I had Norton Internet Security 2006 installed (including Norton Antivirus), and due to some problem created when I accidentally left my system clock set back a year ago or so, it started complaining that it was no longer activated.

Now it seems like my computer has a virus. Once I noticed some strange things happening, I tried to diagnose the problem. That's when I decided something was definately wrong. Whatever it is, it seems to be deleting my anti-virus software as well as Spybot.

The main .exe files for NAV are no longer there. SpybotSD.exe is also missing. If I open the directory in one window and reinstall it, I can momentarily see the .exe file before it disappears again. In fact, if I rename any random file to "SpybotSD.exe", it instantly gets deleted.

I am unable to install AVG or Avast. They too get deleted.

I was able to put a working copy of Spybot onto a flash card with a write protection lock. If I ran it as SpybotSD.exe, nothing happened. When I renamed it, it ran, but ultimately didn't find anything significant (a few tracking cookies).

Also, the programs that can run (such as Ad-aware) are unable to connect to their servers for updates. Outlook is also unable to connect to download email. Web browsers work fine though.

Here is my HijackThis.log:

Logfile of HijackThis v1.99.1
Scan saved at 5:20:54 PM, on 3/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Drivers\Logitech\iTouch\iTouch\iTouch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Drivers\Logitech\MouseWare\MouseWare\system\em_ exec.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Utility\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Word Processing\Acrobat Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utility\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Drivers\Logitech\iTouch\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Utility\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [avast!] C:\Utility\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [AWMON] "C:\Utility\Ad-Aware SE Professional\Ad-Watch.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open PDF in Word - res://C:\Utility\OmniPage Pro\PdfCnv\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Internet\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Internet\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117165599252
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...24/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C253BA57-2434-4ACD-8B87-F3443DC4CF5B}: NameServer = 207.69.188.185,207.69.188.186
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


I'm getting pretty close to giving up and reformatting.... Any help would be greatly appreciated.

Thanks -

Will

Welcome to DAL,

Hope we can do you some good, if you have to, download the scan tools to an uninfected computer and burn to CD and bring to your computer and run scans like that hopefully.


For the time being:


Please disable AdWatch, as it may hinder the removal of some entries. You can re-enable it after you're clean.
To disable AdWatch:

Open AdAware SE.
Go to AdWatch User Interface.
Go to Tools and Preferences.
At the bottom of the screen you will see 2 options Active and Automatic.
Active: This will turn Ad-Watch On\Off without closing it
Automatic: Suspicious activity will be blocked automatically
Uncheck both options. You can enable these after resolving your problem.




Please download, install, and update the NEW free version of Ewido trojan scanner:
[*]When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
[*]When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
[*]From the main ewido screen, click on update in the left menu, then click the Start update button.
[*]After the update finishes (the status bar at the bottom will display "Update successful")
[*]Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
[*]If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
[*]When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Post the log Ewido makes back here please.


Stay with the scanner and remove what it finds unless you know it to be legitimate.

Okay. I've run ewido 3 or 4 times. It keeps popping up with "Infected object found!" message boxes. The first 100 or more are all tracking cookies. So I leave the preform action set to "Remove" and click OK. Somewhere along the lines, ewido eventually crashes as I'm pressing to OK button repeatedly.

So last night I let it run overnight. After 305 minutes (just over 5 hours), the scanner window shows that it completed (100%) and shows 572 infected objects. Do I dare try to press OK up to 572 times and risk crashing (where I get no report and nothing gets cleaned) or should I select "None" and "Perform action with all infections" just to be able to get a report? Or maybe I could tell it to remove all ... with the backup checked could I restore anything I didn't actually want it to remove?

I'll leave ewido running while I wait for input on the best approach.

Thanks.

Ewido has a backup function so do what ever does not crash your computer.


Sounds like it will be a long log and may take two or more posts to post it and that is ok.

Okay... I managed to do a "Fast Computer Scan" last evening from Safe Mode. Here's the full report on that one:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:16:56 AM, 3/26/2006
+ Report-Checksum: F7860484

+ Scan result:

C:\WINDOWS\system32\ldr64.dll -> Downloader.Bagle.af : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@com[2].txt -> TrackingCookie.Com : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@data2.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@downloads-zdnet.com[1].txt -> TrackingCookie.Com : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@e-2dj6wfk4wjajscp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@e-2dj6wgkokgcpkdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@microsofteup.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
D:\Documents and Settings\Will\Cookies\will@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup


::Report End

Then on the complete scan that ran for 5 hours overnight, I told it to remove all problems found. Almost all of the 572 items were tracking cookies, all of which were successfully cleaned. Here's the piece of the report that wasn't:

D:\Documents and Settings\Will\Desktop\Stuff\Programs\Ad-aware\aawsepro105.exe -> Dropper.Delf.fd : Cleaned with backup
D:\Documents and Settings\Will\Desktop\Stuff\Programs\BrainsBreaker \BrainBreaker_v3.1.zip/CORE2000.EXE -> Worm.Finaldo.a : Error during cleaning
D:\Documents and Settings\Will\Desktop\Stuff\Programs\CloneDVD\Clon eDVD2454.exe -> Dropper.Delf.fd : Cleaned with backup
D:\Documents and Settings\Will\Desktop\Stuff\Programs\Kazaa\kmd161_ en.exe -> Adware.Cydoor : Cleaned with backup
D:\Documents and Settings\Will\My Documents\Downloads\ancient evil vga 1.0.zip/ancient evil vga 1.0.exe -> Trojan.Small : Cleaned with backup
D:\Documents and Settings\Will\My Documents\Downloads\Norton Systemworks 2006 Premier Edition.zip/crackfix.exe -> Trojan.BHO.b : Error during cleaning
D:\Old Computer\Drive D\Documents and Settings\Will\Local Settings\Temporary Internet Files\Content.IE5\UXW3YTI5\AktiveSekurity[1].cab/AktiveSekurity.ocx -> Not-A-Virus.VirTool.Win32.Collector : Cleaned with backup
D:\Old Computer\Drive D\Games\BrainsBreaker\CORE2000.EXE -> Worm.Finaldo.a : Cleaned with backup

I found and deleted the files that came up "Error during cleaning". FYI, that ewido run was done under normal Windows mode, not safe mode - is that okay?

I then rebooted. When I tried to reinstall Spybot, the SpybotSD.exe file was immediately deleted again.

Any ideas?

Will

O

Go to the link below and download and install CounterSpy.
Run the scan from safe mode.


http://www.sunbelt-software.com/CounterSpy-Download.cfm


Post the log CounterSpy makes please.





Then reboot normal mode:



www.pandasoftware.com/activescan/

Internet Explorer Required
Please run this online virus scan: ActiveScan

* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send(*NOTE it's perfectly safe to do so..You will NOT be spammed from this)
- Select either Home User or Company
* Click the big Scan Now button
* If/when you get a notice that Panda wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on Local Disks to start the scan
* When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop and post it back here please and a new hijackthis log as well. Thanks.


We need:

CounterSpy log
Panda scan log
New hijackthis log

Thanks.

Okay - Here we go.

CounterSpy (I didn't see where/how to save a report, so I cut & pasted from the program:

Spyware Scan Details
Start Date: 3/26/2006 4:10:47 PM
End Date: 3/26/2006 6:13:22 PM
Total Time: 2 hrs 2 mins 35 secs

Detected spyware

Adw.Afriz.Downloader Browser Hijacker more information...
Details: Adw.Afriz.Downloader silently travels to porn sites without displaying IE.
Status: Quarantined

Infected files detected
D:\Documents and Settings\Will\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Se curityClassLoader.class-6a4dd64f-77f88d6c.class


KaZaA P2P more information...
Details: Kazaa is a Peer to Peer file sharing application that uses some adware advertising as well as installs a number of thrid party adware software on your computer.
Status: Ignored

Infected files detected
D:\Old Computer\Drive D\Program Files\InstallShield Installation Information\{7D50E972-F2C4-4327-AA79-88FA868A4507}\setup.inx


adrevolver Cookie more information...
Status: Deleted

Infected cookies detected
d:\documents and settings\will\cookies\will@adrevolver[1].txt
d:\documents and settings\will\cookies\will@adrevolver[2].txt


AdsRemote.Scripps.com Cookie more information...
Status: Deleted

Infected cookies detected
d:\documents and settings\will\cookies\will@adsremote.scripps[1].txt


Advertising.com Cookie more information...
Status: Deleted

Infected cookies detected
d:\documents and settings\will\cookies\will@advertising[1].txt


Clickability.com Cookie more information...
Status: Deleted

Infected cookies detected
d:\documents and settings\will\cookies\will@clickability[2].txt


Hitbox.com Cookie more information...
Status: Deleted

Infected cookies detected
d:\documents and settings\will\cookies\will@hitbox[2].txt
d:\documents and settings\will\cookies\will@phg.hitbox[2].txt


QuestionMarket.com Cookie more information...
Status: Deleted

Infected cookies detected
d:\documents and settings\will\cookies\will@questionmarket[1].txt


SuperStats Cookie more information...
Status: Deleted

Infected cookies detected
d:\documents and settings\will\cookies\will@superstats[1].txt


Radar Spy 1.0 Cookie more information...
Status: Deleted

Infected cookies detected
d:\documents and settings\will\cookies\will@tradedoubler[1].txt


ValueClick.com Cookie more information...
Status: Deleted

Infected cookies detected
d:\documents and settings\will\cookies\will@valueclick[1].txt


Zedo Cookie more information...
Status: Deleted

Infected cookies detected
d:\documents and settings\will\cookies\will@zedo[2].txt



Then Pandasoft Active Scan:


Incident Status Location

Virus:W32/Bagle.HX.worm Not disinfected C:\WINDOWS\system32\wintems.exe
Virus:W32/Bagle.HX.worm Not disinfected D:\Documents and Settings\Cathy\Application Data\hidires\hidr.exe
Hacktool:Rootkit/AKill Not disinfected D:\Documents and Settings\Cathy\Application Data\hidires\m_hook.sys
Spyware:Cookie/Maxserving Not disinfected D:\Documents and Settings\Cathy\Application Data\Netscape\NSB\Profiles\rd2hnsc9.default\cookie s.txt[]
Spyware:Cookie/Belnk Not disinfected D:\Documents and Settings\Cathy\Cookies\cathy@ath.belnk[2].txt
Spyware:Cookie/Atwola Not disinfected D:\Documents and Settings\Cathy\Cookies\cathy@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected D:\Documents and Settings\Cathy\Cookies\cathy@azjmp[1].txt
Spyware:Cookie/Belnk Not disinfected D:\Documents and Settings\Cathy\Cookies\cathy@belnk[1].txt
Spyware:Cookie/360i Not disinfected D:\Documents and Settings\Cathy\Cookies\cathy@ct.360i[1].txt
Spyware:Cookie/Belnk Not disinfected D:\Documents and Settings\Cathy\Cookies\cathy@dist.belnk[1].txt
Spyware:Cookie/Errorguard Not disinfected D:\Documents and Settings\Cathy\Cookies\cathy@errorguard[2].txt
Spyware:Cookie/Target Not disinfected D:\Documents and Settings\Cathy\Cookies\cathy@target[1].txt
Spyware:Cookie/Tucows Not disinfected D:\Documents and Settings\Copy of Will\Application Data\Netscape\NSB\Profiles\zr2mgkuu.default\cookie s.txt[]
Spyware:Cookie/Atwola Not disinfected D:\Documents and Settings\Copy of Will\Cookies\will@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected D:\Documents and Settings\Copy of Will\Cookies\will@belnk[1].txt
Spyware:Cookie/Tucows Not disinfected D:\Documents and Settings\Copy of Will\Cookies\will@tucows[1].txt
Spyware:Cookie/Xiti Not disinfected D:\Documents and Settings\Copy of Will\Cookies\will@xiti[1].txt
Virus:W32/Bagle.IB.worm Not disinfected D:\Documents and Settings\Will\Application Data\hidires\hidr.exe
Hacktool:Rootkit/AKill Not disinfected D:\Documents and Settings\Will\Application Data\hidires\m_hook.sys
Spyware:Cookie/Bfast Not disinfected D:\Documents and Settings\Will\Application Data\Netscape\NSB\Profiles\zr2mgkuu.default\cookie s.txt[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\Will\Application Data\Netscape\NSB\Profiles\zr2mgkuu.default\cookie s.txt[49124434]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\Will\Application Data\Netscape\NSB\Profiles\zr2mgkuu.default\cookie s.txt[]
Spyware:Cookie/Server.iad.Liveperson Not disinfected D:\Documents and Settings\Will\Application Data\Netscape\NSB\Profiles\zr2mgkuu.default\cookie s.txt[49124434]
Spyware:Cookie/Hitslink Not disinfected D:\Documents and Settings\Will\Application Data\Netscape\NSB\Profiles\zr2mgkuu.default\cookie s.txt[]
Spyware:Cookie/WebtrendsLive Not disinfected D:\Documents and Settings\Will\Application Data\Netscape\NSB\Profiles\zr2mgkuu.default\cookie s.txt[dcsauhh66pifwz3kt81grbj8d_5p7p]
Spyware:Cookie/Mammamediasolutions Not disinfected D:\Documents and Settings\Will\Application Data\Netscape\NSB\Profiles\zr2mgkuu.default\cookie s.txt[]
Spyware:Cookie/WebtrendsLive Not disinfected D:\Documents and Settings\Will\Application Data\Netscape\NSB\Profiles\zr2mgkuu.default\cookie s.txt[S146260]
Spyware:Cookie/WebtrendsLive Not disinfected D:\Documents and Settings\Will\Application Data\Netscape\NSB\Profiles\zr2mgkuu.default\cookie s.txt[S008-00-11-20-204853-37351]
Spyware:Cookie/WebtrendsLive Not disinfected D:\Documents and Settings\Will\Application Data\Netscape\NSB\Profiles\zr2mgkuu.default\cookie s.txt[S153481]
Spyware:Cookie/WebtrendsLive Not disinfected D:\Documents and Settings\Will\Application Data\Netscape\NSB\Profiles\zr2mgkuu.default\cookie s.txt[S123612]
Spyware:Cookie/WebtrendsLive Not disinfected D:\Documents and Settings\Will\Application Data\Netscape\NSB\Profiles\zr2mgkuu.default\cookie s.txt[S151323]
Possible Virus. Not disinfected D:\Documents and Settings\Will\Desktop\Stuff\Programs\Alcohol 120%\Alcohol.120.v1.9.5.2802.WinALL.Cracked.FULLY. WORKING-DVT.ZIP[crack.exe]
Possible Virus. Not disinfected D:\Documents and Settings\Will\Desktop\Stuff\Programs\BrainsBreaker \Cr-bb31k.exe
Spyware:Cookie/Adscpm Not disinfected D:\Old Computer\Drive D\Documents and Settings\Cathy\Cookies\cathy@adscpm[1].txt
Spyware:Cookie/Atwola Not disinfected D:\Old Computer\Drive D\Documents and Settings\Cathy\Cookies\cathy@atwola[2].txt
Spyware:Cookie/go Not disinfected D:\Old Computer\Drive D\Documents and Settings\Cathy\Cookies\cathy@go[1].txt
Spyware:Cookie/Rn11 Not disinfected D:\Old Computer\Drive D\Documents and Settings\Cathy\Cookies\cathy@rn11[1].txt
Spyware:Cookie/Santa Monica networks inc Not disinfected D:\Old Computer\Drive D\Documents and Settings\Cathy\Cookies\cathy@smni[1].txt
Spyware:Cookie/Target Not disinfected D:\Old Computer\Drive D\Documents and Settings\Cathy\Cookies\cathy@target[1].txt
Spyware:Cookie/Eyeblaster Not disinfected D:\Old Computer\Drive D\Documents and Settings\Cathy\Cookies\cathy@www.eyeblaster-ds[2].txt
Adware:Adware/IPInsight Not disinfected D:\Old Computer\Drive D\Documents and Settings\Cathy\Local Settings\Temp\alchem.inf
Adware:Adware/IPInsight Not disinfected D:\Old Computer\Drive D\Documents and Settings\Cathy\Local Settings\Temp\alchem.ini
Adware:Adware/Twain-Tech Not disinfected D:\Old Computer\Drive D\Documents and Settings\Cathy\Local Settings\Temp\THI6F38.tmp\twaintec.inf
Spyware:Cookie/Gorillanation Not disinfected D:\Old Computer\Drive D\Documents and Settings\Will\Cookies\will@ads.gorillanation[1].txt
Spyware:Cookie/Atwola Not disinfected D:\Old Computer\Drive D\Documents and Settings\Will\Cookies\will@atwola[2].txt
Spyware:Cookie/Kazaa Networks Not disinfected D:\Old Computer\Drive D\Documents and Settings\Will\Cookies\will@desktop.kazaa[2].txt
Spyware:Cookie/Powerscan Not disinfected D:\Old Computer\Drive D\Documents and Settings\Will\Cookies\will@gammae[2].txt
Spyware:Cookie/go Not disinfected D:\Old Computer\Drive D\Documents and Settings\Will\Cookies\will@go[2].txt
Spyware:Cookie/LinkExchange Not disinfected D:\Old Computer\Drive D\Documents and Settings\Will\Cookies\will@linkexchange[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected D:\Old Computer\Drive D\Documents and Settings\Will\Cookies\will@offeroptimizer[1].txt
Spyware:Cookie/Rn11 Not disinfected D:\Old Computer\Drive D\Documents and Settings\Will\Cookies\will@rn11[2].txt
Spyware:Cookie/Affiliate fuel Not disinfected D:\Old Computer\Drive D\Documents and Settings\Will\Cookies\will@www.affiliatefuel[1].txt
Spyware:Cookie/GangbangSquad Not disinfected D:\Old Computer\Drive D\Documents and Settings\Will\Cookies\will@www.gangbangsquad[1].txt
Adware:Adware/IST.ISTBar Not disinfected D:\Old Computer\Drive D\Documents and Settings\Will\Local Settings\Temporary Internet Files\Content.IE5\NQGN7DWT\d[1].htm
Possible Virus. Not disinfected D:\Old Computer\Drive D\Games\BrainsBreaker\Cr-bb31k.exe
Adware:Adware/IPInsight Not disinfected D:\Old Computer\Drive D\WINDOWS\alchem.ini
Adware:Adware/IPInsight Not disinfected D:\Old Computer\Drive D\WINDOWS\inf\alchem.inf
Adware:Adware/Twain-Tech Not disinfected D:\Old Computer\Drive D\WINDOWS\inf\twaintec.inf


And finally HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 8:20:19 AM, on 3/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Utility\CounterSpy\Consumer\sunThreatEngine.exe
C:\Utility\CounterSpy\Consumer\SunProtectionServer .exe
C:\Drivers\Logitech\iTouch\iTouch\iTouch.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Utility\DAEMON Tools\daemon.exe
C:\Drivers\Logitech\MouseWare\MouseWare\system\em_ exec.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\Utility\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Internet\Netscape\netscape.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Utility\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Word Processing\Acrobat Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utility\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Drivers\Logitech\iTouch\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Utility\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [avast!] C:\Utility\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunServer] C:\Utility\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open PDF in Word - res://C:\Utility\OmniPage Pro\PdfCnv\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_02\bin\npjpi142_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Internet\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Internet\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1117165599252
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemp...ogin-devel.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...24/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C253BA57-2434-4ACD-8B87-F3443DC4CF5B}: NameServer = 207.69.188.185,207.69.188.186
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


By the way, CounterSpy ran itself again while Pandasoft was running and it came up clean.

So, I have this Bagle virus... How do I get rid of it when it is disabling all of my antivirus software?

Hi,


Download KillBox from here:---Please download TheKillbox by Option^Explicit.
from here:
http://downloads.subratam.org/KillBox.zip
or here:
http://download.broadbandmedic.com/
or here:
http://www.bleepingcomputer.com/file...re/KillBox.zip
Unzip it to the desktop but do NOT run it yet.

1) Open up kill box now.

2) Select "Delete on Reboot".

3) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\wintems.exe
D:\Documents and Settings\Cathy\Application Data\hidires\hidr.exe
D:\Documents and Settings\Cathy\Application Data\hidires\m_hook.sys
D:\Old Computer\Drive D\Documents and Settings\Cathy\Local Settings\Temp\alchem.inf
D:\Old Computer\Drive D\Documents and Settings\Cathy\Local Settings\Temp\THI6F38.tmp\twaintec.inf
D:\Old Computer\Drive D\Documents and Settings\Will\Local Settings\Temporary Internet Files\Content.IE5\NQGN7DWT\d[1].htm
D:\Old Computer\Drive D\Games\BrainsBreaker\Cr-bb31k.exe
D:\Old Computer\Drive D\WINDOWS\alchem.ini
D:\Old Computer\Drive D\WINDOWS\inf\alchem.inf
D:\Old Computer\Drive D\WINDOWS\inf\twaintec.inf


4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.


Rescan with panda and post the log and a new hijackthis log please.