WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93101 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Hi Jacked Desktop, Please Help!

Started by jreid25 , Feb 07 2006 09:34 AM

This topic is locked

18 replies to this topic

#1 jreid25

Authentic Member

Authentic Member
38 posts

Posted 07 February 2006 - 09:34 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:33:25 AM, on 2/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\1137094279\ee\AOLSoftware.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paulette Morman\Desktop\New Briefcase\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137094279\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Willow Road Screen Saver.lnk = C:\Program Files\WillowRD\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://texassecurity...ols/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {79A91598-C20E-4097-BA2F-7C2EA74FE3BA} (RRFileManager.classMain) - http://www.reliabler...FileManager.CAB
O16 - DPF: {B8A6A934-59A7-4F0F-AD42-FFDD9A9D5059} (FilePoster.clsPoster) - http://www.reliabler.../FilePoster.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C80908-8590-4AA1-AEC4-ACF776224053}: NameServer = 24.116.0.201,24.116.0.202
O17 - HKLM\System\CS1\Services\Tcpip\..\{37C80908-8590-4AA1-AEC4-ACF776224053}: NameServer = 24.116.0.201,24.116.0.202
O17 - HKLM\System\CS2\Services\Tcpip\..\{37C80908-8590-4AA1-AEC4-ACF776224053}: NameServer = 24.116.0.201,24.116.0.202
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Advertisements

Register to Remove

#2 Susan528

SuperMember

Authentic Member
3,194 posts

Posted 07 February 2006 - 12:54 PM

Hello and Welcome to TomCoyote,

I would like you to run some scans and post the results. Let’s do some cleaning first.

STEP 1.
======
Let’s check for Malware/Spyware on your computer which is best dealt with by spyware-removal programs used one after the other.
Spybot: Search and Destroy:

Download 'Spybot: Search And Destroy'.
Install it according to the instructions in 'How To Setup Spybot SD and Ad-Aware SE'.
Next, 'Search for Updates' as the definitions are not likely to be up-to-date.
Close ALL windows except Spybot SD
Click the "Check for Problems" button
Click 'Fix Selected Problems' and fix only the RED items.
REBOOT to finish removing what Spybot SD found and clear memory

Ad-Aware SE by Lavasoft:

Download 'Ad-Aware SE'.
Install according to the instructions in "How To Setup Spybot SD and Ad-Aware SE"
Next, 'Check for Updates' by clicking on the 'world globe' second from the right at the top of your Ad-Aware SE window.
Install the updates.
Close ALL windows except Ad-Aware SE
Click on 'Start' and choose 'full scan' for a full scan.
Quarantine anything that it finds and SAVE the log file.
REBOOT to finish removing what Ad-Aware SE found and clear memory.

Please let me know if anything can not be cleaned by these utilities.

STEP 2.
======

Ewido Trojan Scanner
Please download, install, and update the NEW free version of Ewido trojan scanner:

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Scan again with HijackThis

Please POST

a New HijackThis log
the results from the Ewido log

in this thread using 'Add Reply'.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#3 jreid25

Authentic Member

Authentic Member
38 posts

Posted 07 February 2006 - 03:57 PM

Here is the ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:38:21 PM, 2/7/2006
+ Report-Checksum: 11F54C

+ Scan result:

C:\Documents and Settings\Paulette Morman\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-1540eca1-24dc94fa.class -> Downloader.OpenStream.y : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@cz3.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@cz4.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@cz5.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@cz9.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@data1.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@e-2dj6wjkokoc5cfo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@e-2dj6wjkyuhc5mkp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@e-2dj6wjl4qmdzwcp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@e-2dj6wjlykpdpcco.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@e-2dj6wjny-1iazkg.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@vip.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@vip2.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Program Files\WebEx\ieatgpc.dll -> Adware.WebEx : Cleaned with backup
C:\Program Files\WebEx\ieatgpc.tmp/ieatgpc.dll -> Adware.WebEx : Error during cleaning
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP889\A0034946.exe -> Not-A-Virus.Hoax.Win32.Renos.au : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP890\A0034999.EXE -> Not-A-Virus.Hoax.Win32.Renos.au : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP902\A0035159.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP902\A0035184.exe -> Not-A-Virus.Hoax.Win32.Renos.au : Cleaned with backup
C:\WINDOWS\SYSTEM32\intell321.exe -> Trojan.Small.ev : Cleaned with backup
C:\WINDOWS\uninstDsk.exe -> Trojan.Small.ev : Cleaned with backup

::Report End

Here is the HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:39:17 PM, on 2/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\1137094279\ee\AOLSoftware.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Paulette Morman\Desktop\New Briefcase\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137094279\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Willow Road Screen Saver.lnk = C:\Program Files\WillowRD\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://texassecurity...ols/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {79A91598-C20E-4097-BA2F-7C2EA74FE3BA} (RRFileManager.classMain) - http://www.reliabler...FileManager.CAB
O16 - DPF: {B8A6A934-59A7-4F0F-AD42-FFDD9A9D5059} (FilePoster.clsPoster) - http://www.reliabler.../FilePoster.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C80908-8590-4AA1-AEC4-ACF776224053}: NameServer = 24.116.0.201,24.116.0.202
O17 - HKLM\System\CS1\Services\Tcpip\..\{37C80908-8590-4AA1-AEC4-ACF776224053}: NameServer = 24.116.0.201,24.116.0.202
O17 - HKLM\System\CS2\Services\Tcpip\..\{37C80908-8590-4AA1-AEC4-ACF776224053}: NameServer = 24.116.0.201,24.116.0.202
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks,

#4 Susan528

SuperMember

Authentic Member
3,194 posts

Posted 07 February 2006 - 07:28 PM

Hello jreid25,

Good work! Your hijackthis log looks good but want to take care of one file.

Download Pocket Killbox

Reboot into Safemode
(tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter').

Open Pocket Killbox
Copy and paste this entire path into Full Path of File to Delete

C:\Program Files\WebEx\ieatgpc.tmp/ieatgpc.dll

Set it to Delete on Reboot
Tick the box that says End Explorer shell while killing file
Click on the Red circle with the white X
It will ask you to confirm the deletion Say yes
It will ask you to reboot, say Yes

Please run ewido again and post the results--let’s make sure it was deleted.

#5 little eagle

spyware hawk

Visiting Fellow
8,968 posts

Interests:spyware

Posted 09 February 2006 - 10:56 AM

Starting more than one topic slows us all down.
As you have more than one helper working on your logs.
http://forums.tomcoy...topic=57522&hl=
:angry:

My Website
ATF Cleaner for removing temporary files
HijackThis download
Donations to this site

#6 jreid25

Authentic Member

Authentic Member
38 posts

Posted 09 February 2006 - 03:22 PM

When I tried to delete the file with killbox the it never asked me to confirm the deletion it just ask me if I was ready to reboot I said yes and then it counted down backwards from 10 to the reboot, but instead of rebooting a dialog box popped up that said: "PendingFileRenameOperations Registry data has been removed by external process!" Then I went ahead and ran ewido again here is the log: --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 3:17:07 PM, 2/9/2006 + Report-Checksum: 82D891E3 + Scan result: C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup C:\Program Files\WebEx\ieatgpc.tmp/ieatgpc.dll -> Adware.WebEx : Error during cleaning C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP907\A0035422.dll -> Adware.WebEx : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP907\A0035423.EXE -> Trojan.Small.ev : Cleaned with backup C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP907\A0035424.EXE -> Trojan.Small.ev : Cleaned with backup ::Report End

#7 jreid25

Authentic Member

Authentic Member
38 posts

Posted 09 February 2006 - 03:50 PM

C:\Program Files\WebEx\ieatgpc.tmp/ieatgpc.dll -> Adware.WebEx : Error during cleaning I think that when ewido tried to clean this it came up it said that it was embedded in an archive and it asked me if I wanted to delete the entire archive and I said no.

#8 Susan528

SuperMember

Authentic Member
3,194 posts

Posted 09 February 2006 - 04:19 PM

Hello jreid25,

Can you delete the file by navigating to it and deleting folder?

You may want to use Windows Explorer to navigate to the folder and delete it
C:\Program Files\WebEx\ieatgpc.tmp<==folder
If you have any problem deleting these items, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.

Did that work?

#9 jreid25

Authentic Member

Authentic Member
38 posts

Posted 09 February 2006 - 04:54 PM

I went to the folder and deleted the ieatgpc.dll, my desktop stillhas the hijacker on it. when I right click on what is now my desktop it gave me the choice "View Source" so I clicked on it and there was a bunch of .html code. I deleted all of the code and now my desktop is just white.

#10 jreid25

Authentic Member

Authentic Member
38 posts

Posted 09 February 2006 - 04:59 PM

Also the When I click on "View Source" the code was written in a notepad document. The document is still there, it is just blank now because I deleted all of the code. The name of the document is "warnhp". it is in C:\Windows. Should I delete the document completely? I think that might bring my desktop back, but I wanted to check with you first.

Advertisements

Register to Remove

#11 Susan528

SuperMember

Authentic Member
3,194 posts

Posted 09 February 2006 - 08:19 PM

Navigate to C:\Windows\warnhp.html and delete it.

Navigate to C:\Windows\Prefetch
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer and quit any instances of Windows Explorer.
Click Start, click Control Panel, and then double-click Internet Options.
On the General tab, click Delete Files under Temporary Internet Files.
In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
Click OK.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see an checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

STEP 2.
======
Panda Active Scan
Please go to Panda ActiveScan.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button

Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, by using Add Reply. Let me know if problems still exist.

#12 jreid25

Authentic Member

Authentic Member
38 posts

Posted 10 February 2006 - 12:00 PM

The problem is still here.

Here is the hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 11:56:52 AM, on 2/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\1137094279\ee\AOLSoftware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Paulette Morman\Desktop\New Briefcase\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137094279\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Willow Road Screen Saver.lnk = C:\Program Files\WillowRD\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://texassecurity...ols/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {79A91598-C20E-4097-BA2F-7C2EA74FE3BA} (RRFileManager.classMain) - http://www.reliabler...FileManager.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8A6A934-59A7-4F0F-AD42-FFDD9A9D5059} (FilePoster.clsPoster) - http://www.reliabler.../FilePoster.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C80908-8590-4AA1-AEC4-ACF776224053}: NameServer = 24.116.0.201,24.116.0.202
O17 - HKLM\System\CS1\Services\Tcpip\..\{37C80908-8590-4AA1-AEC4-ACF776224053}: NameServer = 24.116.0.201,24.116.0.202
O17 - HKLM\System\CS2\Services\Tcpip\..\{37C80908-8590-4AA1-AEC4-ACF776224053}: NameServer = 24.116.0.201,24.116.0.202
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Here is the panda virus scan log:

Incident Status Location

Potentially unwanted tool:application/alfacleaner Not disinfected C:\WINDOWS\SYSTEM32\DRIVERS\hesvc.sys
Spyware:spyware/smitfraud Not disinfected C:\WINDOWS\SYSTEM32\oleext.dll

#13 Susan528

SuperMember

Authentic Member
3,194 posts

Posted 10 February 2006 - 02:16 PM

Hello jreid25,

I thought maybe it was smitfraud and Panda gave the clue here:
Spyware:spyware/smitfraud Not disinfected C:\WINDOWS\SYSTEM32\oleext.dll

You have the Smitfraud infection. You need to do all the steps in the order even though you have run some of the applications before.

Smitfraud Fix

Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Skip this since you allready have downloaded it.
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Be sure that ewido is updated though.
Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Now scan with HJT and place a checkmark next to each of the following items and click FIX CHECKED:
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Close HiJackThis.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
When the scan is finished, click the Save report button at the bottom of the screen.
Save the report to your desktop

Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

You need to do Panda scan again.
Reboot back into Windows and click the Panda ActiveScan shortcut.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button

Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt the Ewido Log by using Add Reply.
Let us know if any problems persist.

#14 jreid25

Authentic Member

Authentic Member
38 posts

Posted 13 February 2006 - 09:40 AM

In your previous instructions after I ran ewido you said to "go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present."
"Security Info" was not present, but there was a box that was checked that said "desktop Uninstall"

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:29:23 AM, on 2/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\1137094279\ee\aolsoftware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Paulette Morman\Desktop\New Briefcase\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1137094279\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" /d locale=en-US ee://aol/imApp
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Willow Road Screen Saver.lnk = C:\Program Files\WillowRD\WillowRd.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://texassecurity...ols/ScriptX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {79A91598-C20E-4097-BA2F-7C2EA74FE3BA} (RRFileManager.classMain) - http://www.reliabler...FileManager.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B8A6A934-59A7-4F0F-AD42-FFDD9A9D5059} (FilePoster.clsPoster) - http://www.reliabler.../FilePoster.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{37C80908-8590-4AA1-AEC4-ACF776224053}: NameServer = 24.116.0.201,24.116.0.202
O17 - HKLM\System\CS1\Services\Tcpip\..\{37C80908-8590-4AA1-AEC4-ACF776224053}: NameServer = 24.116.0.201,24.116.0.202
O17 - HKLM\System\CS2\Services\Tcpip\..\{37C80908-8590-4AA1-AEC4-ACF776224053}: NameServer = 24.116.0.201,24.116.0.202
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Here is ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:39:57 PM, 2/10/2006
+ Report-Checksum: 278850F1

+ Scan result:

C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup

::Report End

Here is the Smitrem log:

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 02/10/2006
The current time is: 16:08:53.79

Running from
C:\Documents and Settings\Paulette Morman\Desktop\New Folder\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

checking for WinHound.com key

WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

Install.dat

~~~ Favorites ~~~

~~~ system32 folder ~~~

oleext.dll
logfiles

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 752 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

Here is panda scan:

Incident Status Location

Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Paulette Morman\Cookies\paulette morman@2o7[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Paulette Morman\Desktop\New Folder\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Paulette Morman\Desktop\smitRem.exe[Process.exe]
Potentially unwanted tool:application/alfacleaner Not disinfected C:\WINDOWS\SYSTEM32\DRIVERS\hesvc.sys

#15 Susan528

SuperMember

Authentic Member
3,194 posts

Posted 13 February 2006 - 01:38 PM

Let’s delete that one file.

Show Hidden Files
Please show all files for your system.
You will need to reverse this process when all steps are done.

Delete Files and Folders
Please delete the following files/folders:
C:\WINDOWS\SYSTEM32\DRIVERS\hesvc.sys
If you have any problem deleting these items, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.

Run Panda and let’s make sure that the file is gone. How is your computer running now?

Body Background

skin color theme