Cannot install or even visit S&D website!



arossphoto
2006-02-08, 01:42
I think I have a serious problem with my laptop, because I can't install S&D and even when I try to visit this web site my browser (both Firefox and Explorer) will suddenly shut down. The same thing happens when I try to install ad-aware and visit their web site. Ditto for Microsoft Antispyware. When I browse any other web sites everything appears to be fine.

I've been searching this site and the web for help, but I haven't been able to find anything.

I hope someone here can help me soon.

Thanks,

Andrew

Despise_Spyware
2006-02-08, 02:26
Maybe some malware on your comp is shutting down your browsers whenever you try to delete it by installing an antispyware.


Maybe you should download Spybot from an alternative download site, like download.com.

tashi
2006-02-08, 03:56
Hello arossphoto.

Can you try to do an on-line anti-virus scan?

Bit Defender Virus Scan (http://www.bitdefender.com/scan/licence.php)

Trend Micro Online Scan (http://housecall.trendmicro.com/)

Mcafee Virus Scan (http://us.mcafee.com/root/mfs/default.asp?cid=9914)


Also try to download HJT. (HiJackThis)

Downloads:

http://www.downloads.subratam.org/hijackthis.zip

If you are unfamiliar with zip programs get HijackThis.exe here:
http://www.merijn.org/files/HijackThis.exe

Install HJT in safe mode, and if you cannot, let us know.
How to start Windows in Safe Mode (http://www.bleepingcomputer.com/forums/index.php?showtutorial=61)

A malware expert will take over and I will move your topic to that forum.

We will proceed from that point.

Hang in there. :)

arossphoto
2006-02-08, 06:48
Thanks for your response. I was able to install and run HJT in normal mode before I read your email. I will post the log file below.

I also did a full virus scan with Norton and it found no problems. I then tried installing and running AdAware and S&D in safemode and, once I figured out how to install the latest defs without an internet connection, I was able to run both successfully. However, neither found anything except cookies. I then rebooted into normal mode and tried running S&D and AdAware again, but they won't run at all.

Here's the HJT log. I looked up most of the processes and didn't find anything unusual myself, but I'm no expert. Thanks again for your assistance.

Logfile of HijackThis v1.99.1
Scan saved at 10:43:33 PM, on 07/02/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINDOWS\LOGI_MWX.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
C:\Program Files\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColorReminder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\SecCopy\SecCopy.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Andrew Ross\My Documents\hi-jackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Phase One Media Reader] C:\PROGRA~1\PHASEO~1\CAPTUR~1\DCIMImp.exe /noscan /CheckAutoStart
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Samsung LBP SM] "C:\WINDOWS\Samsung\LaserSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo 820 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0EIC1.EXE /P29 "EPSON Stylus Photo 820 Series" /O6 "USB001" /M "Stylus Photo 820"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [WinLiveUpdate] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
O4 - HKCU\..\Run: [WinColorReminder] C:\Program Files\Pro Imaging Powertoys\Microsoft Color Control Panel Applet for Windows XP\WinColorReminder.exe
O4 - HKCU\..\Run: [Second Copy] "C:\PROGRA~1\SecCopy\SecCopy.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: MonacoGamma.lnk = C:\Program Files\Monaco Systems\MonacoEZcolor 2.6\MonacoGamma.exe
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124229061703
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
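
The key finding in the log above is an svchost.exe running from C:\Program Files\Common Files\Microsoft Shared\DAO, a directory where the real Windows svchost.exe never lives. The script below is an added example, not part of the thread and not code from HijackThis or Spybot: it scans HJT "Running processes" and O4 autorun lines and flags any executable that borrows a Windows system binary's name but sits outside the Windows directories. The system-binary list and the trusted directories are illustrative assumptions (a default XP layout on drive C), and the sample log lines are constructed from the log above.

```python
"""Added example (not from the thread): triage a HijackThis log for
executables that borrow a Windows system binary's name but run from a
directory where the genuine binary does not live, the pattern behind the
DAO-folder svchost.exe finding in the thread."""
import re
from pathlib import PureWindowsPath

# Well-known Windows system executable names that malware often borrows.
# Assumption: illustrative list, not exhaustive.
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
    "smss.exe", "csrss.exe", "explorer.exe", "spoolsv.exe",
}

# Directories where a genuine copy of those binaries is expected.
# Assumption: a default Windows XP layout on drive C.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\WINDOWS\system32"),
    PureWindowsPath(r"C:\WINDOWS"),
)

# HJT "Running processes" entries are bare full paths ending in .exe.
PROC_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)
# HJT O4 autorun entries: O4 - HKLM\..\Run: [Name] "C:\path\file.exe" /args
O4_RE = re.compile(
    r'^O4 - .*?: \[(?P<name>[^\]]*)\] "?(?P<path>[A-Za-z]:\\.*?\.exe)"?',
    re.IGNORECASE,
)


def is_masquerading(path_str):
    """True when the file name is a system-binary name but its directory
    is not one of the trusted ones. PureWindowsPath compares
    case-insensitively, so System32 and system32 are the same folder."""
    p = PureWindowsPath(path_str)
    if p.name.lower() not in SYSTEM_BINARY_NAMES:
        return False
    return p.parent not in TRUSTED_DIRS


def triage_hjt_log(text):
    """Return (source, path) pairs for suspicious process and O4 entries.
    source is "process" or "O4:<autorun name>"."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            if is_masquerading(m.group("path")):
                findings.append((f"O4:{m.group('name')}", m.group("path")))
            continue
        if PROC_RE.match(line) and is_masquerading(line):
            findings.append(("process", line))
    return findings


# Constructed sample: a few lines abridged from the log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinLiveUpdate] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
"""

if __name__ == "__main__":
    for source, path in triage_hjt_log(SAMPLE_LOG):
        print(f"{source}: {path}")
```

Run against the sample it reports the DAO svchost.exe twice, once as a running process and once as the WinLiveUpdate autorun entry, while the genuine smss.exe, svchost.exe and explorer.exe under C:\WINDOWS pass. A path-only check like this is a triage hint, not a verdict: the thread shows Norton passing the same file while Kaspersky and BitDefender flagged it, so the flagged file should still go to a scanner or a sandbox before deletion.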

tashi
2006-02-08, 09:34
Hi arossphoto.
Good, I transferred you to our malware forum and will ask Lonny to take a look as soon as he can. :bigthumb:

arossphoto
2006-02-08, 15:23
I also ran BitDefender last night and it found quite a few viruses, many of which couldn't be deleted or disinfected.

Thanks again and here's the report from BitDefender:


Scanned File | Status
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe | Infected with: Win32.Worm.VB.AA
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe | Disinfection failed
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe | Delete failed
C:\Program Files\Norton AntiVirus\Quarantine\08D90547.wmf | Infected with: Exploit.Win32.WMF-PFV.C
C:\Program Files\Norton AntiVirus\Quarantine\08D90547.wmf | Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\08D90547.wmf | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\2E8E36FA.tmp=>(Quarantine-2) | Infected with: Trojan.Downloader.Adload.J
C:\Program Files\Norton AntiVirus\Quarantine\2E8E36FA.tmp=>(Quarantine-2) | Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\2E8E36FA.tmp=>(Quarantine-2) | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\5306426E.tmp=>(Quarantine-2) | Infected with: Trojan.Downloader.CS
C:\Program Files\Norton AntiVirus\Quarantine\5306426E.tmp=>(Quarantine-2) | Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\5306426E.tmp=>(Quarantine-2) | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\57BC22B8.dll=>(Quarantine-2) | Infected with: Trojan.Keylogger.30
C:\Program Files\Norton AntiVirus\Quarantine\57BC22B8.dll=>(Quarantine-2) | Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\57BC22B8.dll=>(Quarantine-2) | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\57BC22B8.exe=>(Quarantine-2) | Infected with: Trojan.Killav.EF
C:\Program Files\Norton AntiVirus\Quarantine\57BC22B8.exe=>(Quarantine-2) | Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\57BC22B8.exe=>(Quarantine-2) | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\60467930.exe=>(Quarantine-2) | Infected with: Trojan.Downloader.Adload.J
C:\Program Files\Norton AntiVirus\Quarantine\60467930.exe=>(Quarantine-2) | Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\60467930.exe=>(Quarantine-2) | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\664C7A1C.exe=>(Quarantine-2) | Infected with: Trojan.Clicker.Small.IS
C:\Program Files\Norton AntiVirus\Quarantine\664C7A1C.exe=>(Quarantine-2) | Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\664C7A1C.exe=>(Quarantine-2) | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\74A174B9.tmp=>(Quarantine-2) | Infected with: Trojan.Downloader.Ieax.A
C:\Program Files\Norton AntiVirus\Quarantine\74A174B9.tmp=>(Quarantine-2) | Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\74A174B9.tmp=>(Quarantine-2) | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\7FF27846.dll=>(Quarantine-2) | Infected with: Trojan.Peflog.30
C:\Program Files\Norton AntiVirus\Quarantine\7FF27846.dll=>(Quarantine-2) | Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\7FF27846.dll=>(Quarantine-2) | Deleted
C:\Program Files\Norton AntiVirus\Quarantine\7FF27846.exe=>(Quarantine-2) | Infected with: Trojan.Killav.EF
C:\Program Files\Norton AntiVirus\Quarantine\7FF27846.exe=>(Quarantine-2) | Disinfection failed
C:\Program Files\Norton AntiVirus\Quarantine\7FF27846.exe=>(Quarantine-2) | Deleted
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP151\A0023406.exe | Infected with: Trojan.Clicker.Small.IS
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP151\A0023406.exe | Disinfection failed
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP151\A0023406.exe | Deleted
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027034.dll=>(Quarantine-2) | Infected with: Trojan.Keylogger.30
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027034.dll=>(Quarantine-2) | Disinfection failed
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027034.dll=>(Quarantine-2) | Deleted
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027035.exe=>(Quarantine-2) | Infected with: Trojan.Killav.EF
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027035.exe=>(Quarantine-2) | Disinfection failed
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027035.exe=>(Quarantine-2) | Deleted
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027036.exe=>(Quarantine-2) | Infected with: Trojan.Downloader.Adload.J
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027036.exe=>(Quarantine-2) | Disinfection failed
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027036.exe=>(Quarantine-2) | Deleted
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027037.exe=>(Quarantine-2) | Infected with: Trojan.Clicker.Small.IS
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027037.exe=>(Quarantine-2) | Disinfection failed
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027037.exe=>(Quarantine-2) | Deleted
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027038.dll=>(Quarantine-2) | Infected with: Trojan.Peflog.30
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027038.dll=>(Quarantine-2) | Disinfection failed
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027038.dll=>(Quarantine-2) | Deleted
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027039.exe=>(Quarantine-2) | Infected with: Trojan.Killav.EF
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027039.exe=>(Quarantine-2) | Disinfection failed
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP175\A0027039.exe=>(Quarantine-2) | Deleted

LonnyRJones
2006-02-08, 17:02
Hi
Run HijackThis, click Config > Misc Tools > Open Process Manager and end this process:
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
Click Back, then Scan, and place a check next to this item:
O4 - HKLM\..\Run: [WinLiveUpdate] C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe
=======
Click Fix checked, close HijackThis.
Zip up and send me a copy of that file please, then Rename the file.
Send to submitlonny AT subratam.org
Replace AT and spaces with @ and include a link back to this thread.

arossphoto
2006-02-08, 17:24
Zip up and send me a copy of that file please, then Rename the file.
Send to submitlonny AT subratam.org
Replace AT and spaces with @ and include a link back to this thread.

Thanks very much for your response. I just want to confirm that when you say "that file" you mean this svchost file?:

C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe

Do you care what I rename it as?

Thanks again,

Andrew

LonnyRJones
2006-02-08, 17:29
Yes, the DAO\svchost.exe file. After sending, rename it to anything, for example Suspect.exe.
Are there any other odd files in that DAO folder?
Don't delete them.

Post a log from this online scan..
Kaspersky Lab - Free Online scan:
http://www.kaspersky.com/virusscanner
Click scan settings and place a check next to use [x] extended database etc etc. Click OK.
Then choose: My Computer: scan all your hard drives and mapped disks.
When finished, click "save as text" and post that in your reply.

arossphoto
2006-02-08, 18:05
I have emailed you the file. In the same directory there are also these 3 files: Dao350.dll, dao360.dll, Dao2535.tlb.

I can't run the online scanner you suggested. I keep getting the message that "Windows has blocked this software because it can't verify the publisher".

Andrew

LonnyRJones
2006-02-08, 18:23
Thanks, it is definitely a bad guy; those others, though, are not.

At the online scan, is this what you're seeing (see attachment)? If so, right-click and choose download file.

arossphoto
2006-02-08, 20:03
I had to add the Kaspersky site to "trusted sites" before I could download the files and run the scan. Here's the report which identifies that file as a problem. It's interesting that I also scanned it with Norton and it said there was no threat. I noticed some references to 007 spysoft, and I probably should have mentioned this earlier, but I did install the 007 keylogger to test due to some marital difficulties. :( I did some brief research and I thought it was safe, and I also thought it had been removed.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, February 08, 2006 1:54:38 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 8/02/2006
Kaspersky Anti-Virus database records: 175636
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
F:\

Scan Statistics:
Total number of scanned objects: 100827
Number of viruses found: 4
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 01:07:34

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Andrew Ross\My Documents\suspect.zip/suspect.exe Infected: not-a-virus:Monitor.Win32.007SpySoft.308 skipped
C:\Documents and Settings\Andrew Ross\My Documents\suspect.zip ZIP: infected - 1 skipped
C:\Program Files\Common Files\Microsoft Shared\DAO\suspect.exe Infected: not-a-virus:Monitor.Win32.007SpySoft.308 skipped
C:\Program Files\Common Files\Microsoft Shared\DAO\svchost.exe Infected: not-a-virus:Monitor.Win32.007SpySoft.308 skipped
C:\Program Files\Norton AntiVirus\Quarantine\00DA2C37.exe Infected: Trojan.Win32.KillAV.gf skipped
C:\Program Files\Norton AntiVirus\Quarantine\79CC519C Infected: Trojan-Clicker.Win32.Small.is skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP131\A0020917.exe Infected: Trojan.Win32.KillAV.gf skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP136\A0021557.exe Infected: not-a-virus:Monitor.Win32.Ardamax.23 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP137\A0021580.old Infected: not-a-virus:Monitor.Win32.007SpySoft.308 skipped

Scan process completed.

arossphoto
2006-02-08, 23:36
Any suggestions on what to do next?

Thanks,

Andrew

tashi
2006-02-09, 00:10
Hi.
Please be patient, forum helpers are volunteers. ;)

LonnyRJones
2006-02-09, 01:45
Hi

You mentioned installing 007 Spy then removing it; does that mean it was uninstalled via Windows Add/Remove Programs?

arossphoto
2006-02-09, 02:00
Hi

You mentioned installing 007 Spy then removing it; does that mean it was uninstalled via Windows Add/Remove Programs?

Sorry, but it was a couple months ago and I honestly don't remember. I'm not sure if it could be removed via windows add/remove because it was a hidden program. I thought I had to delete the files manually, but like I said I don't really remember. I wish I could tell you more and I really regret installing that crap.

LonnyRJones
2006-02-09, 02:05
Are you still having problems with SpyBot ? If so do you remember where you downloaded 007 spy from ?

arossphoto
2006-02-09, 18:14
I feel like a bit of an idiot, but it turns out that I didn't uninstall 007 after all. I had only deactivated it so it wasn't logging keystrokes anymore, but I think it was still running in stealth mode and, because it was completely hidden, I had just forgotten about it.

Once I figured out how to bring it out of stealth mode and logged back in I noticed an option to block anti-spyware programs like Spybot. I have now uninstalled 007 using the uninstall feature in the program. I can now run Spybot and Ad-aware and they didn't find any problems, but the svchost file is still there and a Kaspersky scan still indicates this file might be a risk.

Do you think it is safe to remove it, now that we know what it is?

Thanks again for all your help.

Andrew

LonnyRJones
2006-02-09, 18:31
Yes it should be safe to delete that file.

For any others that might have the same problem:

To completely remove this program from your system:
Load 007 Spy and make its main interface visible.
If in stealth mode, press Ctrl + Alt + Shift and F7.
Uncheck "block anti-spyware".
Click the Settings menu on its left-hand panel.
Click the Advanced Option button; the Advanced Option window appears.
Click the button labeled "Uninstall 007 Spy Software" on the bottom left.
Click Yes in the Uninstall Message Box.

Regards
Lonny

tashi
2006-02-13, 18:36
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a pm and provide a link to the topic.

Glad we could help, thank you Lonny.