Virus Alert! annoying icon still present!

Hi all,

I hope that I'll get rid of the annoying Virus Alert icons and Spyware Quake that I was infected with through Firefox somewhere on the net.
I followed the manual instructions and the automatic instructions and then scanned my PC with different spyware programs (Ad-Aware, Spybot, ewido, Spy Sweeper, Spyware Doctor), and the computer comes back as clean. It seems to be indeed clean, except for the annoying Virus Alert icon that is visible all the time, with an annoying message that appears periodically: "Your Computer is infected - Critical system error! System detected virus activites. They may....".
It seems that none of the methods and none of the programs could get rid of this icon. (The Panda online scan takes a long time and does not show anything unusual compared with the other logs.)
Maybe they have in the meantime updated some of their annoying tricks to be harder to get rid of. I was infected yesterday.

So here is the HijackThis log, and it looks OK:

Logfile of HijackThis v1.99.1
Scan saved at 10:48:55 AM, on 4/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\Explorer.EXE
I:\Program Files\Babylon\Babylon.exe
I:\WINDOWS\VM_STI.EXE
I:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
I:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
I:\Program Files\ewido update\ewido update.exe
I:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
I:\WINDOWS\system32\rundll32.exe
I:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE
I:\Program Files\F-Secure\Anti-Virus\fssm32.exe
I:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
I:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
I:\WINDOWS\system32\nvsvc32.exe
I:\Program Files\Spyware Doctor\sdhelp.exe
I:\Program Files\Sygate\SPF\smc.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
I:\Program Files\F-Secure\Common\FSMA32.EXE
I:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\Program Files\F-Secure\Common\FSLAUNCH.EXE
I:\Program Files\F-Secure\Common\FSLAUNCH.EXE
C:\Program Files\ewido anti-malware\securitysuite.exe
I:\spyware quake\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - I:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - I:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [F-Secure Manager] "I:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [SmcService] I:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Babylon Client] I:\Program Files\Babylon\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [BigDogPath] I:\WINDOWS\VM_STI.EXE CANYON CN-WCAM23 PC-Camera
O4 - HKLM\..\Run: [VirtualCloneDrive] "I:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [GhostStartTrayApp] I:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE I:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE I:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ewido update] I:\Program Files\ewido update\ewido update.exe
O4 - HKCU\..\Run: [Startup Manager] I:\Documents and Settings\PB\Application Data\Systweak\ASO 2\smstartUp manager.exe
O4 - Startup: Adobe Gamma.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download All by FlashGet - I:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - I:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://I:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Filtering options - res://I:\Program Files\AdPurger\2.51\AdPurger.dll /242
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - I:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: On/Off - {521C05E8-D5C3-42c2-B4CB-11B959140aaa} - I:\Program Files\AdPurger\2.51\AdPurger.dll
O9 - Extra button: (no name) - {521C05E8-D5C3-42c2-B4CB-72B959140E95} - I:\Program Files\AdPurger\2.51\AdPurger.dll
O9 - Extra 'Tools' menuitem: AdPurger... - {521C05E8-D5C3-42c2-B4CB-72B959140E95} - I:\Program Files\AdPurger\2.51\AdPurger.dll
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - I:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ProxyPal - {B0127AF2-316C-4f1d-BF35-3DE43971EEC5} - I:\WINDOWS\system32\proxypal.exe
O9 - Extra 'Tools' menuitem: ProxyPal - {B0127AF2-316C-4f1d-BF35-3DE43971EEC5} - I:\WINDOWS\system32\proxypal.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - I:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - I:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - I:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: SmartWhois - {FD9DE2B4-C926-4460-81C4-FC58C6F1062E} - I:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra button: (no name) - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - I:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O9 - Extra 'Tools' menuitem: SmartWhois - {FF983118-58C7-4AD4-B5A7-691C39CB7B42} - I:\PROGRA~1\SMARTW~1\swmsiehlp.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142636612468
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://cache.hyves.nl/statics/Aurigma/ImageUploader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "I:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - I:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - I:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Secure Gatekeeper Handler Starter - F-Secure Corp. - I:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - I:\Program Files\F-Secure\Common\FNRB32.EXE
O23 - Service: F-Secure Authentication Agent (FSAA) - F-Secure Corporation. All Rights Reserved. - I:\Program Files\F-Secure\Common\FSAA.EXE
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - I:\Program Files\F-Secure\Common\FSMA32.EXE
O23 - Service: GhostStartService - Symantec Corporation - I:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - I:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - I:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - I:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - I:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe





Here is the ewido log:

ewido anti-malware - Scan report

+ Created on: 10:50:08 AM, 4/15/2006
+ Report-Checksum: 270EB1F1

+ Scan result:

No infected objects found.


::Report End




Here is the Spy Sweeper log:


Spy Sweeper will provide you with detailed information about the operations being performed in this area.
Updating spyware definitions from Webroot.com
Please wait... This may take a few minutes...
Your definitions are up to date.

To ensure proper removal of spyware, adware and other unwanted items, be sure to close any programs that are open.
Your Sweep Options indicate the following will be swept:
Drives: I:
Also sweeping: Memory, Cookies, Registry
Full Sweep has completed. Elapsed time 00:11:57
Traces Found: 0


And the F-Secure log:

Scanning Report
15 April 2006 12:00:53

Options

Target:
I:\
Action:
Ask after scan
Scanning options:
Files scanned with extensions: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML AVB BAT CEO CMD LSP MAP MHT MIF PHP POT WMF NWS TAR TGZ ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2
Scan inside archives: on
Scanning Engines:
F-Secure AVP: 6.00.169, 2006-04-14
F-Secure Libra: 2.03.11, 2006-04-13
F-Secure Orion: 1.02.27, 2006-04-11
Results

Boot Sectors
Scanned: 1
Infected: 0
Suspected: 0
Disinfected: 0
Files
Scanned: 27078
Infected: 0
Suspected: 0
Disinfected: 0
Renamed: 0
Deleted: 0
Quarantined: 0
Report



Cannot open file I:\pagefile.sys
Cannot open file I:\WINDOWS\system32\config\default
Cannot open file I:\System Volume Information\MountPointManagerRemoteDatabase
Scanning of I:\FIlmovi\An.Unfinished.Life.2005.skvcd.nl.subs.Share4you.exorcist.rar was aborted [F-Secure AVP]
Scanning of I:\FIlmovi\Complete.Guide.To.Guys.2006.SKVCD.Team.Share4you.rar was aborted [F-Secure AVP]
Scanning of I:\FIlmovi\Derailed.2005.SKVCD.NL.Chubmaster.SVCDPlaza.rar was aborted [F-Secure AVP]
Scanning of I:\FIlmovi\Freeze.Frame.2004.skvcd.nl.subs.Share4you.exorcist.rar was aborted [F-Secure AVP]
Scanning of I:\FIlmovi\In.the.Mix.(2005).Skvcd.Team.Share4you.rar was aborted [F-Secure AVP]
Scanning of I:\FIlmovi\The.Family.Stone.2005.SKVCD.NL.Chubmaster.SVCDPlaza.rar was aborted [F-Secure AVP]
Scanning of I:\FIlmovi\Thief.Lord.2006.Skvcd.Team.Share4you.rar was aborted [F-Secure AVP]
Cannot read from file I:\Documents and Settings\PB\Local Settings\Temporary Internet Files\Content.IE5\S5QJK9MR\cr-dcp30-2006-04-10[1].rar\DCPP_320_setup.exe [F-Secure Libra]
Cannot open file in archive I:\Documents and Settings\PB\Desktop\AddWeb.Web.Page.Promoter.Pro.v7.2.8.5._www.r3mteam.org_.rar\ww-a728a.zip\wdyl.nfo
Cannot open file in archive I:\Documents and Settings\PB\Desktop\ww-a7285.rar
Cannot open file in archive I:\Documents and Settings\PB\Desktop\ww-a728a.zip\wdyl.nfo
Cannot open file in archive I:\Documents and Settings\PB\Desktop\systran\eatsysp4.rar
Cannot open file in archive I:\Documents and Settings\PB\Desktop\EKV\EKV Live '89.part1.rar
Cannot open file in archive I:\Documents and Settings\PB\Desktop\EKV\EKV Live '89.part2.rar
File I:\Documents and Settings\PB\Desktop\AIO IP Changer\AIO IP Changer Tools.exe\AutoPlay\autorun.cdd\_detect.dat is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NewDotNet.zip\NDNuninstall6_38.exe is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip\sbRecovery.reg is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip\sbRecovery.reg is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpywareQuake.zip\dfrgsrv.exe is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpywareQuake1.zip\sbRecovery.reg is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpywareQuake2.zip\dfrgsrv.exe is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpywareQuake3.zip\sbRecovery.reg is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore.zip\sbRecovery.reg is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore1.zip\sbRecovery.reg is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore2.zip\How To Uninstall.lnk is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore3.zip\INSTALL.LOG is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore4.zip\sbRecovery.reg is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore5.zip\sbRecovery.reg is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore6.zip\sbRecovery.reg is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore7.zip\sbRecovery.reg is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore8.zip\sbRecovery.reg is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\UCmore9.zip\sbRecovery.reg is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Vcodec.zip\ts.ico is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Vcodec1.zip\ncompat.tlb is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Vcodec2.zip\mssearchnet.exe is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Vcodec3.zip\ncompat.tlb is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Vcodec4.zip\mssearchnet.exe is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WindowsActiveDesktop.zip\sbRecovery.reg is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader.zip\nvctrl.exe is encrypted
File I:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader1.zip\nvctrl.exe is encrypted





So how is it possible that all the spyware tools show the PC as clean and this annoying icon comes back again and again and I couldn't get rid of it :shakehead . Any idea?? Any solution? I tried almost everything.
Is it possible that remains of eMediaCodec or VCodec are still somewhere?
But that seems impossible too, because F-Secure and all the logs come back as clean.



Thanks
