Spybot S&D and Adaware disabled (RESOLVED)

**dregsboy** · 31-12-2005

Hi Vincent,

As yesterday, I could only access my computer in SAFE MODE. I am pleased to hear that the message I got from Fixwareout was nothing to be concerned about.

I ran EWIDO and got the following log:

12:38 PM 31/12/2005---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:38:05 PM, 31/12/2005
+ Report-Checksum: 3DEF9BA3

+ Scan result:

[172] VM_00B40000 -> Downloader.Agent.uj : Error during cleaning
[192] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning
[624] VM_00840000 -> Downloader.Agent.uj : Error during cleaning
[316] VM_00840000 -> Downloader.Agent.uj : Error during cleaning
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cou nt3.jar-78d6a057-419ecf49.zip/Beyond.class -> Not-A-Virus.Exploit.Java.Bytverify : Cleaned with backup
C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cou nt3.jar-78d6a057-419ecf49.zip/BlackBox.class -> Not-A-Virus.Exploit.Java.Bytverify : Cleaned with backup
C:\Documents and Settings\user\Cookies\user@bigpond.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\SVNBYWXD\mm[1].js -> Spyware.Chitika : Cleaned with backup

::Report End

As you can see, Downloader.Agent.uj is still there.

I downloaded and ran the ActiveScan from panda and got the following report (the minor difficulty with this was that, in this mode, the window did not show the full content and I cannot resize it. So I was only able to click buttons that I could see; at the end there was a button next to the 'Save Report' button that might have offered cleaning or something but I couldn't see it all so I didn't click it.):

Incident Status Location

Virus:Trj/Eiro.O Disinfected Operating system
Adware:adware/ncase Not desinfected C:\TEMP\salmau.dat
Adware:adware/ideskbar Not desinfected C:\WINNT\SYSTEM32\howiper.exe
Adware:adware/sheldor Not desinfected C:\WINNT\SYSTEM32\windll.ini
Spyware:spyware/altnet Not desinfected Windows Registry

When I clicked on the link in the report to information about Eiro.O then IE closed down due to an error; it took four attempts to get it back.

Finally, I ran HJT and this is the log:

Logfile of HijackThis v1.99.1
Scan saved at 12

26 PM, on 31/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ewido anti-malware\SecuritySuite.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.bigpond.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.optusnet.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127528074035
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

It seems we are making progress. My best wishes to you for the New Year - I hope that whatever celebrations (if any) you have planned for tonight go off without a hitch.

Regards, Dan

**VopThis** · 31-12-2005

Clean out your Java cache using instructions provided here:
http://www.java.com/en/download/help/5000020300.xml

Download and run the freeware system optimization and privacy tool:
CCleaner (Crap Cleaner)
http://www.ccleaner.com/ccdownload.asp

It removes unnecessary junk from your computer allowing it to run more efficiently and securely.

You may get more optimal cleaning if you run it in SAFEMODE – while rebooting and at the beep keep tapping the F8 key.

Once installed, you will notice an Online Help link at the bottom left. Updates checking link is provided at the bottom right. When first run in its DEFAULT opening setup – Cleaner button (Windows TAB is selected) , click the ‘Analyse’ button. Thereafter, click ‘Run Cleaner’ after you have reviewed what it proposes to clean.

The free version of Activescan is a detect only scan. Please delete the following FILES manually in SAFE MODE:
C:\TEMP\salmau.dat
C:\WINNT\SYSTEM32\howiper.exe
C:\WINNT\SYSTEM32\windll.ini

REBOOT.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  - Extended (if available otherwise Standard)
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

**dregsboy** · 01-01-2006

Vincent,

First up, I thought I was going to have a problem doing any of what you suggested because, in SAFE MODE, I could not get the Java Control Panel to open - it flicked briefly on to the screen and disappeared each time. Finally, I started the Last Known Good Configuration and managed to do as you instructed. In addition, I uninstalled it and reinstalled it.

The Kaspersky report from the scan is FOURTEEN times too big to post!!! There is pages and pages of Norton Antivirus/Quarantine/... stuff. I have posted the first page to give you an idea. At the end of the post I have posted the only entries that are not from the Norton files. If you need all the other stuff, let me know and I will break it down into 20000 character chunks.

KASPERSKY ON-LINE SCANNER REPORT
Sunday, January 01, 2006 16:34:42
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 1/01/2006
Kaspersky Anti-Virus database records: 168486
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 38732
Number of viruses found: 57
Number of infected objects: 2415
Number of suspicious objects: 202
Duration of the scan process: 3621 sec

Infected Object Name - Virus Name
C:\Program Files\Norton AntiVirus\Quarantine\00296ABD.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\00433AA0.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\006D5C72.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\007E2E60.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\00851B73.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton AntiVirus\Quarantine\00896604.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\00A85031.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\00CB7A06.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton AntiVirus\Quarantine\00CD5F0E Infected: Trojan.Java.ClassLoader.i
C:\Program Files\Norton AntiVirus\Quarantine\00D70558.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\00FB5330.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\00FB5330.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\00FB5330.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\00FB5330.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\00FB5330.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\011444F9.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\011444F9.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\011444F9.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\011444F9.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\011F79BA Infected: Trojan.Java.ClassLoader.i
C:\Program Files\Norton AntiVirus\Quarantine\012323B6 Infected: Trojan.Java.ClassLoader.k
C:\Program Files\Norton AntiVirus\Quarantine\012C48FA.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\01307A2C.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\01361FA0 Infected: Trojan.Java.ClassLoader.h
C:\Program Files\Norton AntiVirus\Quarantine\01486A07 Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\016312BD.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\016A66B6.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\017C578E.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\017C578E.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\017C578E.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\017C578E.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\017C578E.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\019B5C80.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\01AF4A8B.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\01B11F5E.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\01BF1C79.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\01BF1C79.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\01BF1C79.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\01BF1C79.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenStream.d
C:\Program Files\Norton AntiVirus\Quarantine\01BF1C79.zip Infected: Trojan-Downloader.Java.OpenStream.d
C:\Program Files\Norton AntiVirus\Quarantine\01C414F8.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\01C414F8.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\01C414F8.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\01C414F8.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\01CF6E67.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\01CF6E67.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\01CF6E67.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\01CF6E67.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\01CF6E67.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\01DB0A0D.gif Infected: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\01E73ECE.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\01F22FF4.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\01F22FF4.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\01F22FF4.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\01F22FF4.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\01F22FF4.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\02062BDE.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\020E36A3.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\021927C8.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\021E2A9F.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton AntiVirus\Quarantine\022325BE.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\022F5A7F.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\02304DAF.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\0236190C.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\023C0270.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\0244499A.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\02466AFA.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\024E478F.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\025068F0.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\02527622.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\026C4606.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\02711567.zip/Jvb.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\02711567.zip/MyFunction.class Infected: Trojan-Dropper.Java.Small.c
C:\Program Files\Norton AntiVirus\Quarantine\02711567.zip/MainApp.class Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\02711567.zip Infected: Trojan.Java.ClassLoader.f
C:\Program Files\Norton AntiVirus\Quarantine\02796DF7.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\02836BEC.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\02841E21.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0327516E.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\033761DD Infected: Trojan.Java.ClassLoader.k
C:\Program Files\Norton AntiVirus\Quarantine\033825A6.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\034F4B8D.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\034F4B8D.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\034F4B8D.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\034F4B8D.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\034F4B8D.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\03535EE3.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton AntiVirus\Quarantine\037A6D5E.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\03826909.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\0387154F.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\038F10FB.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\038F1673 Infected: Trojan.Java.ClassLoader.ah
C:\Program Files\Norton AntiVirus\Quarantine\0397673D.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\03A106EC.html Infected: Trojan-Downloader.JS.Weis.b
C:\Program Files\Norton AntiVirus\Quarantine\03A7392B.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\03B845ED.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\03BB2388.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\03E611BB.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\03EE5292.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\03FE2480.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\0410672A.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\041F01CC Infected: Trojan.Java.ClassLoader.i
C:\Program Files\Norton AntiVirus\Quarantine\044542D2 Infected: Trojan.Java.ClassLoader.k
C:\Program Files\Norton AntiVirus\Quarantine\046100D0.class Infected: Trojan.Java.ClassLoader.Dummy.d
C:\Program Files\Norton AntiVirus\Quarantine\047B50B4.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\049E433B.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\04C21114.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\04C21114.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\04C21114.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\04C21114.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\04C21114.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\04F306DE.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\050F2232 Infected: Trojan.Java.ClassLoader.i
C:\Program Files\Norton AntiVirus\Quarantine\052F0935.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\052F0935.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\052F0935.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\052F0935.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\0531249A.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\05417688.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\0552330B.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton AntiVirus\Quarantine\05557272.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\0593102E.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\0593102E.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\0593102E.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\0593102E.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\0593102E.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\05A570B4.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\05A570B4.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\05A570B4.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\05A570B4.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\0610363A.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\065B7BE8.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\068D2ECF.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\06972CC4.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\06977D03.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\06AD61EF.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton AntiVirus\Quarantine\06D944BB.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\06D944BB.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\06D944BB.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\06D944BB.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\06D944BB.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\07062730.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\07062730.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\07062730.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\07062730.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\07A83679.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton AntiVirus\Quarantine\080210D3 Infected: Trojan.Java.ClassLoader.k
C:\Program Files\Norton AntiVirus\Quarantine\08186E02.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\08186E02.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\08186E02.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\08186E02.zip Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Program Files\Norton AntiVirus\Quarantine\08590273.html Infected: Trojan-Downloader.JS.Weis.b
C:\Program Files\Norton AntiVirus\Quarantine\087247D7 Infected: Trojan.Java.ClassLoader.d
C:\Program Files\Norton AntiVirus\Quarantine\08867B28 Infected: Trojan.Java.ClassLoader.i
C:\Program Files\Norton AntiVirus\Quarantine\08B960AB.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\08B960AB.zip/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\08B960AB.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\08B960AB.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v

....THEN THE SAME STUFF FOR 110 PAGES IN WORD UNTIL.....

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7F3402F7.tmp Infected: Trojan.Java.ClassLoader.ai
C:\Program Files\Yahoo!\YPSR\Quarantine\20050902181146.zip/WINNT/system32/drivers/etc/hosts Infected: Trojan.Win32.Qhost.a
C:\Program Files\Yahoo!\YPSR\Quarantine\20050902181146.zip Infected: Trojan.Win32.Qhost.a
C:\Program Files\Yahoo!\YPSR\Quarantine\20050907210315.zip/msmsgs.exe Suspicious: Password-protected-EXE
C:\Program Files\Yahoo!\YPSR\Quarantine\20050907210315.zip Suspicious: Password-protected-EXE
C:\Program Files\Yahoo!\YPSR\Quarantine\20051227114125.zip/WINNT/system32/drivers/etc/hosts Infected: Trojan.Win32.Qhost.a
C:\Program Files\Yahoo!\YPSR\Quarantine\20051227114125.zip Infected: Trojan.Win32.Qhost.a
C:\unzipped\hijackthis\backups\backup-20051227-144543-649.dll Infected: Trojan.Win32.Agent.md
C:\WINNT\system32\ogkhyneg.cth Infected: Trojan.Win32.Agent.md

Scan process completed.

Does this all mean that my anti-virus programs have viruses??

Regards, Dan

**VopThis** · 01-01-2006

Does this all mean that my anti-virus programs have viruses??

It means that certain apps have a lot of garbage in the quarantine (decontamination/holding) areas. Go into those quarantine areas and delete the content found there. Your PC appears to have been quite the malware battleground by virtue of what has accumulated in the quarantine areas.

For example, in Norton AV go to 'Reports'>'quarantine items'>view report and delete the quarantine items found listed.

Cleaning up the cache and temporary file areas may help give your PC new vigor and better stability (less reinfection content potential). There were certainly a lot of JAVA based infections evident.

Delete the following non-quarantine item listed by Kaspersky (in SAFE MODE, if necessary):
C:\WINNT\system32\ogkhyneg.cth

I will have further suggestions to offer tomorrow once I have completely reviewed new information that research has brought to light.

Post your latest HJT log and any other currently relevant feedback observations.

**VopThis** · 01-01-2006

As promised, here is an additional assessment scan that you should perform:

(BETA Rootkit Elimination Technology):
Note: The F-Secure BlackLight Beta only works on 32-bit Windows 2000, Windows XP and Windows 2003 Server. The current F-Secure BlackLight beta does not work on Windows NT, 95, 98, ME, or 64-bit Windows.

Please print out these instructions as you should have all open windows and programs closed when running the scan.

Step 1.
==========
- Please download F-Secure's trial Blacklight from here
- Print out the help page for guidance. It will be found here
- Click the "I Accept" button at the license agreement
- Click the "Download" button to start the download
- Save it to your Desktop

Step 2.
==========
- Double-click the blbeta.exe file on your Desktop and select ‘Run’.
- Select the "I Accept the agreement" at the license agreement, then click "Next"
- Make sure "Scan through Windows Explorer (Recommended)" is selected\checked (if asked)
- Make sure all open programs and windows are closed (including this IE window) before clicking the "Scan" button
- Click "Scan

- When the animated graphics, in the bottom right-hand corner, disappears, click "Close" – VERY IMPORTANT: Do not proceed beyond this point on the initial first assessment – this is BETA software – need to proceed carefully

- A text log file will appear on your Desktop when the scan is complete. It will start with fsbl-xxxxxx.txt (ie: fsbl-20051017165931.log)
- Paste the contents of that log back here.

**dregsboy** · 02-01-2006

Vincent,

Followed all instructions (except printing out stuff because my computer will no longer recognise my printer) and here is the Blacklight log:

01/02/06 14:10:09 [Info]: BlackLight Engine 1.0.30 initialized
01/02/06 14:10:09 [Info]: OS: 5.0 build 2195 (Service Pack 4)
01/02/06 14:10:10 [Note]: 7019 4
01/02/06 14:10:10 [Note]: 7005 0
01/02/06 14:10:38 [Note]: 7006 0
01/02/06 14:10:38 [Note]: 7011 1276
01/02/06 14:10:39 [Note]: FSRAW library version 1.7.1014
01/02/06 14:11:05 [Info]: Hidden file: C:\WINNT\system32\wbem\wbemtest.exe
01/02/06 14:11:05 [Note]: 10002 1
01/02/06 14:11:07 [Info]: Hidden file: C:\WINNT\system32\filesafer23.exe
01/02/06 14:11:07 [Note]: 10002 1
01/02/06 14:11:10 [Info]: Hidden file: C:\WINNT\system32\sphlp32.exe
01/02/06 14:11:11 [Note]: 10002 1
01/02/06 14:11:12 [Info]: Hidden file: C:\WINNT\system32\csnjg.exe
01/02/06 14:11:12 [Note]: 7002 32
01/02/06 14:11:12 [Note]: 7003 1
01/02/06 14:11:12 [Note]: 10002 1
01/02/06 14:11:14 [Info]: Hidden file: C:\WINNT\system32\pppcgm.exe
01/02/06 14:11:14 [Note]: 10002 1
01/02/06 14:11:14 [Info]: Hidden file: C:\WINNT\system32\favset.exe
01/02/06 14:11:14 [Note]: 10002 1
01/02/06 14:11:41 [Note]: 7007 0

I hope there is something here that shouldn't be.

Regards, Dan

**VopThis** · 02-01-2006

Re-run the Blacklight scan after carefully reading the notes and instructions, here:
http://www.f-secure.com/blacklight/help/

F-Secure BlackLight found hidden items! What should I do?
If your computer has actually been hacked, removing the hidden items might not be sufficient. Even after a careful clean up the hacker might still be able to access your computer after it has been compromised once. The removed malware may have changed the system in a way that is impossible to detect or restore. An added or changed user right is a typical example of such changes. Formatting all hard disks and re-installing the computer is the only foolproof way to eliminate this risk.

If a full re-installation is not an [IMMEDIATE] option, removing the necessary hidden items can help in some situations.

You should always remember that not all hidden items BlackLight finds are necessarily malicious. In some cases, removing or renaming an important file could render the computer unusable.

Research all found items in Google in case any found items have a legitimately known purpose or try submitting them to JOTTI: http://virusscan.jotti.org/ for their evaluation and immediate feedback.

In your case, the research evidence, a similar incidence, and others have concluded that the following items are likely all bad (with a high degree of certainty):

[sample Blacklight log] http://www.short-media.com/forum/sho...2&postcount=16
C:\WINDOWS\SYSTEM32\filesafer23.exe.ren
C:\WINDOWS\SYSTEM32\sphlp32.exe.ren
C:\WINDOWS\SYSTEM32\csqnt.exe.ren (random variation of csnjg.exe? – one exact Panda Activescan match item found in Google)
C:\WINDOWS\SYSTEM32\pppcgm.exe.ren
C:\WINDOWS\SYSTEM32\favset.exe.ren

[other]
C:\WINDOWS\SYSTEM32\howiper.exe.ren (also previously found on your PC)
C:\WINDOWS\SYSTEM32\idemlog.exe.ren

If any items show in blacklite rename them except for wbemtest.exe"
Do not rename "wbemtest.exe" its a KNOWN windows file
The tool will ask if you want to reboot (restart) choose yes.
Note: some files may be randomly named files and may turn up with a slightly different name in subsequent scans.

After you have rebooted post back with blacklite’s log (pattern: fsbl-xxxxxx.txt), it will be found in the same folder/area as the program.

Let us know if your PC'c circumstances have now improved.

**dregsboy** · 03-01-2006

Vincent,

My PC's circumstances have improved dramatically; that Blacklight is certainly effective!

While I remember, I didn't see your post #14 until today; I just scrolled to last post yesterday so I missed it. I carried out its instructions today.

I can now start my PC in normal mode. It still takes a lot longer than it used to, but at least I can get into it. I ran Blacklight again and here is the log:

01/03/06 09:41:16 [Info]: BlackLight Engine 1.0.30 initialized
01/03/06 09:41:16 [Info]: OS: 5.0 build 2195 (Service Pack 4)
01/03/06 09:41:16 [Note]: 7019 4
01/03/06 09:41:16 [Note]: 7005 0
01/03/06 09:41:19 [Note]: 7006 0
01/03/06 09:41:19 [Note]: 7011 1204
01/03/06 09:41:20 [Note]: FSRAW library version 1.7.1014
01/03/06 09:42:01 [Note]: 7007 0

I ran HJT and this is the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:06:37 AM, on 3/01/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\dla\tfswctrl.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\cidaemon.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.bigpond.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.optusnet.com.au/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [dla] C:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127528074035
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www.symantecstore.com/v2.0-img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by101fd.bay101.hotmail.msn.com/activex/HMAtchmt.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I tried to run EWIDO - I downloaded the update and started a scan. Unfortunately, at different points during different attempts (including before a scan would start) I got the message that SecuritySuite.e.exe had generated errors and would close, so I am unable to post that log.

I ran NoAdware (I know you don't recommend it) and it found 33 Registry problems - mainly to do with CWS, W32hijacker, and Morpheus. It does not offer a log so I deleted what it had found.

I had to reinstall Ad-Aware and it found one Registry problem and deleted it.

The website (short-media.com) that you directed me to, contained some advice from one of the professionals to install a different browser - Firefox or Opera - and also some other software to protect my computer. Do you have an opinion on this? You have been so helpful and I would welcome your advice.

Thank you.

Regards, Dan.

**VopThis** · 03-01-2006

My PC's circumstances have improved dramatically

That is very good to hear.

The good news - your HJT looks clean. The not-so-good news - Ewido continues to choke on something it doesn't like. And that is not characteristic of Ewido. Be very mindful of how deeply compromised your PC has been and may continue to be because of such potentially continuing ' hidden issues'. You may need to decide to reinstall from scratch in order to get a conclusive resolution for any continuing issues.

NoAdware - In my opinion, most such iffy and more obscure products are about creating a need for their product at all cost (through FUD - fear, uncertainty, and doubt). There are better products and tools out there already adequately covering the important infection issues - you really don't need this one. It is not likely going to make much of a substantive operational difference.

I would re-run Kaspersky to verify your cleanup of the quarantine areas.

Try running the following tool as a near alternate for Ewido:

Download (the free version), install, update, and run A Squared scanning tool (strong tool against Trojans):
http://www.emsisoft.com/en/software/free

Post any available log (IMPORTANT FEEDBACK) - do not fix any 'riskware' items (in particular) unless you understand why you are fixing those items. Indicate which found items remain to be fixed.

You may as well try these additional scans for peace-of-mind:

Bit Defender:
http://www.bitdefender.com/scan/licence.php
Turn off any Popup Blockers before accessing the site.
Save the log and post it here. Let it clean/cure/delete all it finds.

You might have to hit refresh if it reports a failed download.

Computer Associates:
http://www3.ca.com/virusinfo/virusscan.aspx

advice from one of the professionals to install a different browser - Firefox or Opera - and also some other software to protect my computer. Do you have an opinion on this?

To help avoid serious infection again, please look carefully at this post for some excellent preventative measures. Prevention must be made the first line of defense to improve upon.

ONCE your are as clean as possible - As a final cleanup step, it is often advisable to Reset and Re-enable your System Restore to remove any bad files that may have been backed up by Windows . The files in System Restore are protected to prevent any programs changing them. And, this is the only complete way to clean these files: (You will lose all previous restore points which could likely be infected, anyway.)

PLEASE NOTE: you will need to log into your computer with an account that has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

c:\System Volume Information\_restore….

To Turn OFF System Restore.

Click the Start button.
Right-click My Computer, and then click Properties.
On the System Restore tab, check Turn off System Restore or Turn off System Restore on all drives.
Click Apply.

To Turn ON System Restore.

Follow the steps in the previous section, but in step 3, uncheck Turn off System Restore or Turn off System Restore on all drives. Then click OK.
Create new System Restore points.

(Windows ME)

c:\_RESTORE\TEMP\….

See the following link for instructions:
http://service1.symantec.com/SUPPORT...rc=sec_doc_nam

To reduce the re-infection potential for malware and protect your PC against spyware, here are a few helpful suggestions:

Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft . This will patch many of the security holes through which attackers can gain access to your computer . You CANNOT complete this update using an alternate browser – you must use Internet Explorer.
http://v5.windowsupdate.microsoft.com/v5co...t.aspx?ln=en-us
http://www.microsoft.com/windows/ie/default.asp
Run your antivirus software regularly, and to keep its definitions up-to-date. If you are thinking about switching (using only real-time AV tool one at a time), there are a some good free Antivirus programs that are decent, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1
Avast: http://www.avast.com/eng/avast_4_home.html
In addition to using Ad-aware consider using another free malware scanning/removal program :
Adaware SE: http://www.download.com/Ad-Aware-SE-Person...ubj=dl&tag=top5
Spybot S&D: http://www.download.com/Spybot-Search-Dest...tml?tag=lst-0-1
MS Antispyware beta: http://www.microsoft.com/athome/security/s...re/default.mspx
Consider using a free firewall if you are not already using one (use only one firewall at a time – normally you will need to disable the MS firewall). Some good free ones (for incoming and added outgoing traffic protection) are:
Kerio Personal Firewall: http://www.sunbelt-software.com/Kerio.cfm
*** After 30 days, Kerio shuts down selected features, but will continue to run in 'free' mode.
Zone Alarm: http://www.zonelabs.com/store/content/company/products/znalm/comparison.jsp?lid=ho_za

It is not a bad idea to also consider using a Router/Hardware firewall device where you have a High-Speed Internet access connection. A software firewall may occasionally need to be disabled or it gets/remains disabled by someone or something. Such an added layer of security consistency has a lot of merit to it.
Consider using an alternate free browser for general web surfing but you must use IE for windows updates.
Mozilla Firefox: http://www.mozilla.org/products/firefox/
Consider increasing your browser security by using these programs:
SpywareGuard will help protect your homepage from being hijacked: http://www.javacoolsoftware.com/spywareguard.html
SpywareBlaster will increase browser protection by blocking access to thousands of known malware sites by adding them to IE's restricted sites zone. It essentially blocks known- bad ActiveX program items from being installed or running on your computer. Download it here: http://www.javacoolsoftware.com/spywareblaster.html
- If you use SpywareBlaster, you can also use a customblocklist to add even more entries into IE restricted sites zone. Go to this site for the current list and how to use instructions: http://customblockinglist.cjb.net/
- IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
  https://netfiles.uiuc.edu/ehowes/www/resource.htm
A HOSTS file can block Internet access to thousands of known-bad sites by not allowing you any easy browser access to such sites knowingly or unknowingly. Use HJT to determine if a current HOSTS file exists and any contents therein:
- Run the HiJackThis tool and select ‘Open the Misc Tools section’.
- Next select ‘Open host file manager’ button.
- Use the ‘Open in Notepad’ button in XP/W2K or use WORDPAD if necessary [type wordpad.exe in the RUN box (Start>Run)] and load the FILE PATH identified in HJT.
- Go to http://www.mvps.org/winhelp2002/hosts.txt . # Read the initial instructions #. Copy and paste (append or replace) the RELEVANT host address entry contents of that file into Notepad or Wordpad and save the updated file contents.
  
  #start of lines added by WinHelp2002
  # [Misc A - Z]
  127.0.0.1 phpadsnew.abac.com
  127.0.0.1 a.abnad.net
  127.0.0.1 e.abnad.net
  127.0.0.1 www.accoona.com #[Adware-Accoona][Adware.Atoolb][Panda.Accoona]
  .
  .
  .
  #end of lines added by WinHelp2002

*Remember just like your primary anti-virus software, it is important to:
Keep all of these programs up-to-date, and

Use them on a regular basis.

**dregsboy** · 04-01-2006

Vincent,

It feels like my computer is probably the best it can be without a complete formatting and re-installation. I realise, however, you may yet correct that view!

I have a few observations to report; I'm not sure how useful they will be because, in comparison to the state this computer has been in, they feel quite insignificant.

Firstly, I noticed that when I initially downloaded EWIDO and tried to get into NORMAL MODE, it would load (or at least the screen would indicate) things in a different order i.e. the desktop icons would appear before the icons in the information area of the taskbar, when previously it was the other way around.

Today, I uninstalled EWIDO then reinstalled it and the loading order went back to what is normal for this machine. When I clicked 'Update' in EWIDO the window immediately closed. When I opened EWIDO the second time it updated and scanned without a problem.

When I ran Kaspersky, the progress indicator (normally a number of blue blocks within a window indicating a percentage) reached the end of its window at 95% and started a second line of blocks for the remaining 5%! I have never seen that before and I don't think it is a particularly good sign. I also went to go to another website and clicked the 'History' button to find it and, as soon as I had done that, the IE window reduced in size to about one-third - maximising it wouldn't work and nor could I resize it.

A Squared found only a cookie related to my broadband provider.

I downloaded Bitdefender and started a scan but it indicated that the scan was going to take in excess of three hours!! During that time I could not do anything else on the machine, so I aborted the scan.

I downloaded the virus scan from Computer Associates and it worked well. It claimed to have found SPAlert.chm in WINNT\Help\... but a search revealed nothing so I was unable to delete it if it was there.

I could not do System Restore because that function is not installed on my computer and I don't have the installation CD to install it. (I have the authority, just not the software.)

I followed all your other instructions re: Mozilla, SpywareGuard, SpywareBlaster and opening a 'HOSTS' file. The websites you directed me to were certainly eye-openers; I followed advice on a number of them hence this post is relatively late - it has taken me all day to get to this position. I now feel that my computer is as protected as I can make it.

There is still a suspicious flicker of the screen when the computer is asked to do something - I am concerned that the hideous virus that I had/have is still lurking in there somewhere but at least I can use it (for now!)

I must record my gratitude to you, especially, and others of your ilk who are prepared to devote time and expertise to helping distressed computer novices like myself. These last 10 days or so have been a salutary lesson for me and, I hope, for some of the others who have viewed these postings. I truly thought that, with a respected AV program and a number of malware detectors, I was as protected as I needed to be on the Net. I am sure I am not alone in thinking that.

I have included the latest of all the logs mentioned in this post:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:23:42 PM, 4/01/2006
+ Report-Checksum: 3930BF7A

+ Scan result:

:mozilla.39:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\w74lok7n.default\coo kies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq35.tmp -> Spyware.Cookie.Com : Cleaned with backup

::Report End

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, January 04, 2006 09:51:57
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 3/01/2006
Kaspersky Anti-Virus database records: 168879
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 36768
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 4477 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

ASquared:
Filename Diagnosis
C:\Documents and Settings\user\Cookies\user@com[2].txt Trace.TrackingCookie

Again, Vincent, my sincere thanks. I shall continue to view the postings on this site and, when my studies are over and I have found work, I hope to make a donation that is representative of the help I have received.

Regards, Dan.

Spybot S&D and Adaware disabled (RESOLVED)

Re: Spybot S&D and Adaware disabled

Similar Threads

M$ recomends AdAware & SpyBot

Adaware, Spybot S&D done, now what?

Not able to download Adaware or Spybot updates

Adaware SE & Spybot S & D Updates

AdAware; Spybot; etc. Updates