not disinfected C:\WINNT\SYSTEM32\data.~
    Spyware:spyware/betterinet Not disinfected C:\WINNT\SYSTEM32\in10b6s.dll
    Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\administrator\Local Settings\Temporary Internet Files\Ssk.log
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\administrator\cookies\[email protected][1].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\administrator\cookies\[email protected][2].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\administrator\cookies\[email protected][1].txt
    Potentially unwanted tool:Application/Psexec.A Not disinfected C:\!KillBox\psexec.exe
    Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
    Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
    Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
    Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt
    Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
    Spyware:Cookie/Errorguard Not disinfected C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
    Spyware:Cookie/go Not disinfected C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
    Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt

    Spyware:Cookie/Affiliate fuel Not disinfected C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][2].txt

    Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\administrator\Application Data\Earthlink\6.0\[email protected]\Cookies\[email protected][1].txt
    Adware:Adware/MediaTickets Not disinfected C:\Documents and Settings\administrator\Application Data\Webroot\Spy Sweeper\Logs\060120175509.ses
    Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\administrator\Cookies\[email protected][1].txt
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\administrator\Cookies\[email protected][2].txt
    Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\administrator\Cookies\[email protected][1].txt
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/435908

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice