PDA

View Full Version : Pipas A



Paul Rawlings
2006-09-02, 18:50
Spy Bot keeps locating Pipas A trojan on my PC it says that it has been removed but it keeps coming back. Help please would be appreciated.

I followed the before you post instructions but I could not carry out a scan in safe mode. It comes up with an error message saying no disk in drive

Below are the result of the online scan and HJT


Incident Status Location

Adware:adware/winprotect Not disinfected g:\windows\help\SPAlert.chm
Adware:adware/cws Not disinfected G:\Documents and Settings\Paul & Lynn\Favorites\Spyware Uninstall
Adware:adware/sbsoft Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected G:\Documents and Settings\Paul & Lynn\Cookies\paul &
Spyware:Cookie/Overture Not disinfected G:\Documents and Settings\Paul & Lynn\Cookies\paul &
Spyware:Cookie/QuestionMarket Not disinfected G:\Documents and Settings\Paul & Lynn\Cookies\paul &

Logfile of HijackThis v1.99.1
Scan saved at 15:39:55, on 02/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\csrss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Common Files\Symantec Shared\ccProxy.exe
G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Program Files\Microsoft IntelliType Pro\type32.exe
G:\Program Files\Microsoft Hardware\Mouse\point32.exe
G:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
G:\Program Files\btbb_wcm\McciTrayApp.exe
G:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
G:\PROGRA~1\Yahoo!\YOP\yop.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
H:\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
G:\Program Files\Messenger\msmsgs.exe
G:\PROGRA~1\Yahoo!\browser\ycommon.exe
G:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
G:\Program Files\BT Home Hub\Help\bin\mpbtn.exe
G:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
G:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
G:\Program Files\Yahoo!\NAV\navapsvc.exe
G:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
G:\PROGRA~1\Yahoo!\YOP\secstat.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\system32\wdfmgr.exe
G:\Program Files\Yahoo!\browser\ybrowser.exe
G:\WINDOWS\System32\alg.exe
G:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\wuauclt.exe
G:\WINDOWS\system32\wbem\wmiprvse.exe
G:\Documents and Settings\Paul & Lynn\Desktop\Highjack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - G:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - G:\Program Files\Yahoo!\NAV\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "G:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe G:\WINDOWS\system32\wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [Motive SmartBridge] G:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] G:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] G:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] G:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6400] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [NavRegReminder] "G:\WINDOWS\temp\NavBrowser.exe" /r /i "G:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\RunServices: [DJSNetCN] G:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] H:\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = G:\Program Files\BT Home Hub\Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155391918109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{18A6EAC3-B0B9-4D73-B010-79533893A3C2}: NameServer = 85.255.116.85,85.255.112.147
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - G:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - G:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: LiveUpdate - Symantec Corporation - G:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - G:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - G:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - G:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - G:\WINDOWS\system32\YPCSER~1.EXE

illukka
2006-09-02, 22:38
hi


download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe


First, make sure you are connected to the internet. Fixwareout requires the connection in order to download a program it uses (Brute Force Uninstaller).
Double click the program icon on your desktop. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.
Once the desktop loads save the text file that will open (report.txt) to your desktop.

post the contents of that file, along with a fresh hijackthis log here

good luck

Paul Rawlings
2006-09-03, 10:14
Hi

Great to have your help.

I have done as you suggested and the log file after running fixit is below

Please excuse my terminology, I am new to using a forum.

Thanks again for helping

Paul


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DCF21E065A16-3B1A-F754-A9DD-B8E5C2B5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\lblmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmlbl.exe"=-
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...
* csr.exe G:\WINDOWS\System32\CSFHN.EXE

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
G:\WINDOWS\SYSTEM32\CSFHN.EXE 51,205 2006-08-23
G:\WINDOWS\SYSTEM32\DMLBL.EXE 62,008 2004-08-04

Other suspects.
Directory of G:\WINDOWS\system32
{30E6E791-6508-42FA-9438-2D200436557E}.exe

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.

Paul Rawlings
2006-09-03, 12:11
OOps I said was new I forgot to copy and paste the new hijack this file so here it is now

Paul

Logfile of HijackThis v1.99.1
Scan saved at 09:59:13, on 03/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Common Files\Symantec Shared\ccProxy.exe
G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
G:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
G:\Program Files\Yahoo!\NAV\navapsvc.exe
G:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Program Files\Microsoft IntelliType Pro\type32.exe
G:\Program Files\Microsoft Hardware\Mouse\point32.exe
G:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\btbb_wcm\McciTrayApp.exe
G:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
G:\PROGRA~1\Yahoo!\YOP\yop.exe
G:\PROGRA~1\Yahoo!\browser\ycommon.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
H:\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
G:\Program Files\Messenger\msmsgs.exe
G:\PROGRA~1\Yahoo!\YOP\secstat.exe
G:\Program Files\BT Home Hub\Help\bin\mpbtn.exe
G:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
G:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
G:\Program Files\Yahoo!\browser\ybrowser.exe
G:\Documents and Settings\Paul & Lynn\Desktop\Highjack this .exe\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - G:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - G:\Program Files\Yahoo!\NAV\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "G:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe G:\WINDOWS\system32\wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [Motive SmartBridge] G:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] G:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] G:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] G:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6400] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [NavRegReminder] "G:\WINDOWS\temp\NavBrowser.exe" /r /i "G:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\RunServices: [DJSNetCN] G:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] H:\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = G:\Program Files\BT Home Hub\Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155391918109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{18A6EAC3-B0B9-4D73-B010-79533893A3C2}: NameServer = 85.255.116.85,85.255.112.147
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - G:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - G:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: LiveUpdate - Symantec Corporation - G:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - G:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - G:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - G:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - G:\WINDOWS\system32\YPCSER~1.EXE

Paul Rawlings
2006-09-03, 20:32
I am really am not sure if I have got the hang of replying on this forum so please ignore this if it is a duplication of the reply I posted earlier

Paul


OOps I said I was new I forgot to copy and paste the new hijack this file so here it is now

Paul

Logfile of HijackThis v1.99.1
Scan saved at 09:59:13, on 03/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Common Files\Symantec Shared\ccProxy.exe
G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
G:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
G:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
G:\Program Files\Yahoo!\NAV\navapsvc.exe
G:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Program Files\Microsoft IntelliType Pro\type32.exe
G:\Program Files\Microsoft Hardware\Mouse\point32.exe
G:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\btbb_wcm\McciTrayApp.exe
G:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
G:\PROGRA~1\Yahoo!\YOP\yop.exe
G:\PROGRA~1\Yahoo!\browser\ycommon.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
H:\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
G:\Program Files\Messenger\msmsgs.exe
G:\PROGRA~1\Yahoo!\YOP\secstat.exe
G:\Program Files\BT Home Hub\Help\bin\mpbtn.exe
G:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
G:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
G:\Program Files\Yahoo!\browser\ybrowser.exe
G:\Documents and Settings\Paul & Lynn\Desktop\Highjack this .exe\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - G:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - G:\Program Files\Yahoo!\NAV\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "G:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe G:\WINDOWS\system32\wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [Motive SmartBridge] G:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] G:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] G:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] G:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6400] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [NavRegReminder] "G:\WINDOWS\temp\NavBrowser.exe" /r /i "G:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\RunServices: [DJSNetCN] G:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] H:\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = G:\Program Files\BT Home Hub\Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155391918109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{18A6EAC3-B0B9-4D73-B010-79533893A3C2}: NameServer = 85.255.116.85,85.255.112.147
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - G:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - G:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: LiveUpdate - Symantec Corporation - G:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - G:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - G:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - G:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - G:\WINDOWS\system32\YPCSER~1.EXE

illukka
2006-09-03, 21:42
hi

good work there

First download ewido anti-spyware from HERE (http://www.ewido.net/en/download/) and save that file to your desktop.
Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete you will need to run ewido and update the definition files.
On the main screen select the "Update" icon then click "Start Update". The update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Un-Select "Only if threats were found"

Close ewido anti-spyware


next, open hiajckthis, click do a system scan only
checkmark these entries:
O17 - HKLM\System\CCS\Services\Tcpip\..\{18A6EAC3-B0B9-4D73-B010-79533893A3C2}: NameServer = 85.255.116.85,85.255.112.147
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.85 85.255.112.147

then close all other windows and programs except for hiajckthis, including the one you're viewing now, and click fix checked

next: reboot your computer into Safe Mode (http://www.bleepingcomputer.com/forums/index.php?showtutorial=61).
Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan"
Ewido will now begin the scanning process, be patient this may take a little time.
Ewido will list any infections found on the left hand side. When the scan has finished, it should automatically set the recommended action to Quarantine--if not click on Recommended Action and set it there. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close ewido.


reboot back to normal mode, do another scan with hiajckthis, post its log here, also post the contents of the ewido report
NOTE: the ewido report may be large, to include everything in it use several posts if necessary

good luck

Paul Rawlings
2006-09-03, 23:07
Hi

Thanks again for helping.

I have done as you asked and will copy the hijack this file first and then the ewido log.

Logfile of HijackThis v1.99.1
Scan saved at 21:02:00, on 03/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
G:\WINDOWS\System32\smss.exe
G:\WINDOWS\system32\winlogon.exe
G:\WINDOWS\system32\services.exe
G:\WINDOWS\system32\lsass.exe
G:\WINDOWS\system32\svchost.exe
G:\WINDOWS\System32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
G:\WINDOWS\Explorer.EXE
G:\Program Files\Common Files\Symantec Shared\ccProxy.exe
G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
G:\WINDOWS\system32\spoolsv.exe
G:\WINDOWS\SOUNDMAN.EXE
G:\WINDOWS\system32\RUNDLL32.EXE
G:\Program Files\Microsoft IntelliType Pro\type32.exe
G:\Program Files\Microsoft Hardware\Mouse\point32.exe
G:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
G:\Program Files\btbb_wcm\McciTrayApp.exe
G:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
G:\PROGRA~1\Yahoo!\YOP\yop.exe
G:\Program Files\Common Files\Symantec Shared\ccApp.exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
G:\Program Files\ewido anti-spyware 4.0\ewido.exe
H:\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
G:\Program Files\Messenger\msmsgs.exe
G:\PROGRA~1\Yahoo!\browser\ycommon.exe
G:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
G:\Program Files\BT Home Hub\Help\bin\mpbtn.exe
G:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
G:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
G:\Program Files\ewido anti-spyware 4.0\guard.exe
G:\Program Files\Yahoo!\NAV\navapsvc.exe
G:\PROGRA~1\Yahoo!\YOP\secstat.exe
G:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
G:\WINDOWS\system32\nvsvc32.exe
G:\WINDOWS\system32\svchost.exe
G:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
G:\WINDOWS\System32\svchost.exe
G:\WINDOWS\system32\wuauclt.exe
G:\Documents and Settings\Paul & Lynn\Desktop\Highjack this .exe\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - H:\SPYBOT~1\SDHelper.dll
O2 - BHO: Norton Personal Firewall - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - G:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - G:\Program Files\Yahoo!\NAV\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - G:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE G:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE G:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "G:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe G:\WINDOWS\system32\wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [Motive SmartBridge] G:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] G:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] G:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] G:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "G:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX6400] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX6400" /O6 "USB001" /M "Stylus CX6400"
O4 - HKLM\..\Run: [NavRegReminder] "G:\WINDOWS\temp\NavBrowser.exe" /r /i "G:\WINDOWS\temp\NavLoad.ini"
O4 - HKLM\..\Run: [!ewido] "G:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [DJSNetCN] G:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] H:\Ahead\NEROPH~2\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "G:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = G:\Program Files\BT Home Hub\Help\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - H:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - G:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - G:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155391918109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.games.yahoo.com/zylom/activex/zylomloader.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - G:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - G:\Program Files\Yahoo!\NPF\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Licensing Detect Internet Connection (DJSNETCN) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - G:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LiveUpdate - Symantec Corporation - G:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - G:\Program Files\Yahoo!\NAV\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - G:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: WinFast(R) Display Driver Service (NVSvc) - NVIDIA Corporation - G:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - G:\Program Files\Yahoo!\NAV\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - G:\WINDOWS\system32\YPCSER~1.EXE

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 20:57:39 03/09/2006

+ Scan result:



HKLM\SOFTWARE\Classes\Media-Codec.Chl -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\Media-Codec.Chl\CLSID -> Adware.Generic : Cleaned with backup (quarantined).
G:\WINDOWS\system32\csfhn.exe -> Downloader.Agent.uj : Cleaned with backup (quarantined).
G:\Documents and Settings\Paul & Lynn\Cookies\paul & lynn@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
G:\Documents and Settings\Paul & Lynn\Cookies\paul & lynn@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
G:\Documents and Settings\Paul & Lynn\Cookies\paul & lynn@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
G:\Documents and Settings\Paul & Lynn\Cookies\paul & lynn@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
G:\WINDOWS\system32\dmlbl.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).


::Report end

illukka
2006-09-04, 07:33
hi



again well done :)

enable showing of system and hidden files:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

remember to rehide them once we're finished, just reverse the instructions above.

then reboot into safe mode

locate and delete the following file:
G:\WINDOWS\system32\{30E6E791-6508-42FA-9438-2D200436557E}.exe<<--this file

reboot back to normal mode

tell me how it goes now, are there still problems ?

Paul Rawlings
2006-09-04, 22:43
Hi

Things look really good at present. I ran spy bot and if was swiftly complete with nothing found. Also Ad aware went thro without freezing whci it did not before but I forgot to mention that.

Your help is very much appreciated and thank you again

Hopefully this should be the end of the present problem.

The tools I downloaded, such as hijack this and ewdio should I keep them in case they are needed in the future or can you suggest what else I could put on the machine to increase my security on the net.

Once again many thanks from a very grateful first timer on ther forum

Paul

illukka
2006-09-05, 20:52
hi

good work there:bigthumb:

there are still a couple of suspects there

enable showing of system and hidden files:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.



Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml
(http://www.pchell.com/support/safemode.shtml)



Search for these files and delete them if found:

G:\WINDOWS\system32\{30E6E791-6508-42FA-9438-2D200436557E}.exe

dont worry if it doesnt exist

reboot back to normal mode

tell me how it goes, are there still problems

Paul Rawlings
2006-09-06, 09:11
Hi

I have followed instructions and the file
G:\WINDOWS\system32\{30E6E791-6508-42FA-9438-2D200436557E}.exe

was not found this time.

Everything seems OK at present.

Should I rehide files and folder etc again or is there something else I have to find?

Over to you

Paul

illukka
2006-09-08, 07:47
hi

rehide system files

lets do an online virus scan to see if there is still something:
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Paul Rawlings
2006-09-08, 12:17
Hi

Your instruction were helpful and clear. I have completed the online scan and the results are posted below:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, September 08, 2006 10:09:55 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/09/2006
Kaspersky Anti-Virus database records: 221744
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 43494
Number of viruses found: 7
Number of infected objects: 48 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:23:12

Infected Object Name / Virus Name / Last Action
G:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-09-08_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
G:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4B180C1F.dll Infected: not-a-virus:AdWare.Win32.SBSoft.h skipped
G:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4B977193.exe Infected: not-a-virus:AdWare.Win32.FindSpy.a skipped
G:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\58597389.exe Infected: Trojan.Win32.Puper.bx skipped
G:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\585C1D85.exe Infected: Trojan.Win32.Qhost.hf skipped
G:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5C16016C.exe Infected: not-a-virus:AdWare.Win32.Msnagent.b skipped
G:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
G:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
G:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
G:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
G:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
G:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
G:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
G:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
G:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
G:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
G:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
G:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
G:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
G:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
G:\Documents and Settings\Paul & Lynn\Cookies\index.dat Object is locked skipped
G:\Documents and Settings\Paul & Lynn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
G:\Documents and Settings\Paul & Lynn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
G:\Documents and Settings\Paul & Lynn\Local Settings\History\History.IE5\index.dat Object is locked skipped
G:\Documents and Settings\Paul & Lynn\Local Settings\Temp\bbassistant.log Object is locked skipped
G:\Documents and Settings\Paul & Lynn\Local Settings\Temp\Perflib_Perfdata_160.dat Object is locked skipped
G:\Documents and Settings\Paul & Lynn\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
G:\Documents and Settings\Paul & Lynn\NTUSER.DAT Object is locked skipped
G:\Documents and Settings\Paul & Lynn\ntuser.dat.LOG Object is locked skipped
G:\Documents and Settings\Paul & Lynn\UserData\index.dat Object is locked skipped
G:\Program Files\BT Home Hub\Help\log\mpbtn.log Object is locked skipped
G:\Program Files\BT Home Hub\Help\SmartBridge\AlertFilter.log Object is locked skipped
G:\Program Files\BT Home Hub\Help\SmartBridge\log\httpclient.log Object is locked skipped
G:\Program Files\BT Home Hub\Help\SmartBridge\SBExtHost.log Object is locked skipped
G:\Program Files\BT Home Hub\Help\SmartBridge\SmartBridge.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\eengine\EPERSIST.DAT Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
G:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
G:\Program Files\Yahoo!\NAV\AVApp.log Object is locked skipped
G:\Program Files\Yahoo!\NAV\AVError.log Object is locked skipped
G:\Program Files\Yahoo!\NAV\AVVirus.log Object is locked skipped
G:\Program Files\Yahoo!\NAV\Savrt\0205NAV~.TMP Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000004.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000009.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000011.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000016.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000019.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000024.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000033.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000038.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000042.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000047.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000051.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000056.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000059.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000064.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000067.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000072.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000082.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP1\A0000087.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0000090.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0000095.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0000116.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0000121.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0000124.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0000129.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0000131.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0000136.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0000139.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0000145.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0000148.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0000153.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0000158.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0001158.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0001163.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0001166.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0001171.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0001173.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0001178.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0001184.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0001189.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0001201.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP2\A0001206.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP3\A0001250.exe Infected: Trojan-Downloader.Win32.Agent.uj skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP3\A0001251.exe Infected: Trojan.Win32.Small.fb skipped
G:\System Volume Information\_restore{033E7DE5-9452-4F91-B519-7EFBC5CCB83F}\RP5\change.log Object is locked skipped
G:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
G:\WINDOWS\SchedLgU.Txt Object is locked skipped
G:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
G:\WINDOWS\Sti_Trace.log Object is locked skipped
G:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
G:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
G:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
G:\WINDOWS\system32\config\default Object is locked skipped
G:\WINDOWS\system32\config\default.LOG Object is locked skipped
G:\WINDOWS\system32\config\SAM Object is locked skipped
G:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
G:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
G:\WINDOWS\system32\config\SECURITY Object is locked skipped
G:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
G:\WINDOWS\system32\config\software Object is locked skipped
G:\WINDOWS\system32\config\software.LOG Object is locked skipped
G:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
G:\WINDOWS\system32\config\system Object is locked skipped
G:\WINDOWS\system32\config\system.LOG Object is locked skipped
G:\WINDOWS\system32\h323log.txt Object is locked skipped
G:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
G:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
G:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
G:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
G:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
G:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
G:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
G:\WINDOWS\wiadebug.log Object is locked skipped
G:\WINDOWS\wiaservc.log Object is locked skipped
G:\WINDOWS\WindowsUpdate.log Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Thanks for your continued assistance.

Paul

illukka
2006-09-08, 13:02
hi

ok you're clean now, no active infections found.

just empty nortons quarantine, and then:


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:

Managing Windows Millenium System Restore (http://www.bleepingcomputer.com/forums/tutorial63.html)

or

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Reenable system restore with instructions from tutorial above


Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topict405.html)


Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/forums/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

A tutorial on installing & using this product can be found here:

Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers (http://www.bleepingcomputer.com/forums/tutorial43.html)


Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/tutorial48.html)


Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety

IE/Spyad (https://netfiles.uiuc.edu/ehowes/www/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

also remember to keep your java updated, see this topic for instructions
http://forums.spybot.info/showpost.php?p=12880&postcount=2

Paul Rawlings
2006-09-09, 18:45
Hi

That really is great news to know that I am clear again:D: . That of course is only because of your expert help which I really have appreciated receiving.

Your instructions have been very clear and I have had no trouble in following them.

I have done as you suggested and cleared my quarantine folder as well as setting a new system restore point.

I already have Spy bot and Ad aware but will visit the other links that you have suggested.

Thanks for all your help

I have thoroughly enjoyed learning

Regards

Paul

illukka
2006-09-09, 22:50
hi

thx for the kind words

as the problem here is resolved this topic will now be archived.
contact the forums staff to get it reopened, this applies to the origial poster only
everyone else with similar problems start a new topic

glad we could help :)