1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

several adware problems over my head...

Discussion in 'Malware and Virus Removal Archive' started by SPYE, 2005/06/01.

Thread Status:
Not open for further replies.
  1. 2005/06/01
    SPYE

    SPYE Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    5
    Likes Received:
    0
    This is my first post here so if I mess up please be gentle...

    Currently have several adware/spyware programs. They find problems and fix them but after a couple of hours the problems are right back...
    spybot 1.4
    adaware 1.06r1
    microsoft antispyware beta1 1.0.509

    some of the problems...
    abetterinternet
    aurora
    partypoker shortcuts
    shop at home select
    search asistant

    the main problem is this is an networked computer and they appear to "migrating" across the network? is this possible?

    Here is the hijack this log from the computer that I believe is "mostly" at fault. Thanks in advance for any asistance you may be able to give as I am over my head in solving this problem.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:01:40 PM, on 6/1/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    c:\windows\system32\ehyvss.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\REGEDIT.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\ANTISPYWARE\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = SERVER:8080
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: WinStat - {F007E221-018D-4baf-924A-B0E9092F3853} - C:\WINDOWS\System32\WinStat11.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [whiunyt] C:\WINDOWS\System32\whiunyt.exe
    O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = andersontrussco.com
    O17 - HKLM\Software\..\Telephony: DomainName = andersontrussco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = andersontrussco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = andersontrussco.com
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
    Last edited: 2005/06/01
    SPYE,
    #1
  2. 2005/06/01
    rstones12

    rstones12 Inactive

    Joined:
    2005/06/01
    Messages:
    15
    Likes Received:
    0
    SPYE,
    Welcome to the WindowsBBS Forum, I will be reviewing your HJT log.

    Please read "ALL" of the instructions before proceeding:
    You may want to print out these instructions for a reference.

    First Download CWShredder
    And save it to your desktop.
    Close all open browser windows and any other open windows.

    Install CWShredder, then:

    Open CWS and click Check for Updates
    Then click "FIX "
    Once it has completed exit the program.

    Download CleanUp
    Install the program, dont run it yet, we will later.

    Please download the trial version of Ewido Security Suite here:
    http://www.ewido.net/en/download/

    Please read Ewido Setup Instructions
    Install it, and update the definitions to the newest files. Do NOT run a scan yet.

    Please download Nailfix from here:
    Nailfix.zip
    Unzip it to the desktop but please do NOT run it yet.

    Next, please reboot your computer in SafeMode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.
    For additional help in booting into Safe Mode, see the following site:
    SafeMode Help
    Once in SafeMode, please double-click on Nailfix.cmd.
    Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

    Then please run Ewido, and run a full scan. Save the logfile from the scan.

    Now scan with HijackThis and place a checkmark next to the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)

    O2 - BHO: WinStat - {F007E221-018D-4baf-924A-B0E9092F3853} - C:\WINDOWS\System32\WinStat11.dll

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    Close all open windows except for HijackThis and click Fix Checked

    Now using Windows Explorer find and remove the following:
    C:\WINDOWS\System32\WinStat11.dll <-- File

    Start CleanUp
    When CleanUp starts go to the Options button (right side of CleanUp screen)
    Uncheck cookies
    This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea.
    Click OK
    Then click on the CleanUp button. This will take a short while, let it do its thing.
    When asked to reboot system select No
    Close CleanUp

    Restart your computer in normal mode and please post a new HJT Log, as well as the Text Log from the Ewido scan by using Add Reply

    Thanks,
    rstones12
     
    rstones12,
    #2


  3. to hide this advert.

  4. 2005/06/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hello SPYE, and welcome to WindowsBBS (again) :)

    Just wanted to let you know that I know rstones12 and trust his analysis of your log and the proposed fix. ;)


    rstones12,

    Your presence here at WindowsBBS is welcomed and appreciated! :D
     
    noahdfear,
    #3
  5. 2005/06/01
    rstones12

    rstones12 Inactive

    Joined:
    2005/06/01
    Messages:
    15
    Likes Received:
    0
    Thanks and glad to be onboard...... :) :D
     
    rstones12,
    #4
  6. 2005/06/02
    SPYE

    SPYE Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    5
    Likes Received:
    0
    here goes...

    had a few issues but i don't know how it will effect the results...
    ewido initially would not run in safemode (siad lang.dll was not installed) so i ran the setup again and it would fire but it would not let me update because I booted w/o network resources.

    Also only two of these R1- entries were present while in safe mode
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank


    the R1-....searchURL default was not in there
    R3-...Surf sidekick was also missing.

    Unfortunately it appears there is more work to do because they are still in my regular boot scan below.

    Thanks for the help...


    Logfile of HijackThis v1.99.1
    Scan saved at 10:29:37 AM, on 6/2/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\userinit.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    C:\ANTISPYWARE\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = SERVER:8080
    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O2 - BHO: (no name) - {F007E221-018D-4baf-924A-B0E9092F3853} - (no file)
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [whiunyt] C:\WINDOWS\System32\whiunyt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = andersontrussco.com
    O17 - HKLM\Software\..\Telephony: DomainName = andersontrussco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = andersontrussco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = andersontrussco.com
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 10:11:35 AM, 6/2/2005
    + Report-Checksum: B6CDE0B4

    + Date of database: 6/2/2005
    + Version of scan engine: v3.0

    + Duration: 31 min
    + Scanned Files: 64222
    + Speed: 33.93 Files/Second
    + Infected files: 75
    + Removed files: 75
    + Files put in quarantine: 75
    + Files that could not be opened: 0
    + Files that could not be cleaned: 0

    + Binder: Yes
    + Crypter: Yes
    + Archives: Yes

    + Scanned items:
    C:\

    + Scan result:
    C:\Documents and Settings\Doug\Cookies\doug@23298139[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@a.websponsors[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@ad.krutilka[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@ads.as4x.tmcs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@ads.guardian.co[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@ads.mm.ap[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@ads.specificclick[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@ads.telegraph.co[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@ads.thestar[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@ads.vnuemedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@ads4.clearchannel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@ads49.bpath[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@adsremote.scripps[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@adv.webmd[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@a[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@bannerspace[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@bcentral[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@beta.search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@burstnet[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@campaigns.f2.com[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@cookie.monster[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@geocities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@hits.411web[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@image.masterstats[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@indiads[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@krd.realcities[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@mediamgr.ugo[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@myway[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@search.msn[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@specificpop[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@spms.bpath[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@visit.theglobeandmail[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@www.myaffiliateprogram[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\Doug\Cookies\doug@www.razorgator[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@75401068[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@a.websponsors[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@adknowledge[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@ads.as4x.tmcs[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@adsremote.scripps[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@adv.webmd[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@a[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@burstnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@com[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@html[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@images.indiads[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@indiads[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@myway[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@p[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@realguide.real[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@search.msn[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@visit.theglobeandmail[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@www.burstnet[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@www.myaffiliateprogram[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Cookies\dtipton@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Local Settings\Temp\Cookies\dtipton@adopt.hotbar[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
    C:\Documents and Settings\dtipton\Local Settings\Temporary Internet Files\Content.IE5\49W3030F\Nail[1].exe -> Trojan.Nail -> Cleaned with backup
    C:\Documents and Settings\dtipton\Local Settings\Temporary Internet Files\Content.IE5\V2H04MN9\svcproc[1].exe -> Trojan.Stervis.c -> Cleaned with backup
    C:\Documents and Settings\dtipton\Local Settings\Temporary Internet Files\Content.IE5\WHY781ER\Poller[1].exe -> Trojan.Agent.cp -> Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\5EE323A2-F2D3-47C0-B22C-3C4A76\2DFEA648-DE49-4558-A91F-D8322A -> TrojanDownloader.Intexp.c -> Cleaned with backup
    C:\WINDOWS\acsigtakk.exe -> Spyware.BetterInternet -> Cleaned with backup
    C:\WINDOWS\SYSTEM32\1ua.exe -> Trojan.Delf.cf -> Cleaned with backup
    C:\WINDOWS\SYSTEM32\arbyz.exe -> TrojanDownloader.Lastad.h -> Cleaned with backup
    C:\WINDOWS\SYSTEM32\arbyzndw30103lib.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
    C:\WINDOWS\SYSTEM32\DrPMon.dll_tobedeleted -> Trojan.Agent.db -> Cleaned with backup
    C:\WINDOWS\SYSTEM32\nrmcqmg.exe -> Trojan.Agent.cp -> Cleaned with backup
    C:\WINDOWS\SYSTEM32\whiunytndw30104lib.dll -> TrojanDownloader.Lastad.h -> Cleaned with backup
    C:\WINDOWS\tdtb.exe -> Trojan.Imiserv.c -> Cleaned with backup


    ::Report End
     
    SPYE,
    #5
  7. 2005/06/02
    rstones12

    rstones12 Inactive

    Joined:
    2005/06/01
    Messages:
    15
    Likes Received:
    0
    SPYE,
    OK, we still need to do a few things, but we are making progress..

    Please read "ALL" of the instructions before proceeding:
    You may want to print out these instructions for a reference.

    While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
    Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.
    • Open Spybot Search & Destroy.
    • In the Mode menu click "Advanced mode" if not already selected.
    • Choose "Yes" at the Warning prompt.
    • Expand the "Tools" menu.
    • Click "Resident ".
    • Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
    • In the File menu click "Exit" to exit Spybot Search & Destroy.

    Next do the following:
    Please download WinHelp2002's DelDomains by right-clicking on the following link, and choosing "Save Target As ":
    http://www.mvps.org/winhelp2002/DelDomains.inf
    • Save the file to the desktop.
    • Then go to the desktop, right click on DelDomains.inf, and choose Install.
    • You may not see any noticeable changes or prompts; this is normal.
    IMPORTANT: If you have any of the programs installed:
    You will have to reimmunize with SpywareBlaster, IE-SPYADS, and/or Spybot S&D after doing this.

    Now Scan with HJT and place a checkmark next to the following items:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

    R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)

    O2 - BHO: (no name) - {F007E221-018D-4baf-924A-B0E9092F3853} - (no file)

    O4 - HKLM\..\Run: [whiunyt] C:\WINDOWS\System32\whiunyt.exe

    O15 - Trusted Zone: http://www.neededware.com

    O16 - DPF: NDWCab - http://www.neededware.com/ndw2.cab

    Close all browsers and open windows except HJT, then click the Fix Checked button.

    Enable show hidden files and folders:

    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Click Yes to confirm.
    * Click OK.

    Using Windows Explorer find and remove the following folders/files if present.
    (If you don't find or cant delete any please let me know)

    C:\Program Files\SurfSideKick 3\ <-- Folder
    C:\WINDOWS\System32\whiunyt.exe <-- File

    Run the CleanUp program

    Reboot your system and post back a new HJT log by using Submit Reply

    Thanks,
    rstones12
     
    rstones12,
    #6
  8. 2005/06/02
    SPYE

    SPYE Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    5
    Likes Received:
    0
    here is the new hjt log...

    here we go...


    C:\Program Files\SurfSideKick 3\ <-- Folder - not there (could not find in search)
    C:\WINDOWS\System32\whiunyt.exe <-- File - will not let me delete - access denied:make sure disk is not full or write protected...

    thanks again for taking so much time...

    Logfile of HijackThis v1.99.1
    Scan saved at 4:21:40 PM, on 6/2/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\userinit.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    C:\ANTISPYWARE\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = SERVER:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [whiunyt] C:\WINDOWS\System32\whiunyt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O15 - Trusted Zone: http://www.neededware.com
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = andersontrussco.com
    O17 - HKLM\Software\..\Telephony: DomainName = andersontrussco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = andersontrussco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = andersontrussco.com
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
    SPYE,
    #7
  9. 2005/06/03
    rstones12

    rstones12 Inactive

    Joined:
    2005/06/01
    Messages:
    15
    Likes Received:
    0
    SPYE,
    We need to do a few things:

    Please read "ALL" of the instructions before proceeding:
    You may want to print out these instructions for a reference.

    Please download Pocket Killbox
    Click Here to download Pocket Killbox by Option^Explicit.
    Unzip the program and save it to your desktop, dont run it just yet.

    Please reboot your computer in SafeMode by doing the following:
    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.


    Go to the desktop, right click on DelDomains.inf, and choose Install

    Do not open any windows or other programs.

    Scan with HJT and place a checkmark next to the following items:

    O4 - HKLM\..\Run: [whiunyt] C:\WINDOWS\System32\whiunyt.exe

    O15 - Trusted Zone: hxxp://www.neededware.com
    I replaced the "tt" with "xx" for security reasons.

    Now with HJT click on the Fix Checked button.

    Now lets run Killbox
    • Double-click on Killbox.exe to start the program.
    • In the killbox program, select the Delete on Reboot option.
    • In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

    C:\WINDOWS\System32\whiunyt.exe
    • Press the button that looks like a red circle with a white X in it after each one.
    • When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button.
    • Do this after each one until you have entered the LAST file path I have listed above.
    • After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts.
    • If you receive a message and your computer does not restart automatically, please restart it manually.

    Now run the CleanUp program.

    Reboot once again and post back a new HJT log by using Add Reply

    Thanks,
    rstones12
     
    rstones12,
    #8
  10. 2005/06/03
    SPYE

    SPYE Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    5
    Likes Received:
    0
    new hjt....

    here we go again, thanks again for the help....

    Logfile of HijackThis v1.99.1
    Scan saved at 8:21:27 AM, on 6/3/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~2\VPTray.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    C:\Program Files\Symantec AntiVirus\DoScan.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\system32\userinit.exe
    C:\Documents and Settings\dtipton\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = SERVER:8080
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe "
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI05E6~1\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O16 - DPF: NDWCab -
    O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
    O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = andersontrussco.com
    O17 - HKLM\Software\..\Telephony: DomainName = andersontrussco.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = andersontrussco.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = andersontrussco.com
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
    SPYE,
    #9
  11. 2005/06/04
    rstones12

    rstones12 Inactive

    Joined:
    2005/06/01
    Messages:
    15
    Likes Received:
    0
    SPYE,
    Things are looking much better.
    A few questions.
    Do you recognize this domain:
    andersontrussco.com is this your companies domain.

    Is this system on the company network or do you log in remotely?
    Do you connect to a SQL server that you know of by means of a proxy server?

    Let me know and then we can proceed.

    Thanks,
    rstones12
     
    rstones12,
    #10
  12. 2005/06/04
    SPYE

    SPYE Inactive Thread Starter

    Joined:
    2005/06/01
    Messages:
    5
    Likes Received:
    0
    yes that entry is legit...

    that entry is the company domain and this computer is on a network. The proxy is also legit.
     
    SPYE,
    #11
  13. 2005/06/04
    rstones12

    rstones12 Inactive

    Joined:
    2005/06/01
    Messages:
    15
    Likes Received:
    0
    SPYE,
    Things are looking better.
    Please do the following. Try not to reboot if possible after submitting the Findit log.


    Download FindIt's.zip to your desktop: http://forums.net-integration.net/index.ph...=post&id=142443

    1. Unzip/extract the files inside to a folder on your desktop.
    2. Open the folder and run FindIt's.bat and wait for notepad to open a text file. It may take awhile so please be patient ...
    3. Then post the results here along with a new HJT log by using Add Reply

    Thanks,
    rstones12
     
    rstones12,
    #12
Thread Status:
Not open for further replies.

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...