
Windows XP messaging subsystem spooler error

Discussion in 'Virus & Other Malware Removal' started by caldwelldr, Jan 14, 2006.

  1. caldwelldr (Thread Starter)

    Tech Support Guys/Gals, (Cookiegal, if you are available) -- I am having a problem with my email. I have a message stuck in my Outlook outbox and am unable to send or receive email. I have tried to delete it with no success. I get the following error message: "Microsoft Windows (TM) messaging subsystem spooler has encountered a problem & needs to close."

    I did a Google search and there are some fixes for printer problems associated with spooler applications, but nothing exactly like this. I originally thought this was a Windows error message problem, but became rapidly convinced that it was caused by a virus.

    Therefore, I updated (currently on live update schedule) and ran my Norton Antivirus, and Norton found some recent virus activity for: MHTMLRedirect.exe, downloader.troj, [email protected], and Trojan Horse.

    I ran a hijack this log, which is below:

    Logfile of HijackThis v1.99.0
    Scan saved at 4:14:42 PM, on 1/14/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgmain.exe
    C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgbhp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Darrel Caldwell\Desktop\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgmain.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104881148156
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3523F1AC-1534-4423-81D9-3276B39F12CA}: NameServer = 207.69.188.187 207.69.188.186
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3523F1AC-1534-4423-81D9-3276B39F12CA}: NameServer = 207.69.188.187 207.69.188.186
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


    What should I do to fix?? As you know this gets very frustrating especially when you run antivirus software.

    Thanks for your help!!

    Darrel
     
  2. Cookiegal (Administrator, Malware Specialist Coordinator)

    That is an older version of HijackThis. Please get the new one and post a new log. You can get it here:

    HijackThis
     
  3. caldwelldr (Thread Starter)

    Cookiegal :) -- I downloaded the new version of Hijack and got the following log:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:46:55 PM, on 1/15/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgmain.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgmain.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104881148156
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3523F1AC-1534-4423-81D9-3276B39F12CA}: NameServer = 207.69.188.187 207.69.188.186
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3523F1AC-1534-4423-81D9-3276B39F12CA}: NameServer = 207.69.188.187 207.69.188.186
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    Please let me know what to do!

    Thanks!

    Darrel
     
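As an added example (not code from this thread, from HijackThis or from Tech Support Guy), the Python below parses HijackThis logs like the ones posted above, reports which running processes and entries changed between two scans, and lists autostart or service entries whose target lives in a user-writable location so a reviewer can look at them first. The two log excerpts are constructed from the first two logs in this thread; the section list and path markers are assumptions, and a listed entry (here the poster's own SpywareGuard, run from the Desktop) is a prompt for review, not a verdict.

```python
"""Parse HijackThis logs, diff two scans, and list autostarts to review."""
import re
from collections import OrderedDict

# Entry lines look like "O4 - HKLM\..\Run: [Name] path" or "R0 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Sections that describe code run automatically (assumed set for triage):
# O4 = Run keys / Startup folders, O20 = Winlogon Notify,
# O21 = ShellServiceObjectDelayLoad, O23 = services.
AUTOSTART_SECTIONS = ("O4", "O20", "O21", "O23")

# Path fragments that mark user-writable locations (assumed markers, lower-cased).
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")


def parse_hjt_log(text):
    """Return (processes, entries).

    processes: list of paths from the "Running processes:" block.
    entries:   OrderedDict mapping section id (e.g. "O23") -> list of entry bodies.
    """
    processes = []
    entries = OrderedDict()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process block
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.setdefault(m.group("sec"), []).append(m.group("body"))
    return processes, entries


def _flatten(entries):
    return {f"{sec} - {body}" for sec, bodies in entries.items() for body in bodies}


def diff_hjt_logs(old_text, new_text):
    """Report processes and entries that appeared or disappeared between two logs."""
    old_procs, old_entries = parse_hjt_log(old_text)
    new_procs, new_entries = parse_hjt_log(new_text)
    return {
        "procs_added": sorted(set(new_procs) - set(old_procs)),
        "procs_removed": sorted(set(old_procs) - set(new_procs)),
        "entries_added": sorted(_flatten(new_entries) - _flatten(old_entries)),
        "entries_removed": sorted(_flatten(old_entries) - _flatten(new_entries)),
    }


def suspicious_autostarts(entries):
    """Autostart/service entries whose target path lies in a user-writable location.

    These are prompts for a human to review, not verdicts: a legitimate tool
    run from a Desktop folder is listed too.
    """
    hits = []
    for sec in AUTOSTART_SECTIONS:
        for body in entries.get(sec, []):
            lowered = body.lower()
            if any(marker in lowered for marker in USER_WRITABLE):
                hits.append(f"{sec} - {body}")
    return sorted(hits)


# Constructed excerpts of the first two logs posted in this thread.
LOG_A = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Documents and Settings\Darrel Caldwell\Desktop\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgmain.exe
O23 - Service: Norton AntiVirus Client - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
"""

LOG_B = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgmain.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
"""

if __name__ == "__main__":
    for key, values in diff_hjt_logs(LOG_A, LOG_B).items():
        print(key)
        for v in values:
            print("   ", v)
    print("review:")
    for hit in suspicious_autostarts(parse_hjt_log(LOG_B)[1]):
        print("   ", hit)
```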
  4. Cookiegal (Administrator, Malware Specialist Coordinator)

    It looks like your anti-virus has been disabled.

    Download Cleanup from Here
    • A window will open and choose SAVE, then DESKTOP as the destination.
    • On your Desktop, click on Cleanup40.exe icon.
    • Then, click RUN and place a checkmark beside "I Agree"
    • Then click NEXT followed by START and OK.
    • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
    • Click OK
    • DO NOT RUN IT YET


    Download the trial version of Ewido Security Suite here.
    • Install ewido.
    • During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido
    • It will prompt you to update; click the OK button and it will go to the main screen.
    • On the left side of the main screen click update
    • Click on Start and let it update.
    • DO NOT run a scan yet. You will do that later in safe mode.

    Click here for info on how to boot to safe mode if you don't already know how.


    Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


    Restart your computer into safe mode now. Perform the following steps in safe mode:


    Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When the scan is finished, look at the bottom of the screen and click the Save report button.
    • Save the report to your desktop



    Run Cleanup:
    • Click on the "Cleanup" button and let it run.
    • Once it’s done, close the program.


    Go to Control Panel - Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


    Restart back into Windows normally now.


    Do a Panda Active Scan. Be sure to save the log it creates.


    Come back here and post a new HijackThis log, as well as the logs from the Ewido and Panda scans.
     
  5. caldwelldr (Thread Starter)

    Cookiegal -- Did a virus disable my Norton anti-virus software?? What does it take to protect yourself from these viruses??

    I followed your directions and ran Ewido, scanner (eliminated 750+ Mb of temporary files), and Panda Active. The virus logs are as follows:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:26:56 AM, on 1/17/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgmain.exe
    C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgbhp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgmain.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104881148156
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3523F1AC-1534-4423-81D9-3276B39F12CA}: NameServer = 207.69.188.187 207.69.188.186
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3523F1AC-1534-4423-81D9-3276B39F12CA}: NameServer = 207.69.188.187 207.69.188.186
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 11:35:42 PM, 1/16/2006
    + Report-Checksum: 1F069154

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
    C:\Documents and Settings\Darrel Caldwell\Local Settings\Temp\5B.tmp -> Downloader.Small.aef : Cleaned with backup
    C:\Documents and Settings\Darrel Caldwell\Local Settings\Temp\5D.tmp -> Downloader.IstBar.gv : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1567011825-1244572991-514352727-1005\Dc64.dll -> Downloader.Agent.bc : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1567011825-1244572991-514352727-1005\Dc66.dll -> Downloader.Agent.bc : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1567011825-1244572991-514352727-1005\Dc69\backup-20050108-230415-804.dll -> Downloader.Agent.bc : Cleaned with backup
    C:\WINDOWS\Darrel Caldwell.acl:lbnlv -> Downloader.Agent.al : Cleaned with backup
    C:\WINDOWS\DtcInstall.log:sglgy -> Downloader.Agent.gs : Cleaned with backup
    C:\WINDOWS\mfckf32.exe -> Downloader.Agent.al : Cleaned with backup
    C:\WINDOWS\Q810577.log:fraik -> Downloader.Agent.gs : Cleaned with backup
    C:\WINDOWS\smscfg.ini:vjkpy -> Downloader.Agent.gs : Cleaned with backup
    C:\WINDOWS\system32\addbf.exe -> Downloader.Agent.al : Cleaned with backup
    C:\WINDOWS\system32\ntkm32.exe -> Downloader.Agent.al : Cleaned with backup


    ::Report End


    It appears that I have lots of viruses + spyware. I will have to upload the Panda Active Scan via another thread, since I am exceeding the limit.

    What do I do now?

    Thanks for your help -- Cookiegal (y)

    Darrel
     
  6. caldwelldr

    caldwelldr Thread Starter

    Joined:
    Jan 7, 2005
    Messages:
    24
    Cookie Girl (y) Attached is the Panda Active Scan:


    Incident Status Location

    Spyware:spyware/petro-line Not disinfected C:\Documents and Settings\Darrel Caldwell\Favorites\SITES ABOUT\Ab scissor.url
    Adware:adware/searchaid Not disinfected C:\Documents and Settings\Darrel Caldwell\Favorites\Search the web.url
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Darrel Caldwell\Cookies\darrel [email protected][1].txt
    Adware:Adware/Winshow Not disinfected C:\WINDOWS\emash.dll
    Virus:Trojan Horse Disinfected Personal Folders\Inbox\Veronica Caldwell\Problems with your Earthlink account.\ATT00008.html
    Virus:Trj/Citifraud.A Disinfected Personal Folders\Darrel's old email messages\Please Confirm Your SunTrust Bank Internet Banking Identity\ATT00001.html
    Virus:Exploit/URLSpoof Disinfected Personal Folders\Darrel's old email messages\Important Information Regarding Your Account\ATT00006.html
    Virus:Trj/Citifraud.A Disinfected Personal Folders\Darrel's old email messages\Washington Mutual - confirm your details to avoid service cancellation [Fri, 03 Dec 2004 12:40:50 +0\ATT00000.html
    Virus:Trj/Citifraud.A Disinfected Personal Folders\Darrel's old email messages\Washington Mutual - confirm your details to avoid service cancellation [Fri, 03 Dec 2004 12:40:50 +0\MESSAGE.TXT[~0000001.~]
    Virus:Trj/Mitglieder.BP Disinfected Personal Folders\Darrel's old email messages\price_08.zip[prs_03.exe]
    Virus:Exploit/URLSpoof Disinfected Personal Folders\Darrel's old email messages\Important Information Regarding Your Account\ATT00005.html
    Virus:Trj/Mitglieder.BO Not disinfected Personal Folders\Darrel's old email messages\34544.rar[dddd.exe]
    Virus:Exploit/URLSpoof Disinfected Personal Folders\Darrel's old email messages\Important Information Regarding Your Account\ATT00007.html
    Virus:W32/Sober.U.worm!CME-414 Disinfected Personal Folders\Darrel's old email messages\I've_got your EMail on my_account!\your_text.zip[mail.document.Datex-packed.exe]
    Adware:Adware/Winshow Not disinfected C:\WINDOWS\rzgvz.dll
    Adware:Adware/Winshow Not disinfected C:\WINDOWS\system32\duaqq.dll
    Adware:Adware/Winshow Not disinfected C:\WINDOWS\system32\oujbv.dll
    Virus:Trj/Mitglieder.BO Not disinfected Personal Folders\Darrel's old email messages\34544.rar[dddd.exe]
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\Jqan.bat
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\ttaxol[20].scr
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\.exe
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\Help....scr
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\SRC.pif
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\Wizard.pif
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\ttaxol[28].pif
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\rock.exe
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\credit.scr
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\ttaxol[12].bat
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\rolex[1].pif
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\to
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\Reed.pif
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Warning: could not send message for past 4 hours\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Warning: could not send message for past 4 hours\additions[1].pif
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: Cannot send message within 4 days\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: Cannot send message within 4 days\TYPE.exe
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: Cannot send message within 4 days\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: Cannot send message within 4 days\Coip.scr
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Mail System Error - Returned Mail\rock.exe
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\tab50x75[1].bat
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Warning: could not send message for past 4 hours\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Warning: could not send message for past 4 hours\tab50x75[1].bat
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Warning: could not send message for past 4 hours\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Warning: could not send message for past 4 hours\color.pif
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\color.pif
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Mail System Error - Returned Mail\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Mail System Error - Returned Mail\align.pif
    Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: Cannot send message within 4 days\~0000004.~
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail: Cannot send message within 4 days\additions[1].pif
    Virus:W32/Klez.I Disinfected Local Folders\Deleted Items\Returned mail--"window.top.name "\SRC.scr



    Hope this helps!

    Darrel
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,031
    Try uninstalling Norton via the Control Panel and then reinstalling it.


    Click Here and download Killbox and save it to your desktop but don’t run it yet.


    Then boot to safe mode:


    How to restart to safe mode


    Double-click on Killbox.exe to run it.
    • Put a tick by Standard File Kill.
    • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

      C:\WINDOWS\emash.dll
      C:\WINDOWS\rzgvz.dll
      C:\WINDOWS\system32\duaqq.dll
      C:\WINDOWS\system32\oujbv.dll


    • Click on the button that has the red circle with the X in the middle after you enter each file.
    • It will ask for confirmation to delete the file.
    • Click Yes.
    • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
    • Killbox may tell you that one or more files do not exist.
    • If that happens, just continue on with all the files. Be sure you don't miss any.
    • Next in Killbox go to Tools > Delete Temp Files
    • In the window that pops up, put a check by ALL the options there except these three:
      • XP Prefetch
      • Recent
      • History
    • Now click the Delete Selected Temp Files button.
    • Exit the Killbox.


    Delete these items from your favourites:

    C:\Documents and Settings\Darrel Caldwell\Favorites\SITES ABOUT\Ab scissor.url
    C:\Documents and Settings\Darrel Caldwell\Favorites\Search the web.url


    Boot back to Windows normally and post another HijackThis log please.
     
  8. caldwelldr

    caldwelldr Thread Starter

    Joined:
    Jan 7, 2005
    Messages:
    24
    Cookiegal (y) I followed your directions & deleted Norton antivirus, installed Killbox, went to safe mode, deleted all of the files you identified, rebooted in normal mode and ran the below HijackThis file:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:54:59 PM, on 1/17/2006
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgmain.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\dlprotect.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgmain.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104881148156
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3523F1AC-1534-4423-81D9-3276B39F12CA}: NameServer = 207.69.188.187 207.69.188.186
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3523F1AC-1534-4423-81D9-3276B39F12CA}: NameServer = 207.69.188.187 207.69.188.186
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe


    I am going to reinstall the full Symantec virus + firewall as soon as I send this message, since I have to download it from the internet & it is a big file.

    Also, I retried the inbox, but continue to get the same spooler error message.

    Please let me know what to do. Hopefully, all of the deleted viruses + spyware + files tonight have deleted most of the virus problems!

    Thanks for the help! Let me know what to do!

    Darrel
     
  9. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,031
    Run this removal tool:

    http://securityresponse.symantec.com/avcenter/FixKlez.com


    Delete the following e-mails from Darrel's old email messages, particularly the first one as it was not disinfected by Panda whereas the others were.

    Personal Folders\Darrel's old email messages\34544.rar[dddd.exe]

    Personal Folders\Darrel's old email messages\Please Confirm Your SunTrust Bank Internet Banking Identity\ATT00001.html

    Personal Folders\Darrel's old email messages\Important Information Regarding Your Account\ATT00006.html

    Personal Folders\Darrel's old email messages\Washington Mutual - confirm your details to avoid service cancellation [Fri, 03 Dec 2004 12:40:50 +0\ATT00000.html

    Personal Folders\Darrel's old email messages\Washington Mutual - confirm your details to avoid service cancellation [Fri, 03 Dec 2004 12:40:50 +0\MESSAGE.TXT[~0000001.~]

    Personal Folders\Darrel's old email messages\price_08.zip[prs_03.exe]

    Personal Folders\Darrel's old email messages\Important Information Regarding Your Account\ATT00005.html

    Personal Folders\Darrel's old email messages\Important Information Regarding Your Account\ATT00007.html

    Personal Folders\Darrel's old email messages\I've_got your EMail on my_account!\your_text.zip[mail.document.Datex-packed.exe]


    Delete these e-mails from your deleted items (or delete everything in there):

    Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~

    Local Folders\Deleted Items\Returned mail: see transcript for details\Jqan.bat

    Local Folders\Deleted Items\Returned mail: see transcript for details\ttaxol[20].scr

    Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~

    Local Folders\Deleted Items\Returned mail: see transcript for details\.exe

    Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~

    Local Folders\Deleted Items\Returned mail: see transcript for details\Help....scr

    Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~

    Local Folders\Deleted Items\Returned mail: see transcript for details\SRC.pif

    Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~

    Local Folders\Deleted Items\Returned mail: see transcript for details\Wizard.pif

    Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~

    Local Folders\Deleted Items\Returned mail: see transcript for details\ttaxol[28].pif

    Local Folders\Deleted Items\Returned mail: see transcript for details\rock.exe

    Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~

    Local Folders\Deleted Items\Returned mail: see transcript for details\credit.scr

    Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~

    Local Folders\Deleted Items\Returned mail: see transcript for details\ttaxol[12].bat

    Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~

    Local Folders\Deleted Items\Returned mail: see transcript for details\rolex[1].pif

    Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~

    Local Folders\Deleted Items\Returned mail: see transcript for details\to

    Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~

    Local Folders\Deleted Items\Returned mail: see transcript for details\Reed.pif

    Local Folders\Deleted Items\Warning: could not send message for past 4 hours\~0000004.~

    Local Folders\Deleted Items\Warning: could not send message for past 4 hours\additions[1].pif

    Local Folders\Deleted Items\Returned mail: Cannot send message within 4 days\~0000004.~

    Local Folders\Deleted Items\Returned mail: Cannot send message within 4 days\TYPE.exe

    Local Folders\Deleted Items\Returned mail: Cannot send message within 4 days\~0000004.~

    Local Folders\Deleted Items\Returned mail: Cannot send message within 4 days\Coip.scr

    Local Folders\Deleted Items\Mail System Error - Returned Mail\rock.exe

    Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~

    Local Folders\Deleted Items\Returned mail: see transcript for details\tab50x75[1].bat

    Local Folders\Deleted Items\Warning: could not send message for past 4 hours\~0000004.~

    Local Folders\Deleted Items\Warning: could not send message for past 4 hours\tab50x75[1].bat

    Local Folders\Deleted Items\Warning: could not send message for past 4 hours\~0000004.~

    Local Folders\Deleted Items\Warning: could not send message for past 4 hours\color.pif

    Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~

    Local Folders\Deleted Items\Returned mail: see transcript for details\color.pif

    Local Folders\Deleted Items\Mail System Error - Returned Mail\~0000004.~

    Local Folders\Deleted Items\Mail System Error - Returned Mail\align.pif

    Local Folders\Deleted Items\Returned mail: Cannot send message within 4 days\~0000004.~

    Local Folders\Deleted Items\Returned mail: Cannot send message within 4 days\additions[1].pif

    Local Folders\Deleted Items\Returned mail--"window.top.name "\SRC.scr


    Delete this e-mail from Veronica's inbox:

    Personal Folders\Inbox\Veronica Caldwell\Problems with your Earthlink account.\ATT00008.html


    Reboot and post a new HijackThis log please once you've reinstalled Norton.
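    The Panda ActiveScan report posted above and the hand triage in this reply (picking out what was "Not disinfected" and where it lives) can be done mechanically. The following Python helper is an added example, not code from this thread or from Panda: it parses each `<Type>:<Name> <Status> <Location>` report line, keeping the two-word status `Not disinfected` as one token so locations containing spaces survive, separates on-disk files from mail-store items, and lists what still needs manual removal. The sample lines are excerpted from the report in this thread.

```python
"""Triage helper for Panda ActiveScan report lines.

Added example, not code from this thread or from Panda. Each report line has
the shape  <Type>:<Name> <Status> <Location>  where Status is either
"Disinfected" or "Not disinfected" (two words) and Location may itself
contain spaces, so a naive str.split() would break the location apart.
"""
import re
from dataclasses import dataclass

# The status alternation lists the two-word form first so it is matched whole;
# the location is everything after it (lazy, with trailing whitespace trimmed).
_LINE_RE = re.compile(
    r"^(?P<kind>[A-Za-z]+):(?P<name>\S+)\s+"
    r"(?P<status>Not disinfected|Disinfected)\s+"
    r"(?P<location>.+?)\s*$"
)


@dataclass(frozen=True)
class Incident:
    kind: str      # "Virus", "Adware", "Spyware", ...
    name: str      # detection name, e.g. "Trj/Mitglieder.BO"
    status: str    # "Disinfected" or "Not disinfected"
    location: str  # file path on disk, or a path inside the mail store


def parse_report(text):
    """Parse report text, skipping the header, blank lines and malformed lines."""
    incidents = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Incident "):
            continue
        match = _LINE_RE.match(line)
        if match:
            incidents.append(Incident(**match.groupdict()))
    return incidents


def is_mail_store(incident):
    """True when the location is inside the mail client's store (no drive letter)."""
    return re.match(r"^[A-Za-z]:\\", incident.location) is None


def status_counts(incidents):
    """Count incidents per status, e.g. {'Disinfected': 2, 'Not disinfected': 4}."""
    counts = {}
    for inc in incidents:
        counts[inc.status] = counts.get(inc.status, 0) + 1
    return counts


def needs_manual_removal(incidents):
    """Items the scanner could not clean, de-duplicated by location, first-seen order.

    These are the ones that have to be removed by hand: on-disk files with a
    tool such as Killbox, mail-store items from inside the mail client.
    """
    seen = set()
    todo = []
    for inc in incidents:
        if inc.status == "Not disinfected" and inc.location not in seen:
            seen.add(inc.location)
            todo.append(inc)
    return todo


# Excerpt of the ActiveScan report posted in this thread (raw string, so the
# Windows backslashes are kept exactly as written).
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:spyware/petro-line Not disinfected C:\Documents and Settings\Darrel Caldwell\Favorites\SITES ABOUT\Ab scissor.url
Adware:Adware/Winshow Not disinfected C:\WINDOWS\emash.dll
Virus:Trj/Citifraud.A Disinfected Personal Folders\Darrel's old email messages\Please Confirm Your SunTrust Bank Internet Banking Identity\ATT00001.html
Virus:Trj/Mitglieder.BO Not disinfected Personal Folders\Darrel's old email messages\34544.rar[dddd.exe]
Virus:Exploit/iFrame Disinfected Local Folders\Deleted Items\Returned mail: see transcript for details\~0000004.~
Virus:Trj/Mitglieder.BO Not disinfected Personal Folders\Darrel's old email messages\34544.rar[dddd.exe]
"""


if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print("status counts:", status_counts(found))
    for inc in needs_manual_removal(found):
        where = "mail store" if is_mail_store(inc) else "disk"
        print(f"[{where}] {inc.kind}:{inc.name} -> {inc.location}")
```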
     
  10. caldwelldr

    caldwelldr Thread Starter

    Joined:
    Jan 7, 2005
    Messages:
    24
    Cookiegal -- I am still experiencing new viruses. My Symantec anti-virus software found the following new viruses: Adware.CWSIEFeats and CoolWebSearchIEFeats. I have also been experiencing several cases of the IE current user homepage, IE current user and IE local machine homepage being reset to pages which resemble Symantec, MSN, and Microsoft pages, for which I rejected the revisions. I am also getting a ccApp message on shutdown sometimes.

    I completed your previous instructions, although it was pretty difficult to find some of the files to remove, so I am not 100% positive I found all of them. Also, Outlook appears to be working now! It appears to me that if I can get the final viruses deleted and get an optimum/compatible environment between XP SP2, Symantec firewall & anti-virus software, I may have it fixed.

    Below is the recent HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:52:29 PM, on 1/28/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgmain.exe
    C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgbhp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\dlprotect.dll
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgmain.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104881148156
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3523F1AC-1534-4423-81D9-3276B39F12CA}: NameServer = 207.69.188.187 207.69.188.186
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3523F1AC-1534-4423-81D9-3276B39F12CA}: NameServer = 207.69.188.187 207.69.188.186
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

    Thanks for your help! Please let me know what to do now!

    Darrel
     
  11. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,031
    Where does Norton say those viruses are located?
     
  12. caldwelldr

    caldwelldr Thread Starter

    Joined:
    Jan 7, 2005
    Messages:
    24
    Cookiegal -- Of the 40 viruses found, the majority are in C:\Windows\ but 4 or 5 are in the following: C:\system volume information\_restore{87976B-5886-AC67-9A4ED891....

    My computer takes excessively long to boot up. Would it make sense to remove the Symantec firewall?

    Thanks for your help!

    Darrel
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,031
    No, do not remove the Norton firewall.


    Please run Ewido again and do another Panda active scan and post the logs from each please.
     
  14. caldwelldr

    caldwelldr Thread Starter

    Joined:
    Jan 7, 2005
    Messages:
    24
    Cookiegal - I removed the Symantec software because I continued to get continual Windows Installer errors and the computer was running so slow that it was difficult to deal with. I ran the Symantec antivirus before I removed it and there were 40+ viruses found. I then reactivated the XP SPII firewall & reloaded the Symantec anti-virus and immediately updated it. There were no viruses found by Symantec anti-virus software and the computer was running more normally. Then, I followed your direction and ran a full Ewido complete scan in the safe mode, which found 6 errors and corrected them, and also ran the cleanup40 scan while I was in the safe mode. Went back to normal mode and ran the Panda Active scan which found 2 viruses, one appears to be spyware and the other is malicious and dangerous (Trj/Mitglieder.BO). The logs are as follows:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 11:52:48 PM, 1/28/2006
    + Report-Checksum: 69F9C517

    + Scan result:

    C:\Documents and Settings\Darrel Caldwell\Cookies\darrel [email protected][2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\Veronica Caldwell\Cookies\veronica [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Veronica Caldwell\Cookies\veronica [email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Veronica Caldwell\Cookies\veronica [email protected][2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Veronica Caldwell\Cookies\veronica [email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Veronica Caldwell\Cookies\veronica [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup


    ::Report End


    Incident Status Location

    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Darrel Caldwell\Cookies\darrel [email protected][2].txt
    Virus:Trj/Mitglieder.BO Not disinfected Personal Folders\Darrel's old email messages\34544.rar[dddd.exe]

    Logfile of HijackThis v1.99.1
    Scan saved at 11:38:55 AM, on 1/29/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Microsoft Office\Office\OSA.EXE
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\Handspring\HOTSYNC.EXE
    C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgmain.exe
    C:\WINDOWS\system32\MsgSys.EXE
    C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgbhp.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\WINDOWS\system32\MAPISP32.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.start.earthlink.net/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\dlprotect.dll
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\sgmain.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
    O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office\MSOFFICE.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1104881148156
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3523F1AC-1534-4423-81D9-3276B39F12CA}: NameServer = 207.69.188.187 207.69.188.186
    O17 - HKLM\System\CS1\Services\Tcpip\..\{3523F1AC-1534-4423-81D9-3276B39F12CA}: NameServer = 207.69.188.187 207.69.188.186
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

    It appears to be that the primary final issue is eliminating the Trj/Mitglieder.BO virus.

    Please let me know what to do now!

    Thanks!!

    Darrel
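The HijackThis log above is what the helper reads by eye: each `O4`, `O20` and `O23` line is an auto-start location and a file path, and the `O17` lines are the DNS servers the machine resolves through. The script below is an added example (not part of this thread and not HijackThis's own code) that parses lines of that format into records and applies a few review heuristics: an auto-start entry with no resolvable file, one that runs from a user profile directory, and an `O17` resolver that is not on an expected list. The sample lines are copied from the log posted above; the heuristics and the `expected_dns` list are my assumptions, and a flag means "look at this", not "this is malicious" (the SpywareGuard entry it flags is a legitimate tool installed to the Desktop).

```python
"""Parse HijackThis-style log lines into records and flag entries worth a second look."""
import re
from typing import Dict, List, Optional

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Documents and Settings\Darrel Caldwell\Desktop\SpywareGuard\dlprotect.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{3523F1AC-1534-4423-81D9-3276B39F12CA}: NameServer = 207.69.188.187 207.69.188.186
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A Windows path ending in a loadable extension; non-greedy so trailing
# arguments such as ' /background' are not swallowed into the path.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|cab)\b", re.IGNORECASE)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

NAME_PATTERNS = {
    "O2": re.compile(r"^BHO: (?P<name>.+?) - \{"),
    "O20": re.compile(r"^Winlogon Notify: (?P<name>.+?) - "),
    "O23": re.compile(r"^Service: (?P<name>.+?) - "),
}
# Sections whose entries are executed automatically (assumed scope of this example).
AUTOSTART_SECTIONS = {"O2", "O4", "O20", "O23"}
USER_PROFILE_ROOT = "c:\\documents and settings\\"


def _extract_name(section: str, body: str) -> Optional[str]:
    """Pull the human-readable entry name out of a section body."""
    if section == "O4":
        m = re.match(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\]", body)
        if m:
            return m.group("name")
        m = re.match(r"^(?:Global )?Startup: (?P<name>.+?) = ", body)
        return m.group("name") if m else None
    pattern = NAME_PATTERNS.get(section)
    if pattern is None:
        return None
    m = pattern.match(body)
    return m.group("name") if m else None


def parse_log(text: str) -> List[Dict]:
    """Turn each 'Oxx - ...' line into a dict with section, name, path and DNS servers."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.group("section"), m.group("body")
        path_match = PATH_RE.search(body)
        records.append({
            "section": section,
            "body": body,
            "name": _extract_name(section, body),
            "path": path_match.group(0) if path_match else None,
            "servers": IP_RE.findall(body) if section == "O17" else [],
        })
    return records


def review_flags(rec: Dict, expected_dns: Optional[List[str]] = None) -> List[str]:
    """Heuristic review notes for one record (assumptions of this example, not HijackThis rules)."""
    flags = []
    if rec["section"] in AUTOSTART_SECTIONS and rec["path"] is None:
        flags.append("auto-start entry without a resolvable file path")
    if rec["path"] and rec["path"].lower().startswith(USER_PROFILE_ROOT):
        flags.append("auto-start entry runs from a user profile directory")
    if rec["section"] == "O17" and expected_dns is not None:
        unexpected = [ip for ip in rec["servers"] if ip not in expected_dns]
        if unexpected:
            flags.append("DNS server not in expected list: " + ", ".join(unexpected))
    return flags


def triage(text: str, expected_dns: Optional[List[str]] = None) -> List[Dict]:
    """Return only the records that carry at least one review flag."""
    flagged = []
    for rec in parse_log(text):
        flags = review_flags(rec, expected_dns)
        if flags:
            flagged.append({**rec, "flags": flags})
    return flagged


if __name__ == "__main__":
    # The resolver list here is assumed; in practice take it from the ISP or DHCP lease.
    for rec in triage(SAMPLE_LOG, expected_dns=["207.69.188.187", "207.69.188.186"]):
        print(rec["section"], rec["name"], rec["path"], rec["flags"])
```

Wrapped log lines (a path split across two lines, as the forum did above) must be rejoined before parsing, since the parser works line by line.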
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,031
    Go to this folder and delete any e-mail that looks like this:

    Personal Folders\Darrel's old email messages\34544.rar[dddd.exe]

    Let me know if you find it please.
     
Short URL to this thread: https://techguy.org/434110