Very bad virus

Here's my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 3:19:29 PM, on 10/22/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\3ABC.tmp
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\TEMP\12E0.tmp
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\TEMP\EBD4.tmp
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 84.252.148.80 www.bankone.com
O1 - Hosts: 84.252.148.80 bankone.com
O1 - Hosts: 84.252.148.80 halifax.com
O1 - Hosts: 84.252.148.80 www.halifax.com
O1 - Hosts: 84.252.148.80 halifax.co.uk
O1 - Hosts: 84.252.148.80 www.halifax.co.uk
O1 - Hosts: 84.252.148.80 www.bankofamerica.com
O1 - Hosts: 84.252.148.80 bankofamerica.com
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.com
O1 - Hosts: 84.252.148.80 lloydstsb.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 www.garanti.com.tr
O1 - Hosts: 84.252.148.80 garanti.com.tr
O1 - Hosts: 84.252.148.80 www.kocbank.com.tr
O1 - Hosts: 84.252.148.80 kocbank.com.tr
O1 - Hosts: 84.252.148.80 www.disbank.com.tr
O1 - Hosts: 84.252.148.80 disbank.com.tr
O1 - Hosts: 84.252.148.80 www.chase.com
O1 - Hosts: 84.252.148.80 chase.com
O1 - Hosts: 84.252.148.80 www.southtrust.com
O1 - Hosts: 84.252.148.80 southtrust.com
O1 - Hosts: 84.252.148.80 www.wachovia.com
O1 - Hosts: 84.252.148.80 wachovia.com
O1 - Hosts: 84.252.148.80 www.wellsfargo.com
O1 - Hosts: 84.252.148.80 wellsfargo.com
O1 - Hosts: 84.252.148.80 www.barclays.co.uk
O1 - Hosts: 84.252.148.80 barclays.co.uk
O1 - Hosts: 84.252.148.80 www.barclays.com
O1 - Hosts: 84.252.148.80 barclays.com
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.citi.com
O1 - Hosts: 84.252.148.80 citi.com
O1 - Hosts: 84.252.148.80 www.citibank.com
O1 - Hosts: 84.252.148.80 citibank.com
O1 - Hosts: 84.252.148.80 www.etrade.com
O1 - Hosts: 84.252.148.80 etrade.com
O1 - Hosts: 84.252.148.80 www.neteller.com
O1 - Hosts: 84.252.148.80 neteller.com
O1 - Hosts: 84.252.148.80 tcfbank.com
O1 - Hosts: 84.252.148.80 www.tcfbank.com
O1 - Hosts: 84.252.148.80 hsbc.com
O1 - Hosts: 84.252.148.80 www.hsbc.com
O1 - Hosts: 84.252.148.80 hsbc.co.uk
O1 - Hosts: 84.252.148.80 www.hsbc.co.uk
O1 - Hosts: 84.252.148.80 aol.com
O1 - Hosts: 84.252.148.80 www.aol.com
O1 - Hosts: 84.252.148.80 comerica.com
O1 - Hosts: 84.252.148.80 www.comerica.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ib.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\System32\ib8.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {ABE45433-E5DB-B22A-FE1A-CB5E151B62C5} - C:\WINDOWS\System32\zknp.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVSS.dll
O2 - BHO: (no name) - {F1727CF9-C443-CEE4-3440-BB29D2F73CC1} - C:\WINDOWS\System32\goyp.dll
O2 - BHO: (no name) - {F1737FF5-9312-C8B0-6340-BB29D7FB36C4} - C:\WINDOWS\System32\cjh.dll
O2 - BHO: (no name) - {F80649FB-A643-A8BE-6773-DD3FF60939C5} - C:\WINDOWS\System32\qzhhb.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\Run: [HotKeysCmd] C:\WINDOWS\System32\system.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [LanzarP2006] "C:\DOCUME~1\mine\LOCALS~1\Temp\{C55CBAC3-428F-430E-8578-F0DCB28B5133}\{EEBA9416-3207-47E0-9022-116440599DBC}\..\..\P2006tmp\Install.exe" /SETUP:"/l0x0009"
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\System32\dcdfknfb.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Something called BraveSentry installed itself on my computer while I was trying to find an adware scanner. It won't even let me into my accounts on my normal computer. I'm in safe mode right now. It scans for a long time when I do log in, then starts going weird and freezes up. Thanks.

Comments

  • skywalker45 Bloomington, IN. USA
    edited March 2006
    Yes, you've got it real bad. But before we begin: you are currently running HijackThis from here:

    C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

    This is a temporary directory. Please make a folder here:

    C:\HJT

    Move the HijackThis program here, or alternatively drag the file HijackThis.exe to your desktop. We need to get it out of the temp directory. Post another log after you've done this.
  • edited March 2006
    Here's the new one.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:58:32 PM, on 10/22/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\TEMP\3ABC.tmp
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\TEMP\12E0.tmp
    C:\WINDOWS\TEMP\D26C.tmp
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 84.252.148.80 www.bankone.com
    O1 - Hosts: 84.252.148.80 bankone.com
    O1 - Hosts: 84.252.148.80 halifax.com
    O1 - Hosts: 84.252.148.80 www.halifax.com
    O1 - Hosts: 84.252.148.80 halifax.co.uk
    O1 - Hosts: 84.252.148.80 www.halifax.co.uk
    O1 - Hosts: 84.252.148.80 www.bankofamerica.com
    O1 - Hosts: 84.252.148.80 bankofamerica.com
    O1 - Hosts: 84.252.148.80 www.paypal.com
    O1 - Hosts: 84.252.148.80 paypal.com
    O1 - Hosts: 84.252.148.80 www.lloydstsb.com
    O1 - Hosts: 84.252.148.80 lloydstsb.com
    O1 - Hosts: 84.252.148.80 www.lloydstsb.co.uk
    O1 - Hosts: 84.252.148.80 lloydstsb.co.uk
    O1 - Hosts: 84.252.148.80 www.garanti.com.tr
    O1 - Hosts: 84.252.148.80 garanti.com.tr
    O1 - Hosts: 84.252.148.80 www.kocbank.com.tr
    O1 - Hosts: 84.252.148.80 kocbank.com.tr
    O1 - Hosts: 84.252.148.80 www.disbank.com.tr
    O1 - Hosts: 84.252.148.80 disbank.com.tr
    O1 - Hosts: 84.252.148.80 www.chase.com
    O1 - Hosts: 84.252.148.80 chase.com
    O1 - Hosts: 84.252.148.80 www.southtrust.com
    O1 - Hosts: 84.252.148.80 southtrust.com
    O1 - Hosts: 84.252.148.80 www.wachovia.com
    O1 - Hosts: 84.252.148.80 wachovia.com
    O1 - Hosts: 84.252.148.80 www.wellsfargo.com
    O1 - Hosts: 84.252.148.80 wellsfargo.com
    O1 - Hosts: 84.252.148.80 www.barclays.co.uk
    O1 - Hosts: 84.252.148.80 barclays.co.uk
    O1 - Hosts: 84.252.148.80 www.barclays.com
    O1 - Hosts: 84.252.148.80 barclays.com
    O1 - Hosts: 84.252.148.80 www.barclays.pt
    O1 - Hosts: 84.252.148.80 barclays.pt
    O1 - Hosts: 84.252.148.80 www.barclays.pt
    O1 - Hosts: 84.252.148.80 barclays.pt
    O1 - Hosts: 84.252.148.80 www.citi.com
    O1 - Hosts: 84.252.148.80 citi.com
    O1 - Hosts: 84.252.148.80 www.citibank.com
    O1 - Hosts: 84.252.148.80 citibank.com
    O1 - Hosts: 84.252.148.80 www.etrade.com
    O1 - Hosts: 84.252.148.80 etrade.com
    O1 - Hosts: 84.252.148.80 www.neteller.com
    O1 - Hosts: 84.252.148.80 neteller.com
    O1 - Hosts: 84.252.148.80 tcfbank.com
    O1 - Hosts: 84.252.148.80 www.tcfbank.com
    O1 - Hosts: 84.252.148.80 hsbc.com
    O1 - Hosts: 84.252.148.80 www.hsbc.com
    O1 - Hosts: 84.252.148.80 hsbc.co.uk
    O1 - Hosts: 84.252.148.80 www.hsbc.co.uk
    O1 - Hosts: 84.252.148.80 aol.com
    O1 - Hosts: 84.252.148.80 www.aol.com
    O1 - Hosts: 84.252.148.80 comerica.com
    O1 - Hosts: 84.252.148.80 www.comerica.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ib.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\System32\ib8.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {ABE45433-E5DB-B22A-FE1A-CB5E151B62C5} - C:\WINDOWS\System32\zknp.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVSS.dll
    O2 - BHO: (no name) - {F1727CF9-C443-CEE4-3440-BB29D2F73CC1} - C:\WINDOWS\System32\goyp.dll
    O2 - BHO: (no name) - {F1737FF5-9312-C8B0-6340-BB29D7FB36C4} - C:\WINDOWS\System32\cjh.dll
    O2 - BHO: (no name) - {F80649FB-A643-A8BE-6773-DD3FF60939C5} - C:\WINDOWS\System32\qzhhb.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
    O4 - HKLM\..\Run: [HotKeysCmd] C:\WINDOWS\System32\system.exe
    O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
    O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
    O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
    O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
    O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
    O4 - HKLM\..\Run: [LanzarP2006] "C:\DOCUME~1\mine\LOCALS~1\Temp\{C55CBAC3-428F-430E-8578-F0DCB28B5133}\{EEBA9416-3207-47E0-9022-116440599DBC}\..\..\P2006tmp\Install.exe" /SETUP:"/l0x0009"
    O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
    O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
    O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
    O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\System32\dcdfknfb.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • skywalker45 Bloomington, IN. USA
    edited March 2006
    OK, now a question before we begin. Are you able to surf to any internet sites, particularly security sites, using the infected PC? Cleaning this PC might take a while, so be prepared and stick with me for the long haul.
  • edited March 2006
    I can surf the internet, and by secure do you mean sites giving me this:

    Security Alert

    Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the site's security certificate.
    Etc..

    That is Yahoo's mail page.
  • skywalker45 Bloomington, IN. USA
    edited March 2006
    No, I don't mean that. That's OK. Some viruses will prevent you from visiting online virus scanners, etc. So, with that said, what I would like you to do first is run two online virus scans. From my signature below, please run a Panda ActiveScan. At the end of the scan the scanner will generate a log. Save that log file. Next visit Kaspersky, also from my signature, and run a scan there. It too will generate a log. Save that log as well. Once you have done this, please reboot the PC and post back here with the Panda, Kaspersky, and a fresh HijackThis log.
  • edited March 2006
    Strange. After I click yes to "I trust Panda" and all that, it just freezes. Also, Kaspersky AV goes to a "This page cannot be displayed" page.

    I'm guessing it's because I'm in safe mode?
  • skywalker45 Bloomington, IN. USA
    edited March 2006
    Can you surf to these sites in normal mode? Are you using Safe Mode with Networking, and do you have a broadband connection? Try these scans in normal mode. If you can't use these sites, then the malware could be preventing it. It usually does this by altering the hosts file. If this is the case we'll need to kill a lot of this stuff manually and then do a clean-up scan later. Please let me know the answers to the above.
    :)
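The hosts-file tampering skywalker45 describes, and the other indicators visible in the logs posted above (a process running out of C:\WINDOWS\TEMP, Run keys named after winlogon.exe and svchost.exe that point outside system32, several copies of winlogon.exe, unknown Winlogon Notify DLLs), can be checked mechanically instead of by eye. The script below is an added example written for this page; it is not part of the thread and not part of HijackThis. It parses HijackThis-style lines and returns a list of findings. SAMPLE_LOG is a constructed excerpt of the log posted above plus one benign localhost line, KNOWN_NOTIFY is an assumed allowlist based on the Winlogon Notify packages Windows XP ships with, and the rule names are this example's own.

```python
"""Triage HijackThis log lines for the indicators seen in this thread.

Added example, not part of the thread or of HijackThis itself. SAMPLE_LOG
is a constructed excerpt of the log posted above plus one benign line;
KNOWN_NOTIFY is an assumed allowlist based on Windows XP defaults.
"""
import ipaddress
import ntpath
import re
from collections import defaultdict

# Core Windows binaries and the directory each is expected to run from.
# They are started by the kernel or the service control manager, never
# from a Run key, so a Run entry using one of these names is a fake.
CORE_BINARIES = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# On a single-session XP box these run exactly once.
SINGLETONS = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
# Winlogon Notify packages shipped with Windows XP (assumption).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
O1_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.IGNORECASE)

# Constructed sample: excerpt of the posted log plus a benign localhost line.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\3ABC.tmp
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Internet Explorer\iexplore.exe

O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.bankofamerica.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
"""


def _in_temp(path_lower: str) -> bool:
    """True for anything executing out of a Temp directory or as a .tmp file."""
    return "\\temp\\" in path_lower or path_lower.endswith(".tmp")


def _check_binary(path: str, context: str, line: str, findings: list) -> None:
    """Flag temp-directory execution and core-binary name masquerades."""
    low = path.lower()
    base = ntpath.basename(low)
    if _in_temp(low):
        findings.append({"rule": f"{context}: runs from a temp location", "line": line})
    if base not in CORE_BINARIES:
        return
    if context == "Run key":
        findings.append({"rule": "Run key: core system binary name (masquerade)", "line": line})
    elif ntpath.dirname(low) != CORE_BINARIES[base]:
        findings.append({"rule": "Process: core binary name outside its home directory", "line": line})


def triage(log_text: str) -> list:
    """Return a list of {'rule', 'line'} findings for a HijackThis log."""
    findings = []
    redirects = defaultdict(list)   # non-loopback address -> hostnames mapped to it
    proc_counts = defaultdict(int)  # basename -> number of running instances
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROCESS_RE.match(line):
            proc_counts[ntpath.basename(line.lower())] += 1
            _check_binary(line, "Process", line, findings)
            continue
        m = O1_RE.match(line)
        if m:
            addr, host = m.groups()
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                findings.append({"rule": "Hosts: unparseable address", "line": line})
                continue
            # 127.x / ::1 and 0.0.0.0 are normal (ad blocking); anything else is a redirect.
            if not (ip.is_loopback or ip.is_unspecified):
                redirects[addr].append(host)
            continue
        m = O4_RE.match(line)
        if m:
            e = EXE_RE.match(m.group("cmd"))
            if e:
                _check_binary(e.group("exe"), "Run key", line, findings)
            continue
        m = O20_RE.match(line)
        if m and m.group(1).lower() not in KNOWN_NOTIFY:
            findings.append({"rule": "Winlogon Notify: package not in XP allowlist", "line": line})
    for addr, hosts in redirects.items():
        findings.append({"rule": f"Hosts: {len(hosts)} name(s) redirected to {addr}",
                         "line": ", ".join(hosts)})
    for base, n in proc_counts.items():
        if base in SINGLETONS and n > 1:
            findings.append({"rule": f"Process: {n} instances of singleton {base}", "line": base})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['line']}")
```

The rules are deliberately narrow so that the output is a review list rather than a verdict: a single hosts entry that points somewhere other than loopback can be legitimate on a corporate machine, but dozens of banking domains all resolving to one address, as in the posted log, is the classic pharming pattern and also explains why a browser would show certificate warnings for those sites. The same O1 logic can be pointed at the live file at %SystemRoot%\system32\drivers\etc\hosts by feeding its lines in with an "O1 - Hosts: " prefix.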
  • edited March 2006
    Strange, Panda is working now.

    Also, I am in Safe Mode with Networking, and I do have broadband.
  • edited March 2006
    I can't do everything you said (the Kaspersky scan), but I did what I could.


    Incident Status Location

    Adware:Adware/PurityScan Not disinfected C:\PROGRA~1\SSTEM~1\USERINIT.EXE
    Adware:Adware/BraveSentry Not disinfected C:\WINDOWS\XPUPDATE.EXE
    Virus:W32/Locksky.CE.worm Not disinfected Operating system
    Possible Virus. Not disinfected C:\WINDOWS\SYSTEM32\SYSTEM.EXE
    Adware:Adware/Tibs Not disinfected C:\WINDOWS\SYSTEM32\KERNELS8.EXE
    Adware:adware/purityscan Not disinfected C:\Documents and Settings\daniel\Local Settings\Temp\!update.exe
    Adware:adware/adsmart Not disinfected C:\Documents and Settings\daniel\Local Settings\Temp\qvxt1.game
    Adware:adware/spysheriff Not disinfected C:\WINDOWS\SYSTEM32\kernels8.exe
    Dialer:dialer.xd Not disinfected C:\WINDOWS\SYSTEM32\vbsys2.dll
    Adware:adware/bravesentry Not disinfected C:\WINDOWS\xpupdate.exe
    Potentially unwanted tool:application/bravesentry Not disinfected C:\PROGRAM FILES\BraveSentry
    Adware:adware/secure32 Not disinfected C:\WINDOWS\System32\drivers\etc\hosts
    Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\daniel\Local Settings\Temp\!update.exe
    Virus:Trj/Downloader.IFX Not disinfected C:\Documents and Settings\daniel\Local Settings\Temp\9.tmp
    Virus:Trj/Downloader.IFX Not disinfected C:\Documents and Settings\daniel\Local Settings\Temp\A.tmp
    Adware:Adware/Adsmart Not disinfected C:\Documents and Settings\daniel\Local Settings\Temp\qvxt2.game
    Virus:Trj/Banker.CKO Not disinfected C:\Documents and Settings\daniel\Local Settings\Temp\qvxt3.game
    Adware:Adware/Adsmart Not disinfected C:\Documents and Settings\daniel\Local Settings\Temp\qvxt4.game
    Spyware:Cookie/Buydomains Not disinfected C:\Documents and Settings\mine\Cookies\mine@www47.buydomains[1].txt
    Spyware:Cookie/Seeq Not disinfected C:\Documents and Settings\mine\Cookies\mine@www48.seeq[1].txt
    Virus:Trj/Downloader.IFX Not disinfected C:\Documents and Settings\mine\Local Settings\Temp\18.tmp
    Virus:Trj/Downloader.IFX Not disinfected C:\Documents and Settings\mine\Local Settings\Temp\19.tmp
    Adware:Adware/BraveSentry Not disinfected C:\Documents and Settings\mine\Local Settings\Temp\2.dlb
    Virus:Trj/Downloader.IFX Not disinfected C:\Documents and Settings\mine\Local Settings\Temp\C.tmp
    Virus:Trj/Downloader.IFX Not disinfected C:\Documents and Settings\mine\Local Settings\Temp\D.tmp
    Dialer:Dialer.FGG Not disinfected C:\Documents and Settings\mine\Local Settings\Temp\maxdd.game
    Adware:Adware/Adsmart Not disinfected C:\Documents and Settings\mine\Local Settings\Temp\qvxt3.game
    Adware:Adware/Adsmart Not disinfected C:\Documents and Settings\mine\Local Settings\Temp\qvxt4.game
    Adware:Adware/Adsmart Not disinfected C:\Documents and Settings\mine\Local Settings\Temp\vx2.game
    Adware:Adware/Adsmart Not disinfected C:\Documents and Settings\mine\Local Settings\Temp\vx3.game
    Virus:W32/Locksky.CE.worm Not disinfected C:\Documents and Settings\mine\Local Settings\Temp\vx6.game
    Potentially unwanted tool:Application/BraveSentry Not disinfected C:\Documents and Settings\mine\Local Settings\Temp\vxt2.game
    Potentially unwanted tool:Application/BraveSentry Not disinfected C:\Program Files\BraveSentry\BraveSentry.exe
    Potentially unwanted tool:Application/BraveSentry Not disinfected C:\Program Files\BraveSentry\BraveSentry0.dll
    Potentially unwanted tool:Application/BraveSentry Not disinfected C:\Program Files\BraveSentry\BraveSentry1.dll
    Adware:Adware/SpySheriff Not disinfected C:\Program Files\BraveSentry\BraveSentry2.dll
    Potentially unwanted tool:Application/BraveSentry Not disinfected C:\Program Files\BraveSentry\BraveSentry3.dll
    Adware:Adware/PurityScan Not disinfected C:\Program Files\s?stem\userinit.exe
    Spyware:Cookie/Doubleclick Not disinfected C:\RECYCLER\NPROTECT\00000001.TXT
    Spyware:Cookie/Doubleclick Not disinfected C:\RECYCLER\NPROTECT\00000002.TXT
    Adware:Adware/PurityScan Not disinfected C:\RECYCLER\NPROTECT\00001633.000
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00001646.exe
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00001647.exe
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00001650.exe
    Virus:Trj/Unkma.A Not disinfected C:\RECYCLER\NPROTECT\00001746.dll
    Adware:Adware/BraveSentry Not disinfected C:\RECYCLER\NPROTECT\00001752.DLL
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00001756.EXE
    Virus:Trj/Unkma.A Not disinfected C:\RECYCLER\NPROTECT\00001810.dll
    Adware:Adware/BraveSentry Not disinfected C:\RECYCLER\NPROTECT\00001827.DLL
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00001832.EXE
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00001888.exe
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00001889.exe
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00001890.exe
    Adware:Adware/PurityScan Not disinfected C:\RECYCLER\NPROTECT\00001910.exe
    Potentially unwanted tool:Application/BraveSentry Not disinfected C:\RECYCLER\NPROTECT\00001980.EXE
    Potentially unwanted tool:Application/BraveSentry Not disinfected C:\RECYCLER\NPROTECT\00001982.DLL
    Potentially unwanted tool:Application/BraveSentry Not disinfected C:\RECYCLER\NPROTECT\00001984.DLL
    Adware:Adware/SpySheriff Not disinfected C:\RECYCLER\NPROTECT\00001985.DLL
    Potentially unwanted tool:Application/BraveSentry Not disinfected C:\RECYCLER\NPROTECT\00001986.DLL
    Adware:Adware/BraveSentry Not disinfected C:\RECYCLER\NPROTECT\00002162.DLL
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00002166.EXE
    Spyware:Cookie/Doubleclick Not disinfected C:\RECYCLER\NPROTECT\00002197.TXT
    Spyware:Cookie/Overture Not disinfected C:\RECYCLER\NPROTECT\00002198.TXT
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00002235.exe
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00002238.exe
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00002239.exe
    Adware:Adware/PurityScan Not disinfected C:\RECYCLER\NPROTECT\00002251.exe
    Adware:Adware/PurityScan Not disinfected C:\RECYCLER\NPROTECT\00002264.exe
    Adware:Adware/PurityScan Not disinfected C:\RECYCLER\NPROTECT\00002265.000
    Spyware:Cookie/Enhance Not disinfected C:\RECYCLER\NPROTECT\00002341.TXT
    Spyware:Cookie/Statcounter Not disinfected C:\RECYCLER\NPROTECT\00002346.TXT
    Adware:Adware/BraveSentry Not disinfected C:\RECYCLER\NPROTECT\00002406.DLL
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00002408.EXE
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00002423.exe
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00002426.exe
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00002427.exe
    Adware:Adware/PurityScan Not disinfected C:\RECYCLER\NPROTECT\00002449.exe
    Virus:Trj/Unkma.A Not disinfected C:\RECYCLER\NPROTECT\00002563.dll
    Adware:Adware/BraveSentry Not disinfected C:\RECYCLER\NPROTECT\00002570.DLL
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00002573.EXE
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00002603.exe
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00002608.exe
    Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00002613.exe
    Adware:Adware/PurityScan Not disinfected C:\RECYCLER\NPROTECT\00002666.exe
    Virus:Trj/Unkma.A Not disinfected C:\RECYCLER\NPROTECT\00002682.dll
    Virus:Trj/Unkma.A Not disinfected C:\RECYCLER\NPROTECT\00002707.dll
    Virus:Trj/Unkma.A Not disinfected C:\RECYCLER\NPROTECT\00002807.dll
    Spyware:Cookie/myaffiliateprogram Not disinfected C:\RECYCLER\NPROTECT\00002909.TXT
    Adware:Adware/Tibs Not disinfected C:\t.inx
    Adware:Adware/PurityScan Not disinfected C:\vbsys2.dll
    Virus:Trj/Unkma.A Not disinfected C:\WINDOWS\comdlj32.dll
    Possible Virus. Not disinfected C:\WINDOWS\system32\bak.tmp
    Virus:W32/Locksky.CE.worm Not disinfected C:\WINDOWS\system32\comdlg64.dll
    Virus:Bck/Small.SH Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OVFPTUTI\tt[1].exe
    Adware:Adware/BraveSentry Not disinfected C:\WINDOWS\system32\dlh9jkdq2.exe
    Adware:Adware/BraveSentry Not disinfected C:\WINDOWS\system32\IeHelperExVSS.dll
    Adware:Adware/Tibs Not disinfected C:\WINDOWS\system32\kernels8.exe
    Virus:Trj/Jupillites.D Not disinfected C:\WINDOWS\system32\mspostsp.exe
    Virus:Trj/Raser.C Not disinfected C:\WINDOWS\system32\msupdate32.dll
    Virus:Trj/Downloader.IFX Not disinfected C:\WINDOWS\system32\senssrv.dll
    Virus:Trj/ProxyAgent.A Not disinfected C:\WINDOWS\system32\spoolsvv.exe
    Possible Virus. Not disinfected C:\WINDOWS\system32\system.exe
    Virus:W32/Locksky.CE.worm Not disinfected C:\WINDOWS\system32\sysvx.exe
    Virus:Trj/Lager.AI Not disinfected C:\WINDOWS\system32\taskdir.dll
    Adware:Adware/PurityScan Not disinfected C:\WINDOWS\system32\vbsys2.dll
    Potentially unwanted tool:Application/BraveSentry Not disinfected C:\WINDOWS\system32\vxgamet2.exe
    Virus:W32/Locksky.CE.worm Not disinfected C:\WINDOWS\sysvx_.exe
    Virus:Bck/Small.SH Not disinfected C:\WINDOWS\Temp\9171.tmp
    Adware:Adware/BraveSentry Not disinfected C:\WINDOWS\xpupdate.exe
    Adware:Adware/PurityScan Not disinfected C:\WINDOWS\??mantec\wucrtupd.exe
    There's the Panda scan.

    Here's HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:20:58 PM, on 10/24/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\TEMP\8319.tmp
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phillipswest.org
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
    O1 - Hosts: 84.252.148.80 www.bankone.com
    O1 - Hosts: 84.252.148.80 bankone.com
    O1 - Hosts: 84.252.148.80 halifax.com
    O1 - Hosts: 84.252.148.80 www.halifax.com
    O1 - Hosts: 84.252.148.80 halifax.co.uk
    O1 - Hosts: 84.252.148.80 www.halifax.co.uk
    O1 - Hosts: 84.252.148.80 www.bankofamerica.com
    O1 - Hosts: 84.252.148.80 bankofamerica.com
    O1 - Hosts: 84.252.148.80 www.paypal.com
    O1 - Hosts: 84.252.148.80 paypal.com
    O1 - Hosts: 84.252.148.80 www.lloydstsb.com
    O1 - Hosts: 84.252.148.80 lloydstsb.com
    O1 - Hosts: 84.252.148.80 www.lloydstsb.co.uk
    O1 - Hosts: 84.252.148.80 lloydstsb.co.uk
    O1 - Hosts: 84.252.148.80 www.garanti.com.tr
    O1 - Hosts: 84.252.148.80 garanti.com.tr
    O1 - Hosts: 84.252.148.80 www.kocbank.com.tr
    O1 - Hosts: 84.252.148.80 kocbank.com.tr
    O1 - Hosts: 84.252.148.80 www.disbank.com.tr
    O1 - Hosts: 84.252.148.80 disbank.com.tr
    O1 - Hosts: 84.252.148.80 www.chase.com
    O1 - Hosts: 84.252.148.80 chase.com
    O1 - Hosts: 84.252.148.80 www.southtrust.com
    O1 - Hosts: 84.252.148.80 southtrust.com
    O1 - Hosts: 84.252.148.80 www.wachovia.com
    O1 - Hosts: 84.252.148.80 wachovia.com
    O1 - Hosts: 84.252.148.80 www.wellsfargo.com
    O1 - Hosts: 84.252.148.80 wellsfargo.com
    O1 - Hosts: 84.252.148.80 www.barclays.co.uk
    O1 - Hosts: 84.252.148.80 barclays.co.uk
    O1 - Hosts: 84.252.148.80 www.barclays.com
    O1 - Hosts: 84.252.148.80 barclays.com
    O1 - Hosts: 84.252.148.80 www.barclays.pt
    O1 - Hosts: 84.252.148.80 barclays.pt
    O1 - Hosts: 84.252.148.80 www.barclays.pt
    O1 - Hosts: 84.252.148.80 barclays.pt
    O1 - Hosts: 84.252.148.80 online.cassarimini.it
    O1 - Hosts: 84.252.148.80 www.citi.com
    O1 - Hosts: 84.252.148.80 citi.com
    O1 - Hosts: 84.252.148.80 www.citibank.com
    O1 - Hosts: 84.252.148.80 citibank.com
    O1 - Hosts: 84.252.148.80 www.etrade.com
    O1 - Hosts: 84.252.148.80 etrade.com
    O1 - Hosts: 84.252.148.80 www.neteller.com
    O1 - Hosts: 84.252.148.80 neteller.com
    O1 - Hosts: 84.252.148.80 tcfbank.com
    O1 - Hosts: 84.252.148.80 www.tcfbank.com
    O1 - Hosts: 84.252.148.80 hsbc.com
    O1 - Hosts: 84.252.148.80 www.hsbc.com
    O1 - Hosts: 84.252.148.80 hsbc.co.uk
    O1 - Hosts: 84.252.148.80 www.hsbc.co.uk
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: ib.CBrowserHelper - {1E6CE4CD-161B-4847-B8BF-E2EF72299D69} - C:\WINDOWS\System32\ib8.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {AB0419F8-F610-AEEC-3673-DD3FF60960CF} - C:\WINDOWS\System32\xpoiq.dll
    O2 - BHO: (no name) - {ABE45433-E5DB-B22A-FE1A-CB5E151B62C5} - C:\WINDOWS\System32\zknp.dll (file missing)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperExVSS.dll
    O2 - BHO: (no name) - {F1727CF9-C443-CEE4-3440-BB29D2F73CC1} - C:\WINDOWS\System32\goyp.dll
    O2 - BHO: (no name) - {F80649FB-A643-A8BE-6773-DD3FF60939C5} - C:\WINDOWS\System32\qzhhb.dll
    O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
    O4 - HKLM\..\Run: [HotKeysCmd] C:\WINDOWS\System32\system.exe
    O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
    O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
    O4 - HKLM\..\Run: [sysvx] C:\WINDOWS\sysvx_.exe
    O4 - HKLM\..\Run: [WindowsUpdate] C:\WINDOWS\System\svchost.exe /s
    O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
    O4 - HKLM\..\Run: [LanzarP2006] "C:\DOCUME~1\mine\LOCALS~1\Temp\{C55CBAC3-428F-430E-8578-F0DCB28B5133}\{EEBA9416-3207-47E0-9022-116440599DBC}\..\..\P2006tmp\Install.exe" /SETUP:"/l0x0009"
    O4 - HKLM\..\Run: [Microsoft Windows Logon Process] C:\WINDOWS\winlogon.exe
    O4 - HKLM\..\Run: [Microsoft Windows Session Manager Subsystem] C:\WINDOWS\smss.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - HKCU\..\Run: [Aida] "C:\PROGRA~1\SSTEM~1\userinit.exe" -vt yazr
    O4 - HKCU\..\Run: [Afuvost] C:\WINDOWS\system32\F?nts\r?gsvr32.exe
    O4 - HKCU\..\Run: [BraveSentry] C:\Program Files\BraveSentry\BraveSentry.exe
    O4 - HKCU\..\Run: [Key] C:\DOCUME~1\daniel\LOCALS~1\Temp\16.tmp
    O4 - HKCU\..\Run: [WinMedia] "C:\DOCUME~1\daniel\LOCALS~1\Temp\B.tmp3584.exe"
    O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\System32\taskdir.exe
    O4 - HKCU\..\Run: [Ai] "C:\PROGRA~1\SSTEM~1\userinit.exe" -vt yazr
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
    O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - (no file)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
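As an added example (not part of the posted log or the helper's reply), a small Python script that parses HijackThis O1 and O4 lines and flags what a reviewer looks for in the log above: one non-loopback address shared by many bank hostnames (a hosts-file pharming pattern), and autorun entries that launch from temp folders or reuse a core system process name outside System32. The sample lines, the `min_hosts` threshold and the `CORE_PROCS` list are assumptions made for the example; the heuristics are deliberately narrow and would not catch every entry in the posted log.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis format, modelled on the posted log (the
# 84.252.148.80 hosts entries are from the log above; the rest are made up).
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 84.252.148.80 www.bankone.com
O1 - Hosts: 84.252.148.80 bankone.com
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [Microsoft Windows Logon Process] C:\\WINDOWS\\winlogon.exe
O4 - HKLM\\..\\Run: [WindowsUpdate] C:\\WINDOWS\\System\\svchost.exe /s
O4 - HKCU\\..\\Run: [Key] C:\\DOCUME~1\\daniel\\LOCALS~1\\Temp\\16.tmp
"""

O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\]\s+(.*)$")
# Core Windows processes that legitimately live only in System32 (assumed list).
CORE_PROCS = {"winlogon.exe", "smss.exe", "svchost.exe", "lsass.exe", "services.exe", "csrss.exe"}

def extract_path(cmd):
    # Quoted command line: take the quoted part; bare one: the first token.
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]

def analyze(log_text, min_hosts=3):
    """Flag many hostnames pinned to one non-loopback IP, and suspicious O4 autoruns."""
    by_ip, autoruns = defaultdict(set), []
    for line in log_text.splitlines():
        m = O1_RE.match(line)
        if m:
            ip, host = m.groups()
            if not ip.startswith("127.") and ip != "::1":  # loopback is normal
                by_ip[ip].add(host.lower())
            continue
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            path = extract_path(cmd).lower()
            folder, _, base = path.rpartition("\\")
            if "\\temp\\" in path or "\\locals~1\\" in path:
                autoruns.append((hive, name, path, "runs from a temp directory"))
            elif base in CORE_PROCS and not folder.endswith("\\system32"):
                autoruns.append((hive, name, path, "core process name outside System32"))
    hijacks = {ip: sorted(h) for ip, h in by_ip.items() if len(h) >= min_hosts}
    return {"hosts_hijack": hijacks, "suspicious_autoruns": autoruns}
```

Run `analyze(SAMPLE_LOG)` to see the single shared IP with its hostnames and the three flagged autoruns; the Symantec entry is left alone.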
  • skywalker45 Bloomington, IN. USA
    edited April 2006
    OK. Still got many things that need to go. We'll take a multi-focal approach here first just to see if this will work. Please download Ewido Anti-Malware from my signature below and follow the instructions listed here:

    • Install Ewido Anti-Malware
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu."
    • Launch ewido, there should be a big "E" icon on your desktop, double-click it.
    • The program will prompt you to update; click the "OK" button
    • The program will now go to the main screen

      You will need to update ewido to the latest definition files.

    • On the left hand side of the main screen click update
    • Click on Start

      The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.

      Once the updates are installed do the following:


    • If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
    • Reboot into Safe Mode; you can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Then, run ewido.
    • Close all open windows/programs/folders. Have nothing else open while ewido performs its scan!
    • Click on scanner
    • Click on Settings
      • Under "How to scan" all boxes should be selected
      • Under "Possibly unwanted software" all boxes should be selected
      • Under "What to scan" select scan every file
      • Click OK
    • Click on Complete system scan
    • Let the program scan the machine
    • If ewido finds anything, it will pop up a notification. Please check the box that says Perform Action with all Infections.
    • Click Save report
    • Save the report to your desktop
    • Exit ewido

    Post back with the Ewido Log and a fresh Hijack This log.