Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

"DANGER: SPYWARE" desktop, Slim Shield(RESOLVED)

 
This forum is locked: you cannot post, reply to, or edit topics.   This topic is locked: you cannot edit posts or make replies.    Spyware Warrior Forum Index -> Archived Spyware Removal Help Topics
View previous topic :: View next topic  
Author Message
SiO2MAN
Junior Member


Joined: 02 Apr 2005
Last Visit: 10 Apr 2005
Posts: 16

PostPosted: Sat Apr 02, 2005 11:17 am    Post subject: "DANGER: SPYWARE" desktop, Slim Shield(RESOLVED)

I've done as much as I can reading your very helpful guides and others' threads but I'm going to need some personal attention please.

It started with the about:blank home page and changing my default search engine in IE. Next thing you know my desktop had been hijacked.

So far I have:
*Downloaded Windows updates except SP2 because Dell said if you've got spyware problems take care of them first
*Downloaded and ran CWShredder, Spybot, AdAware, and Microsoft beta program, they all found stuff that has been removed
*Upgraded to 2005 Norton Internet Security, ran virus scan and deleted some bad stuff
*Manually deleted temp and temporary internet files for all users except 1 DAT file that can't be deleted (I can't empty my Norton protected recycle bin since I can't right click on my desktop)

Here's my hjt log, thanks:

Logfile of HijackThis v1.99.1
Scan saved at 1:58:34 PM, on 4/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\Mpp.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Documents and Settings\Robert\Start Menu\Programs\Startup\winupdate24050110[1].exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Nvt] C:\WINDOWS\system32\Mpp.exe
O4 - HKLM\..\Run: [Hem] C:\WINDOWS\system32\Ial.exe
O4 - HKLM\..\Run: [Rni] C:\WINDOWS\system32\Pel.exe
O4 - HKLM\..\Run: [Uup] C:\WINDOWS\system32\Mov.exe
O4 - HKLM\..\Run: [Dsi] C:\WINDOWS\system32\Bie.exe
O4 - HKLM\..\Run: [Avs] C:\WINDOWS\system32\Emv.exe
O4 - HKLM\..\Run: [Vqv] C:\WINDOWS\Jia.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ans] C:\WINDOWS\system32\Tvg.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Lvb] C:\WINDOWS\system32\Fpk.exe
O4 - HKLM\..\Run: [Qns] C:\WINDOWS\Uiq.exe
O4 - HKLM\..\Run: [Rjp] C:\WINDOWS\Uop.exe
O4 - HKLM\..\Run: [Hea] C:\WINDOWS\Fse.exe
O4 - HKLM\..\Run: [Dhv] C:\WINDOWS\system32\Bfj.exe
O4 - HKLM\..\Run: [Rqb] C:\WINDOWS\system32\Aos.exe
O4 - HKLM\..\Run: [Klu] C:\WINDOWS\Ote.exe
O4 - HKLM\..\Run: [Prn] C:\WINDOWS\system32\Ubn.exe
O4 - HKLM\..\Run: [Qnc] C:\WINDOWS\system32\Bku.exe
O4 - HKLM\..\Run: [Olk] C:\WINDOWS\Tfi.exe
O4 - HKLM\..\Run: [Qmd] C:\WINDOWS\Nuv.exe
O4 - HKLM\..\Run: [Ahg] C:\WINDOWS\system32\Urg.exe
O4 - HKLM\..\Run: [Ctu] C:\WINDOWS\Sau.exe
O4 - HKLM\..\Run: [Vup] C:\WINDOWS\system32\Pct.exe
O4 - HKLM\..\Run: [Uen] C:\WINDOWS\System32\Nvh.exe
O4 - HKLM\..\Run: [Pgo] C:\WINDOWS\Qdo.exe
O4 - HKLM\..\Run: [Haq] C:\WINDOWS\Rfu.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [The] C:\WINDOWS\System32\Mfs.exe
O4 - HKLM\..\Run: [Rin] C:\WINDOWS\Doh.exe
O4 - HKLM\..\Run: [Fka] C:\WINDOWS\System32\Eff.exe
O4 - HKLM\..\Run: [Oec] C:\WINDOWS\Ltb.exe
O4 - HKLM\..\Run: [Eec] C:\WINDOWS\Utn.exe
O4 - HKLM\..\Run: [Ldt] C:\WINDOWS\System32\Kur.exe
O4 - HKLM\..\Run: [Arh] C:\WINDOWS\Uvg.exe
O4 - HKLM\..\Run: [Ffh] C:\WINDOWS\System32\Hfd.exe
O4 - HKLM\..\Run: [Vqc] C:\WINDOWS\Glj.exe
O4 - HKLM\..\Run: [Dtr] C:\WINDOWS\Imc.exe
O4 - HKLM\..\Run: [Uvn] C:\WINDOWS\Lcs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Hem] C:\WINDOWS\system32\Ial.exe
O4 - HKCU\..\Run: [Anv] C:\WINDOWS\system32\Jkt.exe
O4 - HKCU\..\Run: [Khi] C:\WINDOWS\Vmq.exe
O4 - HKCU\..\Run: [Hli] C:\WINDOWS\Her.exe
O4 - HKCU\..\Run: [Ktm] C:\WINDOWS\system32\Ubh.exe
O4 - HKCU\..\Run: [Mav] C:\WINDOWS\Trd.exe
O4 - HKCU\..\Run: [Pla] C:\WINDOWS\Vvq.exe
O4 - HKCU\..\Run: [Jio] C:\WINDOWS\Bjg.exe
O4 - HKCU\..\Run: [Dsi] C:\WINDOWS\system32\Bie.exe
O4 - HKCU\..\Run: [Avs] C:\WINDOWS\system32\Emv.exe
O4 - HKCU\..\Run: [Rpj] C:\WINDOWS\Unt.exe
O4 - HKCU\..\Run: [Oku] C:\WINDOWS\Moo.exe
O4 - HKCU\..\Run: [Esb] C:\WINDOWS\system32\Npf.exe
O4 - HKCU\..\Run: [Hro] C:\WINDOWS\Rqn.exe
O4 - HKCU\..\Run: [Pdc] C:\WINDOWS\Qfg.exe
O4 - HKCU\..\Run: [Flc] C:\WINDOWS\Cql.exe
O4 - HKCU\..\Run: [Nmt] C:\WINDOWS\system32\Ghv.exe
O4 - HKCU\..\Run: [Ans] C:\WINDOWS\system32\Tvg.exe
O4 - HKCU\..\Run: [Lvb] C:\WINDOWS\system32\Fpk.exe
O4 - HKCU\..\Run: [Qns] C:\WINDOWS\Uiq.exe
O4 - HKCU\..\Run: [Rjp] C:\WINDOWS\Uop.exe
O4 - HKCU\..\Run: [Lqp] C:\WINDOWS\Vbe.exe
O4 - HKCU\..\Run: [Emf] C:\WINDOWS\Ohs.exe
O4 - HKCU\..\Run: [Nrk] C:\WINDOWS\Vna.exe
O4 - HKCU\..\Run: [Njl] C:\WINDOWS\system32\Nqh.exe
O4 - HKCU\..\Run: [Hea] C:\WINDOWS\Fse.exe
O4 - HKCU\..\Run: [Klu] C:\WINDOWS\Ote.exe
O4 - HKCU\..\Run: [Prn] C:\WINDOWS\system32\Ubn.exe
O4 - HKCU\..\Run: [Qnc] C:\WINDOWS\system32\Bku.exe
O4 - HKCU\..\Run: [Olk] C:\WINDOWS\Tfi.exe
O4 - HKCU\..\Run: [Qmd] C:\WINDOWS\Nuv.exe
O4 - HKCU\..\Run: [Ahg] C:\WINDOWS\system32\Urg.exe
O4 - HKCU\..\Run: [Ctu] C:\WINDOWS\Sau.exe
O4 - HKCU\..\Run: [Vup] C:\WINDOWS\system32\Pct.exe
O4 - HKCU\..\Run: [Cfm] C:\WINDOWS\Tpi.exe
O4 - HKCU\..\Run: [Nli] C:\WINDOWS\Vgv.exe
O4 - HKCU\..\Run: [Fif] C:\WINDOWS\Gjg.exe
O4 - HKCU\..\Run: [Pqq] C:\WINDOWS\system32\Ufr.exe
O4 - HKCU\..\Run: [Jmg] C:\WINDOWS\system32\Eqr.exe
O4 - HKCU\..\Run: [Bmg] C:\WINDOWS\Mgo.exe
O4 - HKCU\..\Run: [Srh] C:\WINDOWS\Ifm.exe
O4 - HKCU\..\Run: [Gca] C:\WINDOWS\system32\Htb.exe
O4 - HKCU\..\Run: [Nol] C:\WINDOWS\system32\Die.exe
O4 - HKCU\..\Run: [Hgf] C:\WINDOWS\system32\Nuv.exe
O4 - HKCU\..\Run: [Pjg] C:\WINDOWS\System32\Jlk.exe
O4 - HKCU\..\Run: [Uen] C:\WINDOWS\System32\Nvh.exe
O4 - HKCU\..\Run: [Pgo] C:\WINDOWS\Qdo.exe
O4 - HKCU\..\Run: [Haq] C:\WINDOWS\Rfu.exe
O4 - HKCU\..\Run: [The] C:\WINDOWS\System32\Mfs.exe
O4 - HKCU\..\Run: [Rin] C:\WINDOWS\Doh.exe
O4 - HKCU\..\Run: [Fka] C:\WINDOWS\System32\Eff.exe
O4 - HKCU\..\Run: [Oec] C:\WINDOWS\Ltb.exe
O4 - HKCU\..\Run: [Ldt] C:\WINDOWS\System32\Kur.exe
O4 - HKCU\..\Run: [Frf] C:\WINDOWS\Rak.exe
O4 - HKCU\..\Run: [Fll] C:\WINDOWS\Srf.exe
O4 - HKCU\..\Run: [Ffh] C:\WINDOWS\System32\Hfd.exe
O4 - HKCU\..\Run: [Dtr] C:\WINDOWS\Imc.exe
O4 - HKCU\..\Run: [Uvn] C:\WINDOWS\Lcs.exe
O4 - Startup: winupdate24050110[1].exe
O4 - Startup: winupdate57930411[1].exe
O4 - Startup: winupdate64981149[1].exe
O4 - Startup: winupdate71993161[1].exe
O4 - Startup: winupdate90290137[1].exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5EFF8B09-B211-42B7-805E-C4670BF8C830} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.

PostPosted: Sun Apr 03, 2005 1:43 pm    Post subject:

Welcome to Spyware Warrior forums.

I would first like to ask what it was that Spybot found and removed. Slimshield is supposedly detected and removed by Spybot as of the Mar. 19 definitions update, can you verify this for us please?

Just go into the report and see what was deleted. You can find it here:

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Logs<<<--in this folder.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
SiO2MAN
Junior Member


Joined: 02 Apr 2005
Last Visit: 10 Apr 2005
Posts: 16

PostPosted: Sun Apr 03, 2005 2:25 pm    Post subject:

Thanks. There were 3 files generated from my first scan, 2 labeled "checks" and 1 "fixes".

Here is what was found:
31.03.2005 23:16:18 - ##### check started #####
31.03.2005 23:16:18 - ### Version: 1.3
31.03.2005 23:16:18 - ### Date: 3/31/2005 11:16:18 PM
31.03.2005 23:16:18 - ##### checking bots #####
31.03.2005 23:16:45 - found: TIBS User settings
31.03.2005 23:16:45 - found: TIBS Program directory
31.03.2005 23:16:45 - found: TIBS Executable
31.03.2005 23:16:51 - found: CoolWWWSearch.Aff.Winshow Bad Favorite
31.03.2005 23:17:12 - found: FunWebProducts Class ID
31.03.2005 23:17:12 - found: FunWebProducts Program directory
31.03.2005 23:17:28 - found: MyWebSearch Autorun settings (MyWebSearch Email Plugin)
31.03.2005 23:17:28 - found: MyWebSearch Program file
31.03.2005 23:17:28 - found: MyWebSearch Browser helper object
31.03.2005 23:17:28 - found: MyWebSearch Class ID
31.03.2005 23:17:28 - found: MyWebSearch Class ID
31.03.2005 23:17:28 - found: MyWebSearch Class ID
31.03.2005 23:17:28 - found: MyWebSearch Class ID
31.03.2005 23:17:28 - found: MyWebSearch Class ID
31.03.2005 23:17:28 - found: MyWebSearch Class ID
31.03.2005 23:17:28 - found: MyWebSearch Class ID
31.03.2005 23:17:28 - found: MyWebSearch Class ID
31.03.2005 23:17:28 - found: MyWebSearch Root class
31.03.2005 23:17:28 - found: MyWebSearch Root class
31.03.2005 23:17:28 - found: MyWebSearch Root class
31.03.2005 23:17:28 - found: MyWebSearch Root class
31.03.2005 23:17:28 - found: MyWebSearch Root class
31.03.2005 23:17:28 - found: MyWebSearch Root class
31.03.2005 23:17:28 - found: MyWebSearch Type library
31.03.2005 23:17:28 - found: MyWebSearch Type library
31.03.2005 23:17:28 - found: MyWebSearch Type library
31.03.2005 23:17:28 - found: MyWebSearch Type library
31.03.2005 23:17:28 - found: MyWebSearch Type library
31.03.2005 23:17:28 - found: MyWebSearch Type library
31.03.2005 23:17:28 - found: MyWebSearch Browser helper object
31.03.2005 23:17:28 - found: MyWebSearch Settings
31.03.2005 23:17:28 - found: MyWebSearch Settings
31.03.2005 23:17:28 - found: MyWebSearch Settings
31.03.2005 23:17:28 - found: MyWebSearch Uninstall settings
31.03.2005 23:17:28 - found: MyWebSearch Settings
31.03.2005 23:17:28 - found: MyWebSearch Program directory
31.03.2005 23:17:28 - found: MyWebSearch Installer
31.03.2005 23:17:28 - found: Haxdoor-H Settings
31.03.2005 23:17:41 - found: FunWeb Root class
31.03.2005 23:17:41 - found: FunWeb Root class
31.03.2005 23:17:41 - found: FunWeb Class ID
31.03.2005 23:17:41 - found: FunWeb Root class
31.03.2005 23:17:41 - found: FunWeb Class ID
31.03.2005 23:17:41 - found: FunWeb Root class
31.03.2005 23:17:41 - found: FunWeb Root class
31.03.2005 23:17:41 - found: FunWeb Class ID
31.03.2005 23:17:41 - found: FunWeb Root class
31.03.2005 23:17:41 - found: FunWeb Root class
31.03.2005 23:17:41 - found: FunWeb Class ID
31.03.2005 23:17:41 - found: FunWeb Interface
31.03.2005 23:17:41 - found: FunWeb Interface
31.03.2005 23:17:41 - found: FunWeb Settings
31.03.2005 23:17:41 - found: FunWeb Settings
31.03.2005 23:17:41 - found: FunWeb Settings
31.03.2005 23:17:59 - found: Haxdoor-H Settings
31.03.2005 23:17:59 - found: Haxdoor-H Data
31.03.2005 23:17:59 - found: Haxdoor-H Library
31.03.2005 23:18:01 - found: MyWebSearch Class ID
31.03.2005 23:18:01 - found: MyWebSearch Interface
31.03.2005 23:18:01 - found: MyWebSearch Interface
31.03.2005 23:18:01 - found: MyWebSearch Interface
31.03.2005 23:18:01 - found: MyWebSearch Interface
31.03.2005 23:18:01 - found: MyWebSearch Interface
31.03.2005 23:18:01 - found: MyWebSearch Interface
31.03.2005 23:18:01 - found: MyWebSearch Interface
31.03.2005 23:18:01 - found: MyWebSearch Interface
31.03.2005 23:18:01 - found: MyWebSearch Interface
31.03.2005 23:18:01 - found: MyWebSearch Type library
31.03.2005 23:18:01 - found: MyWebSearch Settings
31.03.2005 23:18:18 - found: Startpage-EH Bookmark (Internet Explorer: Robert)
31.03.2005 23:18:18 - ##### check finished #####

And what was fixed:
--- Report generated: 2005-03-31 23:21 ---

Startpage-EH: Bookmark (Internet Explorer: Robert) (Bookmark, fixed)


CoolWWWSearch.Aff.Winshow: Bad Favorite (File, fixed)
C:\Documents and Settings\Robert\Favorites\Search the web.url

FunWeb: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts

FunWeb: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C}

FunWeb: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{8E6F1832-9607-4440-8530-13BE7C4B1D14}

FunWeb: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{98D9753D-D73B-42D5-8C85-4469CDA897AB}

FunWeb: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8}

FunWeb: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}

FunWeb: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C}

FunWeb: Root class (Registry key, fixed)
HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterSettingsControl.1

FunWeb: Root class (Registry key, fixed)
HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterSettingsControl

FunWeb: Root class (Registry key, fixed)
HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterBarButton.1

FunWeb: Root class (Registry key, fixed)
HKEY_CLASSES_ROOT\FunWebProducts.PopSwatterBarButton

FunWeb: Root class (Registry key, fixed)
HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu.1

FunWeb: Root class (Registry key, fixed)
HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu.2

FunWeb: Root class (Registry key, fixed)
HKEY_CLASSES_ROOT\FunWebProducts.HTMLMenu

FunWeb: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\FunWebProducts

FunWeb: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Fun Web Products

FunWebProducts: Program directory (Directory, fixed)
C:\Program Files\FunWebProducts\

FunWebProducts: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}

Haxdoor-H: Library (File, fixed)
C:\WINDOWS\SYSTEM32\klogini.dll

Haxdoor-H: Data (File, fixed)
C:\WINDOWS\SYSTEM32\i.a3d

Haxdoor-H: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StackSize

Haxdoor-H: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Impersonate

MyWebSearch: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\sources\f3PopularScreensavers

MyWebSearch: Installer (File, fixed)
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.8-2.inf

MyWebSearch: Program file (File, fixed)
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

MyWebSearch: Autorun settings (MyWebSearch Email Plugin) (Registry value, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyWebSearch Email Plugin

MyWebSearch: Browser helper object (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\FocusInteractive

MyWebSearch: Browser helper object (Registry key, fixed)
HKEY_USERS\S-1-5-21-4131216973-3906284807-1653038694-1005\Software\MyWebSearch

MyWebSearch: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{A4730EBE-43A6-443e-9776-36915D323AD3}

MyWebSearch: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}

MyWebSearch: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{A9571378-68A1-443d-B082-284F960C6D17}

MyWebSearch: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{9FF05104-B030-46FC-94B8-81276E4E27DF}

MyWebSearch: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{938AA51A-996C-4884-98CE-80DD16A5C9DA}

MyWebSearch: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}

MyWebSearch: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}

MyWebSearch: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}

MyWebSearch: Class ID (Registry key, fixed)
HKEY_CLASSES_ROOT\CLSID\{07B18EA3-A523-4961-B6BB-170DE4475CCA}

MyWebSearch: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}

MyWebSearch: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9}

MyWebSearch: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}

MyWebSearch: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA}

MyWebSearch: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495}

MyWebSearch: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}

MyWebSearch: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC}

MyWebSearch: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}

MyWebSearch: Interface (Registry key, fixed)
HKEY_CLASSES_ROOT\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA}

MyWebSearch: Program directory (Directory, fixed)
C:\Program Files\MyWebSearch\

MyWebSearch: Root class (Registry key, fixing failed)
HKEY_CLASSES_ROOT\ScreenSaverControl.ScreenSaverInstaller.1

MyWebSearch: Root class (Registry key, fixing failed)
HKEY_CLASSES_ROOT\ScreenSaverControl.ScreenSaverInstaller

MyWebSearch: Root class (Registry key, fixed)
HKEY_CLASSES_ROOT\MyWebSearchToolBar.SettingsPlugin.1

MyWebSearch: Root class (Registry key, fixed)
HKEY_CLASSES_ROOT\MyWebSearchToolBar.SettingsPlugin

MyWebSearch: Root class (Registry key, fixing failed)
HKEY_CLASSES_ROOT\MyWebSearch.OutlookAddin.1

MyWebSearch: Root class (Registry key, fixing failed)
HKEY_CLASSES_ROOT\MyWebSearch.OutlookAddin

MyWebSearch: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\MyWebSearch

MyWebSearch: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin

MyWebSearch: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin

MyWebSearch: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}

MyWebSearch: Type library (Registry key, fixed)
HKEY_CLASSES_ROOT\TypeLib\{07B18EA0-A523-4961-B6BB-170DE4475CCA}

MyWebSearch: Type library (Registry key, fixing failed)
HKEY_CLASSES_ROOT\TypeLib\{F42228FB-E84E-479E-B922-FBBD096E792C}

MyWebSearch: Type library (Registry key, fixing failed)
HKEY_CLASSES_ROOT\TypeLib\{E47CAEE0-DEEA-464A-9326-3F2801535A4D}

MyWebSearch: Type library (Registry key, fixing failed)
HKEY_CLASSES_ROOT\TypeLib\{ADB01E80-3C79-4272-A0F1-7B2BE7A782DC}

MyWebSearch: Type library (Registry key, fixing failed)
HKEY_CLASSES_ROOT\TypeLib\{8E6F1830-9607-4440-8530-13BE7C4B1D14}

MyWebSearch: Type library (Registry key, fixing failed)
HKEY_CLASSES_ROOT\TypeLib\{7473D290-B7BB-4F24-AE82-7E2CE94BB6A9}

MyWebSearch: Type library (Registry key, fixing failed)
HKEY_CLASSES_ROOT\TypeLib\{29D67D3C-509A-4544-903F-C8C1B8236554}

MyWebSearch: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall

TIBS: Executable (File, fixed)
C:\Program Files\WebSiteViewer\126099.exe

TIBS: Program directory (Directory, fixed)
C:\Program Files\WebSiteViewer\

TIBS: User settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-4131216973-3906284807-1653038694-1005\Software\WebSiteViewer


--- Spybot - Search && Destroy version: 1.3 ---
2005-03-03 Includes\Cookies.sbi
2005-03-16 Includes\Dialer.sbi
2005-03-17 Includes\Hijackers.sbi
2005-03-17 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-03-16 Includes\Malware.sbi
2005-03-17 Includes\PUPS.sbi
2005-03-17 Includes\Revision.sbi
2005-02-09 Includes\Security.sbi
2005-03-17 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-03-16 Includes\Trojans.sbi
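The "fixes" report above is long, and the entries that matter most are the ones marked "fixing failed", since those keys are still on the machine after Spybot ran. The following script is an added example, not something from this thread or from Spybot itself: it reads a report in the layout shown above (one finding per blank-separated block, a header line followed by the key or file it refers to, if any), counts fixed versus failed per malware family, and lists the leftovers. The sample text is a constructed excerpt copied from the posted report; the layout assumptions are mine.

```python
import re
from collections import defaultdict

# Constructed excerpt: a few entries copied from the Spybot S&D 1.3 "fixes"
# report posted above, in the layout Spybot writes (one entry per
# blank-separated block: a header line, then the key or file it refers to).
SAMPLE_REPORT = r"""
--- Report generated: 2005-03-31 23:21 ---

Startpage-EH: Bookmark (Internet Explorer: Robert) (Bookmark, fixed)


Haxdoor-H: Library (File, fixed)
C:\WINDOWS\SYSTEM32\klogini.dll

Haxdoor-H: Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StackSize

MyWebSearch: Root class (Registry key, fixing failed)
HKEY_CLASSES_ROOT\MyWebSearch.OutlookAddin

MyWebSearch: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin

MyWebSearch: Program directory (Directory, fixed)
C:\Program Files\MyWebSearch\

TIBS: Executable (File, fixed)
C:\Program Files\WebSiteViewer\126099.exe


--- Spybot - Search && Destroy version: 1.3 ---
2005-03-17 Includes\Hijackers.sbi
"""

# Header line of a finding: "<family>: <item> (<kind>, fixed|fixing failed)".
# The item may itself contain parentheses, so the kind/status group is
# anchored at the end of the line.
ENTRY_RE = re.compile(
    r"^(?P<family>[^:]+): (?P<item>.+) \((?P<kind>[^,()]+), (?P<status>fixed|fixing failed)\)$"
)
# Definition-file list at the bottom of the report, e.g. "2005-03-17 Includes\Hijackers.sbi".
INCLUDE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} Includes\\")


def parse_fix_report(text):
    """Return one dict per finding: family, item, kind, status, location."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---") or INCLUDE_RE.match(line):
            continue  # header, footer and the definition-file list carry no findings
        m = ENTRY_RE.match(line)
        if m:
            current = dict(m.groupdict(), location=None)
            entries.append(current)
        elif current is not None and current["location"] is None:
            current["location"] = line  # the registry key or file the finding refers to
    return entries


def summarize(entries):
    """Per-family fixed / failed counts, plus the leftovers needing manual follow-up."""
    counts = defaultdict(lambda: {"fixed": 0, "fixing failed": 0})
    for e in entries:
        counts[e["family"]][e["status"]] += 1
    leftovers = [e for e in entries if e["status"] == "fixing failed"]
    return dict(counts), leftovers


if __name__ == "__main__":
    found = parse_fix_report(SAMPLE_REPORT)
    counts, leftovers = summarize(found)
    for family, c in sorted(counts.items()):
        print(f"{family:<14} fixed={c['fixed']}  failed={c['fixing failed']}")
    print("\nStill present after the fix run:")
    for e in leftovers:
        print(f"  {e['family']}: {e['item']} -> {e['location']}")
```

Run against the full report in the post, the leftover list is exactly the set of Office add-in and TypeLib keys that a helper would ask the poster to deal with by hand, which is the kind of cross-check TeMerc does in the next reply.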
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.

PostPosted: Sun Apr 03, 2005 6:04 pm    Post subject:

OK, thanks for all of that.

Based on what the Spybot log says, it didn't do much in removal of the Slimshield files, as there was only one found which remotely resembled the characteristics of the Slimshield infectors.

Please search for them manually, so we can be sure. Below are the criteria we have found.

You need to do a search for files by date created; they should all be at the bottom of the list. All files will be 3 letters in name, and always the first letter a capital. The exe files are 7.5kb in size.

Look in system32 and windows folders.

Be sure and check the properties of each file, as there are many legit MS files.

There will also be some html files located in the windows folder as well, they can also be deleted.

Size will be 2-3 kb.

If needed:
DESKTOP HIJACK
Go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security" or similar. Select that entry and click the "Delete" button. Click OK then Apply and OK. That should get rid of it.

Once you have searched for all the files, and think they have been deleted, post a new HJT log and we will see what's left over if anything.
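The criteria in the reply above (three-letter name, first letter capital, dropped straight into the Windows or system32 folder, plus the winupdate entries in the Startup folder) can be applied to the O4 lines of the HijackThis log before anyone touches the disk. The script below is an added example, not code from the thread or from HijackThis: it pulls the executable out of each O4 Run entry, flags the ones matching that naming pattern, and separately flags the Startup-folder winupdate files. The sample lines are a constructed mix copied from the first log above; the 7.5 KB size check is deliberately left to the manual properties check, since it needs the file itself.

```python
import re

# Constructed sample: a handful of O4 lines copied from the HijackThis log
# above, mixed with legitimate entries so the filter has something to reject.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Nvt] C:\WINDOWS\system32\Mpp.exe
O4 - HKLM\..\Run: [Hem] C:\WINDOWS\system32\Ial.exe
O4 - HKLM\..\Run: [Vqv] C:\WINDOWS\Jia.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Hem] C:\WINDOWS\system32\Ial.exe
O4 - HKCU\..\Run: [Khi] C:\WINDOWS\Vmq.exe
O4 - Startup: winupdate24050110[1].exe
O4 - Startup: winupdate57930411[1].exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<file>.+)$")
# First token ending in .exe, with a leading quote stripped; arguments are ignored.
IMAGE_RE = re.compile(r'^"?(?P<img>.+?\.exe)', re.IGNORECASE)

# TeMerc's criteria: three-letter name, first letter capital, placed directly in
# the Windows or system32 folder. The 7.5 KB size check needs the file itself.
SLIMSHIELD_NAME = re.compile(r"^[A-Z][a-z]{2}\.exe$")
SLIMSHIELD_DIRS = {r"c:\windows", r"c:\windows\system32"}
WINUPDATE_RE = re.compile(r"^winupdate\d+\[1\]\.exe$", re.IGNORECASE)


def image_path(cmd):
    """Return the executable part of an O4 command line, quotes and arguments removed."""
    m = IMAGE_RE.match(cmd)
    return m.group("img") if m else cmd


def is_slimshield_style(image):
    """True when the path is <Windows or system32>\\Xyz.exe; bare names never match."""
    folder, _, fname = image.rpartition("\\")
    return folder.lower() in SLIMSHIELD_DIRS and SLIMSHIELD_NAME.match(fname) is not None


def triage(log_text):
    """Split O4 entries into those worth a manual look and the rest."""
    run_suspects, startup_suspects, run_total = [], [], 0
    for line in log_text.strip().splitlines():
        m = RUN_RE.match(line)
        if m:
            run_total += 1
            img = image_path(m.group("cmd"))
            if is_slimshield_style(img):
                run_suspects.append((m.group("hive"), m.group("name"), img))
            continue
        m = STARTUP_RE.match(line)
        if m and WINUPDATE_RE.match(m.group("file")):
            startup_suspects.append(m.group("file"))
    return {
        "run_total": run_total,
        "run_suspects": run_suspects,
        # unique on-disk paths whose properties and size should be checked before deletion
        "images": sorted({img for _, _, img in run_suspects}),
        "startup_suspects": startup_suspects,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_HJT)
    print(f"{len(result['run_suspects'])} of {result['run_total']} Run entries match the pattern")
    for hive, name, img in result["run_suspects"]:
        print(f"  {hive:<4} [{name}] {img}")
    print("Startup folder entries to remove:", ", ".join(result["startup_suspects"]))
```

The same entry often appears under both HKLM and HKCU (Hem/Ial.exe in the sample), which is why the result carries both the per-hive list, for ticking items in HijackThis, and a deduplicated path list, for the properties check on disk.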
SiO2MAN
Junior Member


Joined: 02 Apr 2005
Last Visit: 10 Apr 2005
Posts: 16

PostPosted: Sun Apr 03, 2005 10:50 pm    Post subject:

I deleted all the files in both folders. There were 3 files in the Windows folder that were created at the same time and that matched the file size of the others, but their naming was different, Hun.exe.bak, popup.html, and desktop.html.

Just in case this has anything to do with this, when I run NAV, I get a warning about 5 possible adware files but NAV doesn't delete or fix them. The name of the adware is Adware:Iefeats, and the 5 files are C:/m00.exe.js, C:/Windows/winyd.exe and xozyk.dll and C:/Windows/System32/javazf.exe and shsha32.exe. I ran Norton's removal tool and it says there are no files to remove even though I can clearly see they're there.

Finally, I can't get control of my desktop back. There is no "Security" entry, just "My Current Home Page".

Anyway, here is the hijackthis log, thanks:

Logfile of HijackThis v1.99.1
Scan saved at 2:37:06 AM, on 4/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Nvt] C:\WINDOWS\system32\Mpp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Hes] C:\WINDOWS\System32\Mop.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Hem] C:\WINDOWS\system32\Ial.exe
O4 - HKCU\..\Run: [Anv] C:\WINDOWS\system32\Jkt.exe
O4 - HKCU\..\Run: [Khi] C:\WINDOWS\Vmq.exe
O4 - HKCU\..\Run: [Hli] C:\WINDOWS\Her.exe
O4 - HKCU\..\Run: [Ktm] C:\WINDOWS\system32\Ubh.exe
O4 - HKCU\..\Run: [Mav] C:\WINDOWS\Trd.exe
O4 - HKCU\..\Run: [Pla] C:\WINDOWS\Vvq.exe
O4 - HKCU\..\Run: [Jio] C:\WINDOWS\Bjg.exe
O4 - HKCU\..\Run: [Dsi] C:\WINDOWS\system32\Bie.exe
O4 - HKCU\..\Run: [Avs] C:\WINDOWS\system32\Emv.exe
O4 - HKCU\..\Run: [Rpj] C:\WINDOWS\Unt.exe
O4 - HKCU\..\Run: [Oku] C:\WINDOWS\Moo.exe
O4 - HKCU\..\Run: [Esb] C:\WINDOWS\system32\Npf.exe
O4 - HKCU\..\Run: [Hro] C:\WINDOWS\Rqn.exe
O4 - HKCU\..\Run: [Pdc] C:\WINDOWS\Qfg.exe
O4 - HKCU\..\Run: [Flc] C:\WINDOWS\Cql.exe
O4 - HKCU\..\Run: [Nmt] C:\WINDOWS\system32\Ghv.exe
O4 - HKCU\..\Run: [Ans] C:\WINDOWS\system32\Tvg.exe
O4 - HKCU\..\Run: [Lvb] C:\WINDOWS\system32\Fpk.exe
O4 - HKCU\..\Run: [Qns] C:\WINDOWS\Uiq.exe
O4 - HKCU\..\Run: [Rjp] C:\WINDOWS\Uop.exe
O4 - HKCU\..\Run: [Lqp] C:\WINDOWS\Vbe.exe
O4 - HKCU\..\Run: [Emf] C:\WINDOWS\Ohs.exe
O4 - HKCU\..\Run: [Nrk] C:\WINDOWS\Vna.exe
O4 - HKCU\..\Run: [Njl] C:\WINDOWS\system32\Nqh.exe
O4 - HKCU\..\Run: [Hea] C:\WINDOWS\Fse.exe
O4 - HKCU\..\Run: [Klu] C:\WINDOWS\Ote.exe
O4 - HKCU\..\Run: [Prn] C:\WINDOWS\system32\Ubn.exe
O4 - HKCU\..\Run: [Qnc] C:\WINDOWS\system32\Bku.exe
O4 - HKCU\..\Run: [Olk] C:\WINDOWS\Tfi.exe
O4 - HKCU\..\Run: [Qmd] C:\WINDOWS\Nuv.exe
O4 - HKCU\..\Run: [Ahg] C:\WINDOWS\system32\Urg.exe
O4 - HKCU\..\Run: [Ctu] C:\WINDOWS\Sau.exe
O4 - HKCU\..\Run: [Vup] C:\WINDOWS\system32\Pct.exe
O4 - HKCU\..\Run: [Cfm] C:\WINDOWS\Tpi.exe
O4 - HKCU\..\Run: [Nli] C:\WINDOWS\Vgv.exe
O4 - HKCU\..\Run: [Fif] C:\WINDOWS\Gjg.exe
O4 - HKCU\..\Run: [Pqq] C:\WINDOWS\system32\Ufr.exe
O4 - HKCU\..\Run: [Jmg] C:\WINDOWS\system32\Eqr.exe
O4 - HKCU\..\Run: [Bmg] C:\WINDOWS\Mgo.exe
O4 - HKCU\..\Run: [Srh] C:\WINDOWS\Ifm.exe
O4 - HKCU\..\Run: [Gca] C:\WINDOWS\system32\Htb.exe
O4 - HKCU\..\Run: [Nol] C:\WINDOWS\system32\Die.exe
O4 - HKCU\..\Run: [Hgf] C:\WINDOWS\system32\Nuv.exe
O4 - HKCU\..\Run: [Pjg] C:\WINDOWS\System32\Jlk.exe
O4 - HKCU\..\Run: [Uen] C:\WINDOWS\System32\Nvh.exe
O4 - HKCU\..\Run: [Pgo] C:\WINDOWS\Qdo.exe
O4 - HKCU\..\Run: [Haq] C:\WINDOWS\Rfu.exe
O4 - HKCU\..\Run: [The] C:\WINDOWS\System32\Mfs.exe
O4 - HKCU\..\Run: [Rin] C:\WINDOWS\Doh.exe
O4 - HKCU\..\Run: [Fka] C:\WINDOWS\System32\Eff.exe
O4 - HKCU\..\Run: [Oec] C:\WINDOWS\Ltb.exe
O4 - HKCU\..\Run: [Ldt] C:\WINDOWS\System32\Kur.exe
O4 - HKCU\..\Run: [Frf] C:\WINDOWS\Rak.exe
O4 - HKCU\..\Run: [Fll] C:\WINDOWS\Srf.exe
O4 - HKCU\..\Run: [Ffh] C:\WINDOWS\System32\Hfd.exe
O4 - HKCU\..\Run: [Dtr] C:\WINDOWS\Imc.exe
O4 - HKCU\..\Run: [Uvn] C:\WINDOWS\Lcs.exe
O4 - HKCU\..\Run: [Gnq] C:\WINDOWS\System32\Hcp.exe
O4 - HKCU\..\Run: [Bgf] C:\WINDOWS\System32\Ddo.exe
O4 - HKCU\..\Run: [Bqq] C:\WINDOWS\Hef.exe
O4 - HKCU\..\Run: [Gfq] C:\WINDOWS\System32\Dtg.exe
O4 - HKCU\..\Run: [Cvj] C:\WINDOWS\System32\Jdr.exe
O4 - HKCU\..\Run: [Ebd] C:\WINDOWS\Bqk.exe
O4 - HKCU\..\Run: [Bku] C:\WINDOWS\Sdr.exe
O4 - HKCU\..\Run: [Rdl] C:\WINDOWS\Jbi.exe
O4 - HKCU\..\Run: [Euo] C:\WINDOWS\Bof.exe
O4 - HKCU\..\Run: [Ulp] C:\WINDOWS\Ibk.exe
O4 - HKCU\..\Run: [Nut] C:\WINDOWS\Aaa.exe
O4 - HKCU\..\Run: [Klo] C:\WINDOWS\Rbs.exe
O4 - HKCU\..\Run: [Vrt] C:\WINDOWS\Naf.exe
O4 - HKCU\..\Run: [Olu] C:\WINDOWS\System32\Qnj.exe
O4 - HKCU\..\Run: [Smh] C:\WINDOWS\Kul.exe
O4 - HKCU\..\Run: [Mln] C:\WINDOWS\Soh.exe
O4 - HKCU\..\Run: [Uml] C:\WINDOWS\System32\Avp.exe
O4 - HKCU\..\Run: [Bdb] C:\WINDOWS\System32\Usm.exe
O4 - HKCU\..\Run: [Ihh] C:\WINDOWS\Mgs.exe
O4 - HKCU\..\Run: [Bpd] C:\WINDOWS\Mau.exe
O4 - HKCU\..\Run: [Aeg] C:\WINDOWS\System32\Bro.exe
O4 - HKCU\..\Run: [Fmf] C:\WINDOWS\Ose.exe
O4 - HKCU\..\Run: [Nap] C:\WINDOWS\System32\Fdn.exe
O4 - HKCU\..\Run: [Hrg] C:\WINDOWS\System32\Mvi.exe
O4 - HKCU\..\Run: [Jpl] C:\WINDOWS\System32\Mmt.exe
O4 - HKCU\..\Run: [Mnd] C:\WINDOWS\System32\Bcl.exe
O4 - HKCU\..\Run: [Cba] C:\WINDOWS\System32\Ggu.exe
O4 - HKCU\..\Run: [Hes] C:\WINDOWS\System32\Mop.exe
O4 - Startup: winupdate24050110[1].exe
O4 - Startup: winupdate57930411[1].exe
O4 - Startup: winupdate64981149[1].exe
O4 - Startup: winupdate71993161[1].exe
O4 - Startup: winupdate90290137[1].exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5EFF8B09-B211-42B7-805E-C4670BF8C830} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
TeMerc
Warrior Obsessed

PostPosted: Mon Apr 04, 2005 8:43 am

Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

Can you please snag one of those files you deleted and send them to:
Blender AT Spywarewarrior DOT com

The desktop hijack part of that infection seems to have been tweaked, and we would like to examine it. Thanks.

Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button with HijackThis. When you are doing this, make sure you have no IE windows, or other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [Nvt] C:\WINDOWS\system32\Mpp.exe
O4 - HKLM\..\Run: [Hes] C:\WINDOWS\System32\Mop.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Hem] C:\WINDOWS\system32\Ial.exe
O4 - HKCU\..\Run: [Anv] C:\WINDOWS\system32\Jkt.exe
O4 - HKCU\..\Run: [Khi] C:\WINDOWS\Vmq.exe
O4 - HKCU\..\Run: [Hli] C:\WINDOWS\Her.exe
O4 - HKCU\..\Run: [Ktm] C:\WINDOWS\system32\Ubh.exe
O4 - HKCU\..\Run: [Mav] C:\WINDOWS\Trd.exe
O4 - HKCU\..\Run: [Pla] C:\WINDOWS\Vvq.exe
O4 - HKCU\..\Run: [Jio] C:\WINDOWS\Bjg.exe
O4 - HKCU\..\Run: [Dsi] C:\WINDOWS\system32\Bie.exe
O4 - HKCU\..\Run: [Avs] C:\WINDOWS\system32\Emv.exe
O4 - HKCU\..\Run: [Rpj] C:\WINDOWS\Unt.exe
O4 - HKCU\..\Run: [Oku] C:\WINDOWS\Moo.exe
O4 - HKCU\..\Run: [Esb] C:\WINDOWS\system32\Npf.exe
O4 - HKCU\..\Run: [Hro] C:\WINDOWS\Rqn.exe
O4 - HKCU\..\Run: [Pdc] C:\WINDOWS\Qfg.exe
O4 - HKCU\..\Run: [Flc] C:\WINDOWS\Cql.exe
O4 - HKCU\..\Run: [Nmt] C:\WINDOWS\system32\Ghv.exe
O4 - HKCU\..\Run: [Ans] C:\WINDOWS\system32\Tvg.exe
O4 - HKCU\..\Run: [Lvb] C:\WINDOWS\system32\Fpk.exe
O4 - HKCU\..\Run: [Qns] C:\WINDOWS\Uiq.exe
O4 - HKCU\..\Run: [Rjp] C:\WINDOWS\Uop.exe
O4 - HKCU\..\Run: [Lqp] C:\WINDOWS\Vbe.exe
O4 - HKCU\..\Run: [Emf] C:\WINDOWS\Ohs.exe
O4 - HKCU\..\Run: [Nrk] C:\WINDOWS\Vna.exe
O4 - HKCU\..\Run: [Njl] C:\WINDOWS\system32\Nqh.exe
O4 - HKCU\..\Run: [Hea] C:\WINDOWS\Fse.exe
O4 - HKCU\..\Run: [Klu] C:\WINDOWS\Ote.exe
O4 - HKCU\..\Run: [Prn] C:\WINDOWS\system32\Ubn.exe
O4 - HKCU\..\Run: [Qnc] C:\WINDOWS\system32\Bku.exe
O4 - HKCU\..\Run: [Olk] C:\WINDOWS\Tfi.exe
O4 - HKCU\..\Run: [Qmd] C:\WINDOWS\Nuv.exe
O4 - HKCU\..\Run: [Ahg] C:\WINDOWS\system32\Urg.exe
O4 - HKCU\..\Run: [Ctu] C:\WINDOWS\Sau.exe
O4 - HKCU\..\Run: [Vup] C:\WINDOWS\system32\Pct.exe
O4 - HKCU\..\Run: [Cfm] C:\WINDOWS\Tpi.exe
O4 - HKCU\..\Run: [Nli] C:\WINDOWS\Vgv.exe
O4 - HKCU\..\Run: [Fif] C:\WINDOWS\Gjg.exe
O4 - HKCU\..\Run: [Pqq] C:\WINDOWS\system32\Ufr.exe
O4 - HKCU\..\Run: [Jmg] C:\WINDOWS\system32\Eqr.exe
O4 - HKCU\..\Run: [Bmg] C:\WINDOWS\Mgo.exe
O4 - HKCU\..\Run: [Srh] C:\WINDOWS\Ifm.exe
O4 - HKCU\..\Run: [Gca] C:\WINDOWS\system32\Htb.exe
O4 - HKCU\..\Run: [Nol] C:\WINDOWS\system32\Die.exe
O4 - HKCU\..\Run: [Hgf] C:\WINDOWS\system32\Nuv.exe
O4 - HKCU\..\Run: [Pjg] C:\WINDOWS\System32\Jlk.exe
O4 - HKCU\..\Run: [Uen] C:\WINDOWS\System32\Nvh.exe
O4 - HKCU\..\Run: [Pgo] C:\WINDOWS\Qdo.exe
O4 - HKCU\..\Run: [Haq] C:\WINDOWS\Rfu.exe
O4 - HKCU\..\Run: [The] C:\WINDOWS\System32\Mfs.exe
O4 - HKCU\..\Run: [Rin] C:\WINDOWS\Doh.exe
O4 - HKCU\..\Run: [Fka] C:\WINDOWS\System32\Eff.exe
O4 - HKCU\..\Run: [Oec] C:\WINDOWS\Ltb.exe
O4 - HKCU\..\Run: [Ldt] C:\WINDOWS\System32\Kur.exe
O4 - HKCU\..\Run: [Frf] C:\WINDOWS\Rak.exe
O4 - HKCU\..\Run: [Fll] C:\WINDOWS\Srf.exe
O4 - HKCU\..\Run: [Ffh] C:\WINDOWS\System32\Hfd.exe
O4 - HKCU\..\Run: [Dtr] C:\WINDOWS\Imc.exe
O4 - HKCU\..\Run: [Uvn] C:\WINDOWS\Lcs.exe
O4 - HKCU\..\Run: [Gnq] C:\WINDOWS\System32\Hcp.exe
O4 - HKCU\..\Run: [Bgf] C:\WINDOWS\System32\Ddo.exe
O4 - HKCU\..\Run: [Bqq] C:\WINDOWS\Hef.exe
O4 - HKCU\..\Run: [Gfq] C:\WINDOWS\System32\Dtg.exe
O4 - HKCU\..\Run: [Cvj] C:\WINDOWS\System32\Jdr.exe
O4 - HKCU\..\Run: [Ebd] C:\WINDOWS\Bqk.exe
O4 - HKCU\..\Run: [Bku] C:\WINDOWS\Sdr.exe
O4 - HKCU\..\Run: [Rdl] C:\WINDOWS\Jbi.exe
O4 - HKCU\..\Run: [Euo] C:\WINDOWS\Bof.exe
O4 - HKCU\..\Run: [Ulp] C:\WINDOWS\Ibk.exe
O4 - HKCU\..\Run: [Nut] C:\WINDOWS\Aaa.exe
O4 - HKCU\..\Run: [Klo] C:\WINDOWS\Rbs.exe
O4 - HKCU\..\Run: [Vrt] C:\WINDOWS\Naf.exe
O4 - HKCU\..\Run: [Olu] C:\WINDOWS\System32\Qnj.exe
O4 - HKCU\..\Run: [Smh] C:\WINDOWS\Kul.exe
O4 - HKCU\..\Run: [Mln] C:\WINDOWS\Soh.exe
O4 - HKCU\..\Run: [Uml] C:\WINDOWS\System32\Avp.exe
O4 - HKCU\..\Run: [Bdb] C:\WINDOWS\System32\Usm.exe
O4 - HKCU\..\Run: [Ihh] C:\WINDOWS\Mgs.exe
O4 - HKCU\..\Run: [Bpd] C:\WINDOWS\Mau.exe
O4 - HKCU\..\Run: [Aeg] C:\WINDOWS\System32\Bro.exe
O4 - HKCU\..\Run: [Fmf] C:\WINDOWS\Ose.exe
O4 - HKCU\..\Run: [Nap] C:\WINDOWS\System32\Fdn.exe
O4 - HKCU\..\Run: [Hrg] C:\WINDOWS\System32\Mvi.exe
O4 - HKCU\..\Run: [Jpl] C:\WINDOWS\System32\Mmt.exe
O4 - HKCU\..\Run: [Mnd] C:\WINDOWS\System32\Bcl.exe
O4 - HKCU\..\Run: [Cba] C:\WINDOWS\System32\Ggu.exe
O4 - HKCU\..\Run: [Hes] C:\WINDOWS\System32\Mop.exe

O4 - Startup: winupdate24050110[1].exe
O4 - Startup: winupdate57930411[1].exe
O4 - Startup: winupdate64981149[1].exe
O4 - Startup: winupdate71993161[1].exe
O4 - Startup: winupdate90290137[1].exe

Reboot, into safe mode, this way:
Turn on the computer
Immediately begin tapping the <F8> key.
Use the arrow keys to highlight Safe Mode and press the <Enter> key.

Also, enable the 'Show Hidden Folders' option, like this:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

And search for, then delete, if found, (some may not be present after previous steps) the following files/folders:
ALL THE 3 LETTER FILES.
I realise you did this once, but if you miss one, you get reinfected.

winupdate24050110[1].exe <<<--file
winupdate57930411[1].exe <<<--file
winupdate64981149[1].exe <<<--file
winupdate71993161[1].exe <<<--file
winupdate90290137[1].exe <<<--file


To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

Post a new HJT log please.
_________________

Ultimate Countermeasures Page
Calendar Of Updates
Malware Advisor Blog
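A heuristic triage of the O4 entries in the log above, as an added example (not code from this thread, from HijackThis or from Spyware Warrior): it flags the two patterns TeMerc fixed here, the randomly named three-letter executables dropped straight into C:\WINDOWS and System32, and the winupdate########[1].exe items in the Startup folder, then produces the "Fix checked" list and the deduplicated Safe Mode delete list. The sample log is a constructed subset of the one posted, and the patterns are heuristics drawn from this thread, not vendor signatures.

```python
"""Heuristic triage of HijackThis O4 (autorun) entries.

Added example for this thread; it is not code from the thread, from
HijackThis or from Spyware Warrior. The two patterns are taken from the
log TeMerc worked through above and are heuristics, not vendor signatures.
"""
import re
from typing import List, Tuple

# Constructed subset of the log posted in this thread. Benign entries are
# kept in so the heuristic has something it must NOT flag.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Nvt] C:\WINDOWS\system32\Mpp.exe
O4 - HKLM\..\Run: [Hes] C:\WINDOWS\System32\Mop.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Hem] C:\WINDOWS\system32\Ial.exe
O4 - HKCU\..\Run: [Khi] C:\WINDOWS\Vmq.exe
O4 - HKCU\..\Run: [Qmd] C:\WINDOWS\Nuv.exe
O4 - HKCU\..\Run: [Hgf] C:\WINDOWS\system32\Nuv.exe
O4 - HKCU\..\Run: [Hes] C:\WINDOWS\System32\Mop.exe
O4 - Startup: winupdate24050110[1].exe
O4 - Startup: winupdate57930411[1].exe
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
'''

# O4 - HKLM\..\Run: [ValueName] command line
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O4 - Startup: filename   (an item in the user's Startup folder)
O4_STARTUP = re.compile(r"^O4 - Startup: (?P<file>.+)$")
# A bare three-letter .exe sitting directly in C:\WINDOWS or C:\WINDOWS\System32.
# Legitimate autoruns almost never look like this; this infection dropped
# dozens of them (Mpp.exe, Mop.exe, Ial.exe, ...), each under its own random
# three-letter value name.
RANDOM_EXE = re.compile(r"^C:\\WINDOWS\\(?:System32\\)?[A-Za-z]{3}\.exe$", re.IGNORECASE)
# winupdate########[1].exe: a fake "Windows update" name. The [1] suffix is the
# naming Internet Explorer applies to a cached download, a hint that the
# browser fetched these files.
FAKE_UPDATE = re.compile(r"^winupdate\d{8}\[\d+\]\.exe$", re.IGNORECASE)


def executable(cmd: str) -> str:
    """Return the program part of an autorun command line.

    Handles quoted paths, unquoted paths containing spaces (HijackThis does
    not quote them) and trailing arguments such as "/startup".
    """
    cmd = cmd.strip().lstrip('"')
    m = re.search(r"\.exe\b", cmd, re.IGNORECASE)
    return cmd[: m.end()] if m else cmd.split(" ", 1)[0]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) for every O4 entry matching a bad pattern."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RUN.match(line)
        if m:
            exe = executable(m.group("cmd"))
            if RANDOM_EXE.match(exe):
                findings.append((line, f"random three-letter executable {exe} "
                                       f"started from {m.group('hive')} Run"))
            continue
        m = O4_STARTUP.match(line)
        if m and FAKE_UPDATE.match(m.group("file").strip()):
            findings.append((line, "fake Windows update in the Startup folder"))
    return findings


def fix_list(findings: List[Tuple[str, str]]) -> List[str]:
    """The lines to tick in HijackThis before pressing 'Fix checked'."""
    return [line for line, _ in findings]


def files_to_delete(findings: List[Tuple[str, str]]) -> List[str]:
    """Files to remove afterwards in Safe Mode, deduplicated: a file that two
    Run values point at (Mop.exe here) is listed once. Startup items are bare
    names because HijackThis does not print the Startup folder path."""
    paths = set()
    for line, _ in findings:
        m = O4_RUN.match(line)
        if m:
            paths.add(executable(m.group("cmd")))
        else:
            paths.add(O4_STARTUP.match(line).group("file").strip())
    return sorted(paths, key=str.lower)


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("Entries to fix in HijackThis:")
    for line, reason in found:
        print(f"  {line}\n      -> {reason}")
    print("\nFiles to delete in Safe Mode:")
    for path in files_to_delete(found):
        print(f"  {path}")
```

Run against the full log posted above, the same two rules pick out every entry in TeMerc's list except the legitimate ctfmon.exe line and the O3 toolbar entry, which need a human eye.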
SiO2MAN
Junior Member

PostPosted: Mon Apr 04, 2005 3:03 pm

I really appreciate this.

I did all the steps you asked. I tried to send blender 1 of the exe files and 1 of the html files. It looks like Outlook blocked the exe file. Do I need to zip the file or something to get it past Outlook?

When I rebooted in Safe Mode, all the files were gone except the winupdate ones.

Still can't right click on the desktop or in Windows explorer and still can't take back my desktop.

Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:56:38 PM, on 4/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5EFF8B09-B211-42B7-805E-C4670BF8C830} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
TeMerc
Warrior Obsessed

PostPosted: Mon Apr 04, 2005 5:19 pm

Try this for the desktop. It worked on a couple of others. Someone said this might work; it's supposed to replace the desktop and fix what the hijacker did.

http://forums.net-integration.net/index.php?act=Attach&type=post&id=139544

Download it and double click on it and allow it to merge with the registry.

Also do a search for this file and delete it if you find it:

desktop.html

I'll get back to you on the log later, but I wanted to get this fix to you.

And yes, zip that file up to get it thru Outlook.
SiO2MAN
Junior Member

PostPosted: Mon Apr 04, 2005 10:40 pm

I downloaded that program and ran it. I also found and deleted the desktop.html file which was in C:\Windows. I now have control over my desktop and can right click again.

I zipped that file and forwarded it to blender.

I haven't had a popup for awhile and IE hasn't done anything funny like changing my home page or default search engine.

I ran Spybot, AdAware, and MS Antispyware, all clean. Ran NAV and I'm still showing 4 possible adware threats called Adware:Iefeats that NAV won't remove. The removal tool on Symantec's website says there are no Adware:Iefeats files. Should I just tell NAV to ignore these files in future scans or should I manually remove them?

Everything seems to be back to normal except when I reboot, it usually takes 2-3 times. I'm getting a blue screen, "PAGE_FAULT_IN_NONPAGED_AREA". Not sure if it's related, but it didn't start until my spyware problems started.

Should I upgrade to SP2 now?

Thanks for all your help, I think we've just about got it licked.
TeMerc
Warrior Obsessed

PostPosted: Mon Apr 04, 2005 11:05 pm

OK, good work on the file sent to Blender, she will be ecstatic!! LOL

And I am glad the desktop worked too, I have about 4 others who are also trying it.

For the stuff that Norton is finding, please give me the file paths for it, so we can see where it is.

I would not update to XP SP2 just yet, if at all. Let's get all the little bugs worked out first.

Your error comes up as a possible USB problem. Unfortunately, I am not sure I could narrow it down. I need a lot more info. Here is the link I got when I Googled:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2003-52,GGLD:en&q=PAGE%5FFAULT%5FIN%5FNONPAGED%5FAREA+%2B+blue+screen

You may have to try to figure that one out for yourself, sorry.

Let me know about the Norton findings.
SiO2MAN
Junior Member

PostPosted: Tue Apr 05, 2005 7:27 am

Thanks. One thing I discovered, I had to run that registry program signed on to all 3 users on this machine to get the desktop back on each. Not sure if you're supposed to have to do that, but I did.

The file paths are:
C:\Windows\winyd.exe and xozyk.dll
C:\Windows\System32\javazf.exe and sysha32.exe

I updated my graphics card driver and haven't got a blue screen on the last couple reboots.

Thanks again for everything.
TeMerc
Warrior Obsessed

PostPosted: Tue Apr 05, 2005 7:47 am

Those files are all baddies; if you can, delete them manually.

I would also recommend a couple of online av scans too:

Head over to either Trend Micro or Panda ActiveScan and do an online, free, full system scan. Be sure and have the 'Auto Clean' button checked.
Trend Micro
Panda ActiveScan
blender
Site Admin

PostPosted: Tue Apr 05, 2005 12:30 pm

SiO2MAN

Hi; TeMerc gave you the wrong address for email. Possibly you still have that file in your 'Sent Items' folder... If you don't... that's OK... there is enough of this infection running around that I should be able to find it.
If you want to attempt to send again... my addy:

blendersww (AT) spywarewarrior (dot) com

Thanks!

Not butting in... carry on, guys.
_________________
Never give up!
Former Microsoft MVP Windows-Security 2005-2009

If we have helped you please consider a donation Thank You
SiO2MAN
Junior Member

PostPosted: Tue Apr 05, 2005 9:33 pm

I deleted those Adware:Iefeats files manually and ran the Trend Micro and Panda scans. And in case Blender doesn't catch this, please let her know that I've deleted all those files and my Sent and Deleted Items folders in Outlook. Sorry. Doesn't look like there's any shortage of these files out there. :(

The first time around Trend Micro found a bunch of files, some of which it cleaned, others it let me delete. There was a handful of files with similar file paths that it wouldn't let me delete because it said they were currently in use.

Then I ran the Panda scan and noticed that it had disinfected all but 1 of the files with similar file paths to the files Trend Micro wouldn't let me delete. I ran Trend Micro again and the only file that turned up was the one that Panda didn't disinfect. Makes sense I guess, Panda worked. The 1 file that still remains of that group is:

C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-762d722b-3b515221.class

You'll see this file and the other files with similar file paths at the top of the log from the Panda scan below. There were some other files in the Panda scan that were not disinfected too. Here is the log from the Panda scan:

Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-762d722b-3b515221.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-13e49ae9-7eb1b332.RB0[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-586bddde-3389beb1.RB0[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3f83cedc-50c06066.RB0[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loader.jar-7ea0a617-6290a4b8.RB0[Dummy.class]
Virus:Trj/Shinwow.C Disinfected C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loader.jar-7ea0a617-6290a4b8.RB0[Matrix.class]
Virus:Trj/Shinwow.C Disinfected C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loader.jar-7ea0a617-6290a4b8.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv78.jar-17437693-1734fb87.zip[Dummy.class]
Virus:Trj/Shinwow.E Disinfected C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv78.jar-17437693-1734fb87.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv89.jar-190666b1-5f1cf94c.zip[Dummy.class]
Virus:Trj/Shinwow.E Disinfected C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv89.jar-190666b1-5f1cf94c.zip[Matrix.class]
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\a.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\b.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\ba.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\bb.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\bc.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\bd.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\be.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\bf.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\bg.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\bh.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\bk.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\bm.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\bn.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\bo.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\bp.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\bq.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\br.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\bs.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\bt.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\bu.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\bv.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\bw.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\bx.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\by.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\bz.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\c.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\ca.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\cb.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\cc.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\cd.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\ce.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\cf.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\ch.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\ck.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\cl.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\cn.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\cp.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\cq.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\cr.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\cs.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\ct.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\cu.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\cv.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\cx.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\cz.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\d.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\da.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\db.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\dc.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\dd.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\de.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\df.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\di.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\dl.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\dn.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\dp.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\dr.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\ds.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\dt.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\du.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\dv.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\dw.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\dy.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\dz.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\ed.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\f.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\h.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\i.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\j.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\l.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\m.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\n.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\p.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\q.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\r.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\s.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\t.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\u.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\w.class
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\x.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\y.class
Virus:Bck/Haxdoor.BC Disinfected C:\WINDOWS\SYSTEM32\drct16.dll
Adware:Adware/BHO No disinfected C:\WINDOWS\SYSTEM32\dsmanager.dll
Adware:Adware/FunWeb No disinfected C:\WINDOWS\SYSTEM32\f3pssavr.scr
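As an added example (not part of the original thread, and not Panda's code): a small Python parser for the ActiveScan log format pasted above. It reads the Incident / Status / Location lines, separates a class found inside a JAR or ZIP from the container file that actually has to be removed, groups what the scanner left behind by folder, and counts how much of the leftover sits in the Java deployment cache (where clearing the plug-in cache is the cleaner fix than deleting files one at a time). The sample log is a constructed subset of the lines in the post; the regex, grouping rules and function names are this example's own.

```python
"""Triage a Panda ActiveScan incident log (added example, not Panda's code)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the log posted above.
SAMPLE_LOG = r"""Incident Status Location

Adware:Adware/CWS No disinfected C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-762d722b-3b515221.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-13e49ae9-7eb1b332.RB0[Gummy.class]
Virus:Trj/Shinwow.C Disinfected C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loader.jar-7ea0a617-6290a4b8.zip[Matrix.class]
Adware:Adware/TopMoxie No disinfected C:\Program Files\UpromiseRemindU\System\Code\a.class
Adware:Adware/MoeMoney No disinfected C:\Program Files\UpromiseRemindU\System\Code\be.class
Virus:Bck/Haxdoor.BC Disinfected C:\WINDOWS\SYSTEM32\drct16.dll
Adware:Adware/BHO No disinfected C:\WINDOWS\SYSTEM32\dsmanager.dll
Adware:Adware/FunWeb No disinfected C:\WINDOWS\SYSTEM32\f3pssavr.scr
"""

# One incident per line: "<kind>:<name> <status> <location>". Panda writes the
# status as "Disinfected" or "No disinfected" (sic).
LINE_RE = re.compile(
    r"^(?P<kind>[A-Za-z]+):(?P<name>\S+)\s+"
    r"(?P<status>Disinfected|No disinfected)\s+"
    r"(?P<location>.+?)\s*$"
)
# Path fragment of the Sun Java plug-in deployment cache (from the log above).
JAVA_CACHE_MARKER = "\\Sun\\Java\\Deployment\\cache\\"


def parse_panda_log(text):
    """Return one dict per incident line; the header and blank lines are skipped."""
    incidents = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # "archive.jar-...zip[Dummy.class]" is a member inside an archive; the
        # file on disk that has to go is the container, not the member.
        container, _, member = rec["location"].partition("[")
        rec["container"] = container
        rec["member"] = member.rstrip("]") or None
        rec["remaining"] = rec["status"] != "Disinfected"
        rec["in_java_cache"] = JAVA_CACHE_MARKER in container
        incidents.append(rec)
    return incidents


def leftovers_by_folder(incidents):
    """Group files the scanner could not clean by parent folder, so each folder
    can be handled once (uninstall, delete the folder, or clear a cache)."""
    groups = defaultdict(list)
    for rec in incidents:
        if rec["remaining"]:
            folder, _, fname = rec["container"].rpartition("\\")
            groups[folder].append(fname)
    return dict(groups)


def summarize(incidents):
    """The counts a helper wants before writing manual removal instructions."""
    return {
        "total": len(incidents),
        "disinfected": sum(not r["remaining"] for r in incidents),
        "remaining": sum(r["remaining"] for r in incidents),
        # Leftovers in the Java plug-in cache: clear the cache from the Java
        # control panel instead of chasing locked files one by one.
        "java_cache_remaining": sum(
            r["remaining"] and r["in_java_cache"] for r in incidents
        ),
    }


if __name__ == "__main__":
    inc = parse_panda_log(SAMPLE_LOG)
    print(summarize(inc))
    for folder, files in leftovers_by_folder(inc).items():
        print(folder, "->", ", ".join(files))
```

On the sample, the three leftover folders are the Java cache, the UpromiseRemindU code folder and SYSTEM32, which is exactly the split the next reply acts on: an uninstall, a folder delete and three single-file deletes.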
TeMerc
Warrior Obsessed

PostPosted: Tue Apr 05, 2005 10:43 pm

OK, let's try and remove some of the baddies.

Please go to Add/Remove, and if found, uninstall the following:
upromiseremindu

Then, search for and delete the following files\folders:
C:\WINDOWS\SYSTEM32\drct16.dll <<<--file
C:\WINDOWS\SYSTEM32\dsmanager.dll <<<--file
C:\WINDOWS\SYSTEM32\f3pssavr.scr<<<--file
C:\Program Files\UpromiseRemindU<<<<---folder

Also, just in case run this tool:
  • First, download HSFix from here

  • After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.

  • Reboot into 'Safe Mode'.

  • Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"

  • A log will be produced which you can find at C:/hslog.txt, post it please

SiO2MAN
Junior Member

PostPosted: Wed Apr 06, 2005 6:33 pm

Here's where we are:

*Couldn't remove upromiseremindu using Add/Remove Programs. It's there, but when I click on it I get a window titled "Java Virtual Machine Launcher" with the message "Could not find the main class. Program will exit."

*I removed the 4 files/folders.

*Ran HSFix in Safe Mode. Here's the log:

Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
WINLOW
[SC] DeleteService SUCCESS
vdmt16
[SC] DeleteService SUCCESS
-
3. Finding files Located on system
-
p2.ini
vdmt16.sys
winlow.sys
drct16.dll
cz.dll
w32tm.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

I tried Add/Remove Programs for upromiseremindu in Safe Mode too and got the same message.

In case I haven't told you in awhile, thanks.
SiO2MAN
Junior Member

PostPosted: Wed Apr 06, 2005 6:52 pm

One more thing please. I have desktop.ini files all over the place, including on my desktop. Most of these appear "lightly shaded".
But when I do a search for desktop.ini, only 3 files and 1 folder turn up. One of the files is in the Windows folder, another in the System32 folder, another at C:\Program Files\Microsoft Office\OFFICE11\1033\DataServices, and the folder, which has 2 files in it, file type "file", named 122_5228a39de_ and 62_57a5f56b7_, is at C:\Program Files\support.com\backup\De.

This wasn't on my desktop before this started.
TeMerc
Warrior Obsessed

PostPosted: Wed Apr 06, 2005 7:03 pm

OK, the Java error is obviously related to Java, but I have not found anything that addresses it specifically in Add\Remove. Had you ever gotten this error before?

The files on your desktop are there due to the fact that we changed to ' show all files & folders', you can change that back, but please wait until we are finished.

Please run the HSFix tool in safe mode. Post that log, with one last HJT log.
SiO2MAN
Junior Member

PostPosted: Wed Apr 06, 2005 7:28 pm

No, I don't recall ever seeing that error before.

HSFix log:

Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 11:21:54 PM, on 4/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5EFF8B09-B211-42B7-805E-C4670BF8C830} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
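As an added example (not part of the original thread, and not HijackThis' own code): a Python triage pass over a HijackThis 1.99.1 log like the one above. It parses the R/O entry lines and applies the checks a helper does by eye: lines that mention a file name identified as malicious earlier in this thread, "(file missing)" leftovers, O4 Run commands whose executable (or, for rundll32/regsvr32, the module handed to it) has no directory, so Windows resolves the name through its search path and the log alone does not say which file runs, and O16 ActiveX downloads from hosts outside a small allow-list. It also diffs the HKCU Run entries between two users' logs, which is the per-user leftover the thread comes back to later. The first sample is a subset of lines from the log above; the second user's log, the host allow-list and the `[sysha32]` entry are constructed for the example.

```python
"""Triage a HijackThis 1.99.1 log (added example; not HijackThis' own code)."""
import re
from urllib.parse import urlparse

# File names called out as malicious earlier in this thread (TeMerc's replies,
# the Panda log and the HSFix log). A per-case list, not a general signature set.
KNOWN_BAD = {
    "winyd.exe", "xozyk.dll", "javazf.exe", "sysha32.exe", "javady32.dll",
    "javapf32.dll", "drct16.dll", "dsmanager.dll", "f3pssavr.scr",
    "vdmt16.sys", "winlow.sys",
}
# Constructed allow-list of hosts this machine is expected to pull O16
# (Download Program Files / ActiveX) packages from.
TRUSTED_DPF_HOSTS = {"dell.com", "microsoft.com", "symantec.com",
                     "trendmicro.com", "pandasoftware.com"}
# Host processes whose first non-switch argument is the module really loaded.
HOST_PROCESSES = {"rundll32.exe", "regsvr32.exe"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")

# Constructed sample: a subset of the 4/6/2005 log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {5EFF8B09-B211-42B7-805E-C4670BF8C830} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""
# Constructed second-user log: the [sysha32] entry is hypothetical and only
# reuses a file name the thread already identified as malicious.
SECOND_USER_LOG = r"""Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [sysha32] C:\WINDOWS\System32\sysha32.exe
"""


def parse_hjt(text):
    """Return (section, body) for every R/O entry line; the header is ignored."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m["sec"], m["body"]) for m in matches if m]


def split_command(cmd):
    """Split a Run command into (executable, arguments), honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:end], cmd[end + 1:].strip()) if end > 0 else (cmd[1:], "")
    exe, _, rest = cmd.partition(" ")
    return exe, rest.strip()


def loaded_module(cmd):
    """The file an O4 command really loads: the executable itself, or for
    rundll32/regsvr32 the first non-switch argument (minus any ",EntryPoint")."""
    exe, rest = split_command(cmd)
    if exe.lower().rsplit("\\", 1)[-1] in HOST_PROCESSES:
        for tok in rest.split():
            if not tok.startswith("/"):
                return tok.split(",", 1)[0]
    return exe


def trusted_host(host):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_HOSTS)


def triage(text):
    """Return (rule, section, body) findings; an empty list means nothing flagged."""
    findings = []
    for sec, body in parse_hjt(text):
        if any(bad in body.lower() for bad in KNOWN_BAD):
            findings.append(("known-bad", sec, body))
        if "(file missing)" in body:
            findings.append(("file-missing", sec, body))
        if sec == "O4":
            m = O4_RE.match(body)
            if m and "\\" not in loaded_module(m["cmd"]):
                # No directory: resolved through the search path, so the log
                # alone does not tell you which file actually runs.
                findings.append(("unqualified-path", sec, body))
        if sec == "O16":
            m = O16_RE.match(body)
            if m and not trusted_host(urlparse(m["url"]).hostname):
                findings.append(("untrusted-dpf-host", sec, body))
    return findings


def hkcu_run_entries(text):
    return {b for s, b in parse_hjt(text) if s == "O4" and b.startswith("HKCU\\")}


def per_user_differences(log_a, log_b):
    """HKCU Run entries one user has and the other does not: per-profile
    persistence that cleaning the first account never touched."""
    a, b = hkcu_run_entries(log_a), hkcu_run_entries(log_b)
    return {"only_in_a": sorted(a - b), "only_in_b": sorted(b - a)}


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG) + triage(SECOND_USER_LOG):
        print(*finding)
    print(per_user_differences(SAMPLE_LOG, SECOND_USER_LOG))
```

The "unqualified-path" and "untrusted-dpf-host" rules are review prompts, not verdicts: CTHELPER.EXE and nwiz.exe are Creative and NVIDIA components and the akamai.net host is serving Trend Micro's HouseCall CAB, but a helper should confirm each of those against the file on disk or the vendor rather than take the log's word for it.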
TeMerc
Warrior Obsessed

PostPosted: Wed Apr 06, 2005 9:37 pm

OK, everything looks good. All clear.

I should have asked you this, but did you try to remove that app in 'safe mode'? If not, give it a try and see what happens.

If that also fails, try this app:
ADRMPRO2

I will try and do some more searching about the error.
SiO2MAN
Junior Member

PostPosted: Wed Apr 06, 2005 10:51 pm

Yea, I tried removing it in Safe Mode too.

I tried the app you linked to, I get the exact same error.

I'm not sure what this means, but Trend Micro and Panda Scan each report this 1 file as infected but neither will disinfect it. Trend Micro allows you to delete files but if I try to for this file it won't let me, says it's in use. The file is:

C:\Documents and Settings\Robert\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-762d722b-3b515221.class

Other than that everything seems clean.

Thanks.
TeMerc
Warrior Obsessed

PostPosted: Thu Apr 07, 2005 3:45 pm

OK, I did a bit of looking around about the UpromiseRemindU app; it's related to eBates. Here is the page I got when I Googled it; you're going to have to go through and find the best solution for removal, probably manually.

http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLD,GGLD:2003-52,GGLD:en&q=UpromiseRemindU+removal

I am still looking into the other file, I don't have Sun installed on my 2 systems, one XP Home, one XP Pro Corp.
Mosaic1
SWW Distinguished Expert


Joined: 29 Jun 2004
Last Visit: 11 Aug 2011
Posts: 2174

PostPosted: Thu Apr 07, 2005 5:35 pm

Class file is in your java cache.

Go into Control Panel and double-click your Java plugin icon.

Click the cache tab and then click on the Clean JAR Cache Button.

If that doesn't work, try it in safe mode.
SiO2MAN
Junior Member

PostPosted: Thu Apr 07, 2005 8:18 pm

Mosaic, thanks a lot, that did it, cleared the whole folder, and of course, when I scanned with Trend Micro and Panda, all clean.

TeMerc, I scanned with Spybot, Ad-Aware, MS AntiSpyware, NAV, Trend Micro, and Panda, all clean, and the blue screens have stopped, not sure why. The only things left are that annoying UpromiseRemindU and some "perflib_perfdata" file in my temp folder that I can't delete. I'll Google them and see what I come up with. Let me know if you want to take one final look at a HJT log; otherwise, thanks for everything.
Mosaic1
SWW Distinguished Expert

PostPosted: Thu Apr 07, 2005 8:26 pm

You're welcome.

perflib_perfdata is normal. It is in use. It will be deleted when windows shuts down most likely.

You can use HijackThis to get rid of the entry for the useless uninstaller in your Add/Remove Programs.

Run HijackThis.
Press the Config button.
Click Misc Tools.

Click the Open Uninstall Manager Button

Find the entry, highlight it and click the Delete this Entry button.


Then you will need to find the folder with the leftover files for that nasty and delete it.
SiO2MAN
Junior Member

PostPosted: Fri Apr 08, 2005 3:42 pm

Thanks, I was able to get rid of that uninstaller and just manually deleted everything I could find related to UpromiseRemindU. It must've worked because before I did there was an entry in the System Configuration Utility (msconfig) related to it under Startup, and after I rebooted it was gone. I also uninstalled the Java program, not sure why I ever installed it. Also manually removed all the Sun/Java folders.

I do have a couple of questions and a comment about HijackThis.

1. TeMerc recommended not installing SP2 until the system was clean but added "if at all". Should I update?

2. Panda is finding 2 adware infected files that it doesn't disinfect, both of the type Adware/SearchAid. They are:

C:\WINDOWS\javady32.dll
C:\WINDOWS\SYSTEM32\javapf32.dll

I take it that Panda doesn't disinfect all files unless you're using a purchased version? Is some of this adware just unavoidable and harmless? I'm paranoid now. :D

And finally, I decided to run HJT signed on as the other 2 users on this machine. Even though I had manually removed all the Xxx.exe files in the Windows and System32 folders and checked them off to fix in HJT, there were about 12 files that needed to be checked off for fixing for each of the other 2 users.

Thanks again.
TeMerc
Warrior Obsessed

PostPosted: Fri Apr 08, 2005 7:20 pm

Thanks for dropping in Mo, appreciate you helping out.

Quote:
1. TeMerc recommended not installing SP2 until the system was clean but added "if at all". Should I update?

This is a subject that has varying opinions.

There were and still are a fair amount of people who have lots of troubles with XP SP2, from the actual downloads to all sorts of peripheral problems. The upgrade is primarily one of security intents. It is my opinion that if you're secure enough and diligent about surfing habits, it's not needed. By secure enough, I mean having all the apps I recommend installed and properly updated regularly.

Beyond that, the decision is yours.

Quote:
2. Panda is finding 2 adware infected files that it doesn't disinfect, both of the type Adware/SearchAid. They are:

C:\WINDOWS\javady32.dll
C:\WINDOWS\SYSTEM32\javapf32.dll

Track these down and delete them, both are bad files.

Quote:
I take it that Panda doesn't disinfect all files unless you're using a purchased version? Is some of this adware just unavoidable and harmless?

You need to realise that Panda is an AV scanner, not a malware scanner in the sense of Ad-Aware and Spybot. It will not remove many malwares it finds, but it's great that they find them!!

Quote:
And finally, I decided to run HJT signed on as the other 2 users on this machine. Even though I had manually removed all the Xxx.exe files in the Windows and System32 folders and checked them off to fix in HJT, there were about 12 files that needed checked off for fixing for each of the other 2 users.

This is normal to find; typically, the other users will be less infected than the original infectee. I would suggest you post logs for each user, to be sure you're all clean. Please post one log at a time though.
SiO2MAN
Junior Member

PostPosted: Sat Apr 09, 2005 1:12 am

Here's the HJT log for 1 user:

Logfile of HijackThis v1.99.1
Scan saved at 5:08:23 AM, on 4/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Intel\NCS\Sync\NetSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Palm\HOTSYNC.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.hshsl.umaryland.edu/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5EFF8B09-B211-42B7-805E-C4670BF8C830} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.

PostPosted: Sat Apr 09, 2005 8:16 am    Post subject:

That last user's log is clear, next user please.
SiO2MAN
Junior Member


Joined: 02 Apr 2005
Last Visit: 10 Apr 2005
Posts: 16

PostPosted: Sat Apr 09, 2005 10:33 am    Post subject:

And the last one:

Logfile of HijackThis v1.99.1
Scan saved at 2:30:20 PM, on 4/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://disney.go.com/home/today/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5EFF8B09-B211-42B7-805E-C4670BF8C830} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
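The check TeMerc does by eye on the two user logs above (the machine-wide HKLM items match between accounts, while the per-user HKCU and Startup-folder items differ, which is why each account needs its own HJT pass) can be scripted. The following is an added example, not code from this thread or from HijackThis itself: it parses a constructed subset of the two logs posted here, tags each entry by the scope it lives in (per-user hive, machine-wide hive, or either), and reports which entries appear in only one account's log. The scope rules are an assumption based on the registry locations HijackThis reports; O8/O9 style entries are deliberately left as "either" rather than guessed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: a subset of the two HijackThis 1.99.1 logs posted in
# this thread, one from each of two user accounts on the same machine.
LOG_USER_A = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.hshsl.umaryland.edu/proxy.pac
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID {DA9935BA-22F7-44ee-BD12-BD8B87700BEA}
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""

LOG_USER_B = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://disney.go.com/home/today/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.drudgereport.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""

# An HJT entry line is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [...]".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class Entry:
    section: str  # HJT section code such as "R0", "O4", "O23"
    body: str     # everything after "O4 - "

    @property
    def scope(self) -> str:
        """Where the setting lives, and therefore which accounts an HJT fix reaches.
        Assumed rules: HKCU and the per-account Startup folder are per-user; HKLM,
        Global Startup, BHOs, toolbars, plugins, DPF objects and services are
        machine-wide; anything else is reported as 'either' rather than guessed."""
        b = self.body
        if b.startswith("HKCU") or b.startswith("Startup:"):
            return "user"
        if b.startswith("HKLM") or b.startswith("Global Startup:"):
            return "machine"
        if self.section in {"O2", "O3", "O12", "O16", "O23"}:
            return "machine"
        return "either"


def parse_log(text: str) -> list[Entry]:
    """Keep only the R/O entry lines; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def compare_logs(log_a: str, log_b: str) -> dict[str, list[Entry]]:
    """Set-difference two logs so per-account leftovers stand out."""
    a, b = set(parse_log(log_a)), set(parse_log(log_b))
    key = lambda e: (e.section, e.body)
    return {
        "only_a": sorted(a - b, key=key),
        "only_b": sorted(b - a, key=key),
        "common": sorted(a & b, key=key),
    }


def machine_wide_mismatch(log_a: str, log_b: str) -> list[Entry]:
    """Machine-wide entries that differ between accounts are unexpected: both
    logs read the same HKLM hive, so a difference there warrants a closer look."""
    diff = compare_logs(log_a, log_b)
    return [e for e in diff["only_a"] + diff["only_b"] if e.scope == "machine"]


if __name__ == "__main__":
    diff = compare_logs(LOG_USER_A, LOG_USER_B)
    for label in ("only_a", "only_b"):
        print(f"{label}:")
        for e in diff[label]:
            print(f"  [{e.scope:7}] {e.section} - {e.body}")
    print(f"common: {len(diff['common'])} entries")
    print(f"machine-wide mismatches: {len(machine_wide_mismatch(LOG_USER_A, LOG_USER_B))}")
```

Run against the two constructed logs, every entry that differs between the accounts is scoped "user" (the proxy auto-config URL, the CfgWiz and HotSync startup items in one account, the Disney start page in the other), and the machine-wide mismatch list is empty, which is the state TeMerc is checking for before declaring the machine clean.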
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.

PostPosted: Sat Apr 09, 2005 11:00 am    Post subject:

All clear there too, looks like we're done!!!
SiO2MAN
Junior Member


Joined: 02 Apr 2005
Last Visit: 10 Apr 2005
Posts: 16

PostPosted: Sat Apr 09, 2005 4:48 pm    Post subject:

Thanks for everything, I've learned more than I ever wanted to. Very Happy
TeMerc
Warrior Obsessed


Joined: 12 Feb 2004
Last Visit: 23 Dec 2009
Posts: 4953
Location: Phx. AZ.

PostPosted: Sat Apr 09, 2005 9:30 pm    Post subject:

Very good. At the very least, now you can be more secure in your surfing and share your experiences with friends and family; everyone needs to know about staying safe. Once you're set up, keeping things current and updated is easy.

We have 3 more things to do, to help ensure you have removed all the little 'leftovers' which may be hiding:

Empty the TIF (Temporary Internet Files)
Delete all the files in (and any subfolders of) the C:\Windows\Temp folder
The app below will help with temp files.
Index.dat Suite

Also, delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

This would also be a good time to set a new system restore point for your machine.
Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

Also, as you are an XP user, if there are any other accounts on this machine, they, too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion.

Here is a link which describes how security apps work with WIN XP machines.
XP User Accts Security Apps Operation

To further prevent the installation of ad/mal/spyware, DL these two apps, which are becoming the next one-two punch in the fight against ad/mal/spyware with AdAware & Spybot S&D:

Spyware Guard & Spyware Blaster
With Spyware Blaster and Spyware Guard, just DL, check for updates, enable protection, and you're done!

To avoid known malware infested sites from loading in IE install IESPY ADS.
And MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

And to prevent unknown applications from being installed on your machine, install WinPatrol.

Tutorials for all the apps I mentioned can be found on my site as well.

Confused about which apps are good or not? Read about Rogue/Approved Anti Security apps

And just because you have security apps installed, they are useless unless updated regularly. Keep track of updates for ALL your security needs here:
Calendar of Updates

Subscribe to update alerts for all the above security apps here.

Happy surfing!!
Tom Very Happy

If you found our help here worthwhile, and want to further the cause for others, and keep this site running Donate Here.