In need of help with CmdSrvce and Pop-Ups



Bucket
2006-08-23, 20:50
Hi There,

I have been having trouble with the above issues. Spybot can't seem to fully remove the CmdSrvce files due to "memory usage" issues, even after I reboot. I also tried AdAware without success. Additionally, I have been having difficulties with Popups and have isolated the following files, which I believe to be responsible:

Dfndrff_12
Kybrdff_12

Unfortunately, I cannot delete these two as access is denied. The same goes for a pesky "deskbar" program that has rooted itself on my drive, though I believe that I have disabled that one. In any case, here is the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:33:28 PM, on 8/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
C:\DOCUME~1\GEORGE~1\APPLIC~1\ICROSO~1.NET\arpa.exe
C:\PROGRA~1\COMMON~1\qfro\qfrom.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\SYSTEM32\T?sks\m?dtc.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\qfro\qfroa.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ruui] "C:\DOCUME~1\GEORGE~1\APPLIC~1\ICROSO~1.NET\arpa.exe" -vt yazr
O4 - HKCU\..\Run: [qfro] C:\PROGRA~1\COMMON~1\qfro\qfrom.exe
O4 - HKCU\..\Run: [Fnqfd] C:\WINDOWS\SYSTEM32\T?sks\m?dtc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\enr6l19s1.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Any help that you could provide would be greatly appreciated. I've reached the end of my expertise in this area and don't know where else to turn. Thanks, B.

pskelley
2006-08-24, 22:26
Welcome to the forum. Do you still need help? If you do, let's do this.

1) Start > Control Panel > Add/Remove Programs and uninstall: PuritySCAN By OIN, OIN or OuterInfo. While you are there, uninstall any other programs you know do not belong there. If you are unsure, let me know and I will look.
If you do not find any of that stuff there, then download and run this uninstaller: http://www.outerinfo.com/howto.html

2) Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen, check that Task Scheduler is running.
If it isn't, you can use sc.exe to start it:

Start > Run, type sc start schedule, and press Enter.

Make sure the computer is restarted and post those two bolded logs above along with any comments you think will help.

Thanks...pskelley
Safer Networking Forums

Bucket
2006-08-25, 04:32
Hi Pskelley,

Thanks for coming to my aid and giving me so much of your time. I sincerely appreciate it.

Let me give you a step-by-step account of my progress...

1) Removed a program called "searchbar" that I have removed a few times recently. It always seems to reinstall itself. Did not find PuritySCAN or any of its other forms so I ran the uninstaller.

2) I ran the Look2Me-Destroyer and it produced this log:

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 8/24/2006 9:47:23 PM

Infected! C:\WINDOWS\system32\h0j4la1q1d.dll
Infected! C:\WINDOWS\SYSTEM32\mbw3prt.dll
Infected! C:\WINDOWS\SYSTEM32\reutetab.dll
Infected! C:\WINDOWS\SYSTEM32\enlql1351.dll
Infected! C:\WINDOWS\SYSTEM32\p04u0ah9ed4.dll
Infected! C:\WINDOWS\SYSTEM32\lv8o09l3e.dll
Infected! C:\WINDOWS\SYSTEM32\g040lahm1d4a.dll
Infected! C:\WINDOWS\SYSTEM32\gplsl3371.dll
Infected! C:\WINDOWS\SYSTEM32\i4060edseh060.dll
Infected! C:\WINDOWS\SYSTEM32\h0j4la1q1d.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0053015.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0053016.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0054326.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0054333.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0054334.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0055337.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055340.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055345.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055351.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055354.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055359.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0056357.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057357.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057363.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057368.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057373.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057378.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057383.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057386.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058397.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058398.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058409.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058416.dll
Infected! C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058417.dll
Infected! C:\WINDOWS\System32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\h0j4la1q1d.dll
C:\WINDOWS\system32\h0j4la1q1d.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\mbw3prt.dll
C:\WINDOWS\SYSTEM32\mbw3prt.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\reutetab.dll
C:\WINDOWS\SYSTEM32\reutetab.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\enlql1351.dll
C:\WINDOWS\SYSTEM32\enlql1351.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\p04u0ah9ed4.dll
C:\WINDOWS\SYSTEM32\p04u0ah9ed4.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\lv8o09l3e.dll
C:\WINDOWS\SYSTEM32\lv8o09l3e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\g040lahm1d4a.dll
C:\WINDOWS\SYSTEM32\g040lahm1d4a.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\gplsl3371.dll
C:\WINDOWS\SYSTEM32\gplsl3371.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\i4060edseh060.dll
C:\WINDOWS\SYSTEM32\i4060edseh060.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\h0j4la1q1d.dll
C:\WINDOWS\SYSTEM32\h0j4la1q1d.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0053015.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0053015.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0053016.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0053016.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0054326.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0054326.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0054333.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0054333.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0054334.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0054334.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0055337.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0055337.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055340.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055340.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055345.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055345.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055351.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055351.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055354.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055354.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055359.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0055359.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0056357.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0056357.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057357.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057357.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057363.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057363.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057368.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057368.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057373.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057373.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057378.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057378.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057383.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057383.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057386.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP340\A0057386.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058397.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058397.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058398.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058398.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058409.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058409.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058416.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058416.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058417.dll
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058417.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\System32\guard.tmp
C:\WINDOWS\System32\guard.tmp Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WebCheck

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{B8E575B9-8D7B-4856-86B2-EDEBD938C7E9}"
HKCR\Clsid\{B8E575B9-8D7B-4856-86B2-EDEBD938C7E9}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5E9030C0-E7CA-4B23-8881-84AD19A91C84}"
HKCR\Clsid\{5E9030C0-E7CA-4B23-8881-84AD19A91C84}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

------

I still have the ominous looking Dfndrff_12 and Kybrdff_12 files on my C drive. Also, Symantec is telling me that it has detected a "trojan horse" virus that it cannot eradicate as "access is denied". I am still experiencing pop-up bursts from "sfondi", "Targeted ad" etc, though I don't think they're quite as severe as before. Here is the Hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 10:30:58 PM, on 8/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\qfro\qfrom.exe
C:\PROGRA~1\COMMON~1\qfro\qfroa.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [qfro] C:\PROGRA~1\COMMON~1\qfro\qfrom.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Thanks again, pskelley. I await further instructions from you.

Bucket.

pskelley
2006-08-25, 13:26
Thanks for your feedback. It looks like you were successful at removing Look2me; we will go after the rest of the junk now.

First these: Dfndrff_12, Kybrdff_12. I do not see them in your log, and they are usually there when present. Delete both of those; do it in safe mode if you have to.

Also, Symantec is telling me that it has detected a "trojan horse" virus
I need to know what Symantec calls this trojan and where it says it is located, the complete pathway.


I am still experiencing pop-up bursts from "sfondi", "Targeted ad" etc, though I don't think they're quite as severe as before. Here is the Hijackthis log...
We are probably going to find this is the trojan. Look2me is a popup maker and removing it will have slowed them down some. Webhancer may also be a problem. Let's see how we are doing when we complete these instructions.
C:\PROGRA~1\COMMON~1\qfro\qfrom.exe << probably a trojan

This item: C:\PROGRA~1\COMMON~1\qfro\qfrom.exe (C:\Program Files\ ) is running on your computer; I cannot identify it from here. Do you know what it is? If not, then use these free online scans to find out if it is bad. I will schedule removal; you should remove it only if the scans come back bad.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKCU\..\Run: [qfro] C:\PROGRA~1\COMMON~1\qfro\qfrom.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\PROGRA~1\COMMON~1\qfro\ <<< delete that folder
C:\Program Files\webHancer\ <<< delete that folder

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log and your comments.

Since you had some nasty stuff, I would like to run ewido to make sure nothing is hiding, follow these directions.

ewido scan: Delete anything ewido locates unless you know it is not bad.
First download ewido anti-spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
This is a 30 day trial of the program
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close ewido anti-spyware. Do Not run a scan just yet; we will shortly.
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
Launch ewido anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
ewido will now begin the scanning process; be patient, this may take a little time.
Once the scan is complete, do the following:
If you have any infections you will be prompted; then select "Apply all actions".
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close ewido and reboot your system back into Normal Mode and post the results of the ewido scan report.


Post the ewido scan report as soon as you have it.

Thanks...Phil
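
As an added illustration of the triage pskelley is doing by eye on the HijackThis logs in this thread, here is a small Python script written for this page (it is not a tool from the thread, from HijackThis, or from Safer Networking). It applies a few defender-side heuristics to a handful of lines excerpted from the log above: characters in a path that are not plain ASCII (the T?sks\m?dtc.exe entries, where the forum rendered a non-ASCII character as "?"), executables autostarting from a user profile directory, random-looking file names like the Winlogon Notify DLL, Winlogon Notify handlers in general, ActiveX downloads (O16), and any autostart item whose path names no recognised vendor, which is the "submit it to an online scanner" step in the post. The vendor allowlist, the randomness threshold and the excerpted sample are constructed assumptions for the example, not anything the thread specifies.

```python
import re

# Constructed sample: a handful of lines excerpted from the HijackThis log
# posted earlier in this thread. The "?" in T?sks\m?dtc.exe is how the forum
# rendered a non-ASCII character that makes the name resemble Tasks\msdtc.exe.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\DOCUME~1\GEORGE~1\APPLIC~1\ICROSO~1.NET\arpa.exe
C:\WINDOWS\SYSTEM32\T?sks\m?dtc.exe
C:\Program Files\iTunes\iTunesHelper.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Ruui] "C:\DOCUME~1\GEORGE~1\APPLIC~1\ICROSO~1.NET\arpa.exe" -vt yazr
O4 - HKCU\..\Run: [qfro] C:\PROGRA~1\COMMON~1\qfro\qfrom.exe
O4 - HKCU\..\Run: [Fnqfd] C:\WINDOWS\SYSTEM32\T?sks\m?dtc.exe
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\enr6l19s1.dll
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Hypothetical, deliberately short allowlist of vendor names the analyst
# recognises; anything autostarting outside these gets sent to an online scanner.
KNOWN_VENDORS = ("symantec", "itunes", "quicktime", "google", "msn messenger",
                 "microsoft office", "cisco", "winzip", "adobe", "sony")

QUOTED_PATH = re.compile(r'"([A-Za-z]:\\[^"]+)"')
BARE_PATH = re.compile(r'[A-Za-z]:\\.+?\.(?:exe|dll|ocx|cab|sys)\b', re.I)
USER_PROFILE = re.compile(r'\\(?:DOCUME~1|Documents and Settings)\\', re.I)
ENTRY = re.compile(r'^(O\d+) - ')


def find_path(line):
    """Return the Windows path named on a HijackThis line, or None."""
    line = line.strip()
    if re.match(r'^[A-Za-z]:\\', line):      # "Running processes" section
        return line
    m = QUOTED_PATH.search(line)
    if m:
        return m.group(1)
    m = BARE_PATH.search(line)
    return m.group(0) if m else None


def looks_random(filename):
    """True when letters and digits alternate at least three times in the
    file's stem (enr6l19s1.dll); versioned names like ycomp5_5_7_0.dll do not."""
    stem = filename.rsplit(".", 1)[0]
    switches = 0
    for a, b in zip(stem, stem[1:]):
        if a.isalnum() and b.isalnum() and a.isdigit() != b.isdigit():
            switches += 1
    return switches >= 3


def triage(log_text):
    """Return the log lines an analyst should look at, each with its reasons."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        kind = m.group(1) if m else None       # e.g. "O4"; None for processes
        reasons = []
        if kind == "O16":                      # ActiveX download, no local path
            url = re.search(r'https?://\S+', line)
            reasons.append("ActiveX control installed from %s; confirm it is wanted"
                           % (url.group(0) if url else "an unknown URL"))
            findings.append({"line": line, "path": None, "reasons": reasons})
            continue
        path = find_path(line)
        if path is None:
            continue
        if "?" in path or any(ord(c) > 127 for c in path):
            reasons.append("non-ASCII or unprintable character in path "
                           "(look-alike directory or file name)")
        if USER_PROFILE.search(path):
            reasons.append("executable lives in a user profile directory")
        if looks_random(path.rsplit("\\", 1)[-1]):
            reasons.append("random-looking file name")
        if kind == "O20":
            reasons.append("Winlogon Notify handler: loads into winlogon.exe")
        if kind in ("O4", "O20", "O23") and not any(v in path.lower() for v in KNOWN_VENDORS):
            reasons.append("autostart item from an unrecognised vendor; "
                           "submit the file to an online scanner")
        if reasons:
            findings.append({"line": line, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

Run against the excerpt, the script flags both arpa.exe entries, both T?sks\m?dtc.exe entries, the qfrom.exe Run key, the O16 download and the O20 DLL, and leaves winlogon.exe, iTunesHelper.exe, ccApp.exe and the Symantec service alone. The heuristics are only a first pass: the allowlist needs to be maintained per machine, and an item like qfrom.exe is flagged purely because nothing recognises it, which is exactly why the post sends it to the online scanners before deleting.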

Bucket
2006-08-25, 20:09
Hi Phil,

First, I want to mention that I did a couple of scans. I scanned, and then deleted, the questionable qfrom.exe file after it produced this report:

Scanned file: qfrom.exe - Infected

qfrom.exe - infected by Trojan-Downloader.Win32.TSUpdate.n

Statistics:
Known viruses: 218338 Updated: 25-08-2006
File size (Kb): 9 Virus bodies: 1
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

I also deleted the following file from the folder:

Scanned file: qfroa.exe - Infected

qfroa.exe - infected by Trojan-Downloader.Win32.TSUpdate.l


Statistics:
Known viruses: 218338 Updated: 25-08-2006
File size (Kb): 17 Virus bodies: 1
Files: 1 Warnings: 0
Archives: 0 Suspicious: 0

I did not, however, find the webhancer folder in the Program Files folder, despite the presence of its "O4 line" in the Hijackthis scan. I did a search for the term and it revealed no results on the computer.

I also updated Symantec and did a fresh scan that revealed no viruses (this was done prior to carrying out your most recent instructions). This was kind of odd considering the msgs it has been giving me recently. Also, I somehow neglected to mention the following msg that a Symantec bubble delivered to me earlier this week:

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Bloodhound.Exploit.6
File: C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\MLANY7M1\t-6779[1].html
Location: C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\MLANY7M1
Computer: SARA-CXDL3MCV8A
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Tuesday, August 22, 2006 10:18:41 PM

Please forgive the omission. I must have saved the text and then forgotten about it.

Here is the most recent Hijackthis Log:

Logfile of HijackThis v1.99.1
Scan saved at 1:55:40 PM, on 8/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.711.1664\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\System32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

I'm off to run the ewido program. I will post the results of that when I have them. Thanks again, Phil. You've really done me a good turn with all of this!

pskelley
2006-08-25, 20:47
You are sure welcome :laugh: Those thanks are what I work for. I appreciate the feedback also. Let me report that the HJT log is clean. After I get a look at the ewido scan results we will know more about how to proceed.

Thanks...Phil

Bucket
2006-08-25, 22:01
Hi Phil,

Alright, it took a little while for the Ewido scan to do its thing. The log follows below...

I'm going to have to be away from the computer for the remainder of the afternoon, but I will pick up your instructions when I return this evening. Thanks, as always. B. :)

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:29:53 PM 8/25/2006

+ Scan result:



C:\_RESTORE\ARCHIVE\FS30.CAB/A0004881.CPY -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS30.CAB/A0004882.CPY -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS30.CAB/A0004884.CPY -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temp\drsmartload180a.exe -> Adware.DollarRevenue : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058423.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058424.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058425.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058426.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058427.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058428.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058429.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058430.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\guard.tmp_tobedeleted -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\FOUND.007\FILE0003.CHK -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\FOUND.007\FILE0006.CHK -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0051841.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0051842.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052828.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052862.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\SET15B.tmp -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\SET15C.tmp -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS71.CAB/A0023580.CPY -> Adware.MediaPops : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0053000.exe -> Adware.MediaTickets : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temp\NNBar_VCSetup_876075.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temp\mitE8.tmp.cab/NNBar_VCSetup_876075.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temp\mitE8.tmp/NNBar_VCSetup_876075.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\WinNB58.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS294.CAB/A0047422.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS295.CAB/W0136065.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS353.CAB/A0060582.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS354.CAB/W0225622.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS395.CAB/A0067950.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS436.CAB/A0085432.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS440.CAB/A0085626.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS51.CAB/W0034016.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS51.CAB/W0034017.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS559.CAB/A0098910.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS560.CAB/W0442423.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS583.CAB/A0104274.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS584.CAB/W0457873.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS615.CAB/A0105611.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS65.CAB/A0023400.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS66.CAB/W0036885.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\_RESTORE\TEMP\A0071964.CPY -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058404.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\MirarSetup_876075.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS301.CAB/A0047671.CPY/Save.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS301.CAB/A0047671.CPY/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS301.CAB/A0047675.CPY -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS437.CAB/A0085497.CPY/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS437.CAB/A0085504.CPY -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS437.CAB/A0085505.CPY -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS437.CAB/A0085508.CPY/Save.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS437.CAB/A0085508.CPY/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS437.CAB/A0085509.CPY/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temp\iFA.tmp -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0054052.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052835.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052836.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052837.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052878.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052880.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052885.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\WINDOWS\webhdll.dll_tobedeleted -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052874.exe -> Downloader.Adload.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052875.exe -> Downloader.Adload.eo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052871.exe -> Downloader.Adload.ep : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052872.exe -> Downloader.Adload.ep : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052873.exe -> Downloader.Adload.ep : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0059479.exe -> Downloader.Adload.es : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052847.exe -> Downloader.Adload.et : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0054030.exe -> Downloader.Adload.eu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0054044.exe -> Downloader.Adload.eu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0059477.exe -> Downloader.Adload.eu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052859.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052861.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temp\!update.exe -> Downloader.PurityScan.da : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP341\A0058406.exe -> Downloader.PurityScan.da : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS67.CAB/A0023468.CPY -> Downloader.Realtens.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052850.exe -> Downloader.Realtens.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052855.exe -> Downloader.Realtens.h : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0051840.exe -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP342\A0060516.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP342\A0060519.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP342\A0060514.exe -> Downloader.TSUpdate.n : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP342\A0060512.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temp\pre.exe -> Downloader.VB.kq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0052844.exe -> Dropper.VB.nn : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temporary Internet Files\Content.IE5\CHIJGLIJ\popup[1].htm -> Hijacker.Agent.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0054029.dll -> Hijacker.Agent.ac : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{1B6F774F-02BB-4023-A796-6908A35421E4}\RP339\A0054058.dll -> Hijacker.Agent.ac : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\vbsys2.dll -> Hijacker.Agent.ac : Cleaned with backup (quarantined).
C:\vbsys2.dll -> Hijacker.Agent.ac : Cleaned with backup (quarantined).
C:\Program Files\Outlook Express\pomy.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\Windows Media Player\rypehedo.html -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temporary Internet Files\Content.IE5\8XI1W3WH\send_car_int[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temporary Internet Files\Content.IE5\8XI1W3WH\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temporary Internet Files\Content.IE5\CHIJGLIJ\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temporary Internet Files\Content.IE5\OXAVS52F\send_car_int[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temporary Internet Files\Content.IE5\WPYRO5QZ\send_ocx_sof[1].htm -> Not-A-Virus.Exploit.HTML.CodeBaseExec : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temp\Cookies\tom smith@112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temp\Cookies\tom smith@tsn.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temp\Cookies\tom smith@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temp\Cookies\tom smith@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Cookies\tom smith@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Cookies\tom smith@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temp\Cookies\tom smith@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Cookies\tom smith@targetnet[2].txt -> TrackingCookie.Targetnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Tom smith\Local Settings\Temp\Cookies\tom smith@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\_RESTORE\ARCHIVE\FS30.CAB/A0004912.CPY -> Trojan.Krepper.y : Cleaned with backup (quarantined).


::Report end

pskelley
2006-08-25, 22:31
Thanks for returning the information. These items: C:\System Volume Information\_restore are your System Restore; we will clean that shortly. But these items:
C:\_RESTORE\ARCHIVE\ I do not identify, and I am assuming they are Symantec AntiVirus. You need to locate that folder and delete the contents.
Here are the instructions for the Norton recycle bin and they may be the same:
http://service1.symantec.com/support/nsw.nsf/ba62122e5d142a6588256d87006b22be/831aa5c6ef0d750685256c370048ad89?OpenDocument&src=bar_sch_nam

After a couple of days, you want to open the quarantine folder in the ewido program and delete the contents of it also. Let me give you closing information now, you can review the information and let me know how the computer is running. If all is well I will ask tashi to close the topic.
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot, then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
___________________________________________________________
I forgot to mention, if at this point you are still finding the command.exe items with Spybot, then follow these directions:
Please download and unzip Ren-cmdservice to your Desktop.
It will only work correctly if the folder is placed on your Desktop and extracted!!

http://downloads.subratam.org/Lon/ren-cmdservice.zip

Open the ren-cmdservice folder by double-clicking it and then double-click the
ren-cmdservice.bat file to run the program.
A text file will open when it is finished; post it please.
Then restart the PC, run Spybot, and check for and fix any problems found.

Thanks...Phil
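As an added illustration (not part of this thread or of ewido), a small Python parser for report lines in the form shown above that sorts hits by where they live, the triage Phil does by hand: System Restore snapshots (cleared by the System Restore off/on toggle), the C:\_RESTORE\ARCHIVE\ folder, registry keys, tracking cookies, and live files that need a closer look. The sample lines are constructed for the example and the restore-point GUID is a placeholder.

```python
import re
from collections import defaultdict

# One ewido result line looks like:
#   <path> -> <detection name> : <action taken>.
# The path may contain a drive colon and "/" for entries inside archives,
# so the path is matched lazily up to the first " -> ".
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+?)\.?$")


def classify(path: str) -> str:
    """Map a reported path to the location class a helper would triage it by."""
    p = path.lower()
    if p.startswith("hklm\\") or p.startswith("hkcu\\"):
        return "registry"            # needs a registry cleanup, not a file delete
    if "\\system volume information\\_restore" in p:
        return "system_restore"      # cleared by turning System Restore off and on
    if "\\_restore\\archive\\" in p or "\\_restore\\temp\\" in p:
        return "restore_archive"     # the C:\_RESTORE\ARCHIVE\ folder from the thread
    if "\\cookies\\" in p and p.endswith(".txt"):
        return "tracking_cookie"     # low risk, already quarantined
    return "live"                    # on the running system: look at these first


def parse_report(text: str) -> list:
    """Return one dict per result line; header, blank and footer lines are skipped."""
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path").strip()
        hits.append({
            "path": path,
            "detection": m.group("detection").strip(),
            "action": m.group("action").strip(),
            "location": classify(path),
        })
    return hits


def summarize(hits: list) -> dict:
    """Group hits by location class so the live items stand out."""
    grouped = defaultdict(list)
    for h in hits:
        grouped[h["location"]].append(h)
    return dict(grouped)


# Constructed sample in the ewido report format; GUID is a placeholder.
SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Scan result:

C:\_RESTORE\ARCHIVE\FS30.CAB/A0004881.CPY -> Adware.BrilliantDigital : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP341\A0058423.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\vbsys2.dll -> Hijacker.Agent.ac : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Documents and Settings\user\Cookies\user@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).

::Report end
"""

if __name__ == "__main__":
    for location, items in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{location}: {len(items)}")
        for h in items:
            print(f"    {h['detection']:<28} {h['path']}")
```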

Bucket
2006-08-26, 07:25
Hi Phil,

The first Symantec link doesn't seem to work. Still, I found the folder in the C drive but the specific files are absent (quarantined?). I did a search, but that didn't reveal anything.

On the positive side, the computer is running much more smoothly and we haven't had any pop-up incidents since the last set of fixes was applied. I will have to peruse the links you've provided to see how we can better protect this system. I think that we've left ourselves woefully susceptible to invasion up to now.

Thanks again. I really can't thank you enough for all of this. I hope you know just how valuable this service is.

-B.

pskelley
2006-08-26, 12:09
Good morning. I am so sorry, I did not copy the complete link. I have edited the information and the link should now work, in case it helps in the future. I am glad to hear your computer is running better.

Safe surfing...tashi :) will close your topic in a few days.

Thanks...Phil

tashi
2006-08-31, 06:03
Bucket, as the problem appears to be resolved, this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Cheers. :bigthumb: