# need to fix [email protected] fast!



## Shahem (Sep 11, 2006)

Hi, I have acquired the [email protected] virus this afternoon and I'm looking for the easiest way of getting rid of it.

I've seen other posts on this problem and they take a lot of steps. Is there an easier way of dealing with this virus?... If not, I'd like to ask you please to guide me through the steps for cleaning my PC.

Thank you very much in advance!

P.D.: Is the AVG free antivirus OK to do it? I have Norton Systemworks and it doesn't seem to catch this trojan...


----------



## uhaligani (Apr 6, 2006)

All the Anti-virus programs use the same virus definitions. I have no idea why Norton would not find the trojan, AVG certainly would, I am sure. - for free!


----------



## dvk01 (Dec 14, 2002)

Uhaligani

that is the most incorrect thing I have seen posted for a long time

That is why we have introduced a new rule prohibiting non authorized members from helping or replying in security related matters

http://forums.techguy.org/security/496737-new-rules-regarding-malware-removal.html

Shahem

go to here and download 'Hijack This!' self installer. Save it to the desktop or other suitable place. * DO NOT just press run from the website* Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop. 
Click on the entry in start menu or on the desktop to run HijackThis
Click the "Scan" button, when the scan is finished the scan button will become "Save Log" click that and save the log. 
Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then Paste the log back here in a reply.
It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required, 
so *do NOT fix anything yet.*
Someone here will be happy to help you analyze the results.


----------



## Shahem (Sep 11, 2006)

Thanx Derek...

I've done the hijackthis scan and this is the info that appeared on the log file.

Logfile of HijackThis v1.99.1
Scan saved at 7:48:58, on 11/09/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ishost.exe
C:\WINDOWS\System32\issearch.exe
C:\WINDOWS\System32\isnotify.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\ismini.exe
C:\Archivos de programa\ahead\InCD\InCD.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Archivos de programa\D-Link\AirPlus G\AirGCFG.exe
C:\Archivos de programa\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Archivos de programa\SpyQuake2.com\Spy-Quake2.exe
C:\Archivos de programa\SpyQuake2.com\Spy-Quake2.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Archivos de programa\Archivos comunes\{80523695-096B-3082-0716-030124200022}\Update.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\WINDOWS\System32\components\flx1.dll
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uc.cl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Archivos de programa\ToolBar888\MyToolBar.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Archivos de programa\ToolBar888\MyToolBar.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Archivos de programa\Safety Bar\SafetyBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Archivos de programa\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Archivos de programa\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [SpyQuake2.com] C:\Archivos de programa\SpyQuake2.com\Spy-Quake2.exe /h
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart17.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135045346137
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135046719230
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winabt32 - C:\WINDOWS\SYSTEM32\winabt32.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - C:\WINDOWS\System32\urroxtl.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Archivos de programa\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe

I'll wait for help about what to do next

Thanks again....


----------



## dvk01 (Dec 14, 2002)

Please download *SmitfraudFix* (by *S!Ri*)
Extract the content (a folder named *SmitfraudFix*) to your Desktop.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
Once in Safe Mode, open the *SmitfraudFix* folder and double-click *smitfraudfix.cmd*
Select option #2 - *Clean* by typing *2* and press "*Enter*" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing *Y* and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if *wininet.dll* is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing *Y* and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at *C:\rapport.txt* along with a fresh HJT log

Warning : running option #2 on a non infected computer will remove your Desktop background.

the Engish Tutorial


----------



## Shahem (Sep 11, 2006)

hi Derek... the HJT report shouldn't change in the process of running the smitfraudfix?


----------



## Shahem (Sep 11, 2006)

Another thing... to restart in normal mode I need to de the same thing as to start in safe mode (tapping the F8 key continually)?.... 
If Smitfraudfix restarts the PC itself I have to tap the F8 key and select normal mode, or it will do it alone?


----------



## dvk01 (Dec 14, 2002)

it will restart in normal mode or should do 

and yes the HJT log should change after running smitfraudfix


----------



## Shahem (Sep 11, 2006)

ok... I'll do the smitfraudfix step now and send you the report immediately


----------



## Shahem (Sep 11, 2006)

Hi derek... here goes the report... the program didn't restart immediately so i restarted it...

SmitFraudFix v2.87

Scan done at 15:59:56,95, 11/09/2006
Run from C:\Documents and Settings\John\Escritorio\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Versi¢n 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri

C:\WINDOWS\System32\urroxtl.dll -> Hoax.Win32.Renos.gen.b
C:\WINDOWS\System32\urroxtl.dll -> Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismini.exe Deleted
C:\WINDOWS\system32\isnotify.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
C:\WINDOWS\system32\components\flx??.dll Deleted
C:\DOCUME~1\John\ESCRIT~1\SpyQuake2.com.lnk Deleted
C:\DOCUME~1\ALLUSE~1\ESCRIT~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\ESCRIT~1\Security Troubleshooting.url Deleted
C:\DOCUME~1\John\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\John\MENINI~1\SpyQuake2.com 2.3.lnk Deleted
C:\DOCUME~1\John\MENINI~1\PROGRA~1\SpyQuake2.com Deleted
C:\DOCUME~1\ALLUSE~1\MENINI~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\MENINI~1\Security Troubleshooting.url Deleted
C:\Archivos de programa\Safety Bar\ Deleted
C:\Archivos de programa\SpyQuake2.com\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» End

I'll wait for further instructions... and thanks again!!


----------



## dvk01 (Dec 14, 2002)

post fresh HJT log please


----------



## Shahem (Sep 11, 2006)

hi ... here it goes...

Logfile of HijackThis v1.99.1
Scan saved at 16:31:44, on 11/09/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\ahead\InCD\InCD.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Archivos de programa\D-Link\AirPlus G\AirGCFG.exe
C:\Archivos de programa\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Archivos de programa\Archivos comunes\{80523695-096B-3082-0716-030124200022}\Update.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\Archivos de programa\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Archivos de programa\ToolBar888\MyToolBar.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Archivos de programa\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Archivos de programa\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Archivos de programa\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart17.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135045346137
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135046719230
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winabt32 - C:\WINDOWS\SYSTEM32\winabt32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Archivos de programa\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe


----------



## Shahem (Sep 11, 2006)

Hi Derek... Have you been able to revise my last HJT log list?


----------



## dvk01 (Dec 14, 2002)

furious1

I have moved you to your own thread here

http://forums.techguy.org/security/500725-hijacked.html


----------



## dvk01 (Dec 14, 2002)

Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

Run hijackthis, put a tick in the box beside these entries listed below and *ONLY these entries*, double check to make sure, then make sure all browser & email windows are closed and press fix checked

O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll (file missing)
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Archivos de programa\ToolBar888\MyToolBar.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Archivos de programa\ToolBar888\MyToolBar.dll
O20 - Winlogon Notify: winabt32 - C:\WINDOWS\SYSTEM32\winabt32.dll

now Start killbox, paste the first file listed below into the full pathname and file to delete box

The file name will appear in the window, select delete on reboot , press the red X button, say yes to the prompt and * NO*to reboot now then repeat for each file in turn

[Note: Killbox makes backups of all deleted files & folders in a folder called C:\!killbox ] If Killbox tells you any files are missing don't worry but make a note and let us know in your next reply

C:\Archivos de programa\ToolBar888\
C:\WINDOWS\SYSTEM32\winabt32.dll

Then on killbox top bar press tools/delete temp files, in the pop up box towards the middle is a drop down box containing a list of all user accounts on this drop down user account box, select your account, select *ALL* options it will allow you to, then then press delete selected temp files , then repeat for every user account listed in that drop down box

then reboot & 
Please download *WebRoot SpySweeper* from *HERE* (It's a 2 week trial):
Click the *Free Trial* link under "Downloads/SpySweeper" to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click *Yes*.
Once the definitions are installed, click *Options* on the left side.
Click the *Sweep Options* tab.
Under *What to Sweep* please put a check next to the following:
Sweep Memory Objects
Sweep Windows Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Compressed Files
Sweep for Rootkits
Please *UNCHECK* Sweep System Restore Folder.

Click *Sweep Now* on the left side.
Click the *Start* button.
When it's done scanning, click the *Next* button.
Make sure everything has a check next to it, then click the *Next* button.
It will remove all of the items found.
Click *Session Log* in the upper right corner, copy everything in that window.
Click the *Summary* tab and click *Finish*.
Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.


----------



## dvk01 (Dec 14, 2002)

maru1 I have moved you to your own thread
http://forums.techguy.org/security/500816-hijacked-well.html

Anybody else with the same problem please start your own thread


----------



## Shahem (Sep 11, 2006)

Hi derek... the last post in the thread was for me??... 

John (Shahem)


----------



## dvk01 (Dec 14, 2002)

Yes John (Shahem) that set of instructions were for you 

I moved all the hangers on away I hope


----------



## Shahem (Sep 11, 2006)

Hi Derek, two days ago my mom was using de pc and another virus alert appeared on her user (it also appeared on my dad's, but it hasn't in mine), I hadn't been able to finish fixing the spy-win32 by that time...
This new virus seems to be called Dialer.trojan, at least that's what the norton window showed.
I hope you can help me again.

Thank you very much in advance... John


----------



## dvk01 (Dec 14, 2002)

post a new HJT lopg please


----------



## Shahem (Sep 11, 2006)

There goes the HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 13:56:12, on 23/09/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe
C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Archivos de programa\D-Link\AirPlus G\AirGCFG.exe
C:\PROGRA~1\PRINTV~1\pvmodule.exe
C:\Archivos de programa\Archivos comunes\{80523695-096B-3082-0716-030124200022}\Update.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Archivos de programa\Skype\Phone\Skype.exe
C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
C:\Archivos de programa\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Winamp\winamp.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uc.cl/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\System32\ixt0.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Archivos de programa\ToolBar888\MyToolBar.dll
O2 - BHO: PrintViewBHO Class - {D4E0C464-30CE-4075-9A10-71FD106C2847} - C:\PROGRA~1\PRINTV~1\PRINTH~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Archivos de programa\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Archivos de programa\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Archivos de programa\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Archivos de programa\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Archivos de programa\Archivos comunes\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\ARCHIV~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Archivos de programa\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Archivos de programa\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Archivos de programa\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Skype] "C:\Archivos de programa\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Archivos de programa\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: VirtualExpander.lnk = C:\WINDOWS\system32\VirtualExpander\VirtualExpander.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Archivos de programa\Archivos comunes\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Archivos de programa\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Archivos de programa\Archivos comunes\Autodesk Shared\acstart17.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1135045346137
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135046719230
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARCHIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winabt32 - C:\WINDOWS\SYSTEM32\winabt32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Archivos de programa\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Archivos de programa\Archivos comunes\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Archivos de programa\Archivos comunes\EPSON\EBAPI\SAgent2.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe

P.D.: shuld the scan be done in each of the users account or the one i just did in my account will show all infected items?

thanx... John


----------



## dvk01 (Dec 14, 2002)

start with these which will clear up a lot and work on all user accounts regadless which one you run them under

* Download the Trial/Demo version of Ewido Anti Spyware When the trial period expires it becomes freeware with reduced functions but still worth keeping or you have the option of buying a licence for the full version

 EWIDO DOWNLOAD 

* Install ewido.
* Launch ewido
* It will prompt you to update click the OK button and it will go to the main screen
* On the top of the main screen click update
* Click on Start and let it update.
* now boot to safe mode by following advice here http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam
* Now run Ewido:
* Click on scanner then click on settings tab , select all options allowed & select recommended actions and set recommended actions to quarantine then set automatically generate reports after every scan & only if threats were found 
* Now press the scan tab. Click the Complete System Scan button to start the scan.
* When the scan is done you will see a list of infected objects (if any found) At the bottom of the list, Please click on "recommended action"/and choose to Set all Elements to quarantine and check the box "Perform action with all infections".
If you get a warning about a file being in an archive, please choose *yes* to quarantine the entire archive
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Post back with the ewido scan log

then

Please download *WebRoot SpySweeper* from *HERE* (It's a 2 week trial):
Click the *Free Trial* link under "Downloads/SpySweeper" to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click *Yes*.
Once the definitions are installed, click *Options* on the left side.
Click the *Sweep Options* tab.
Under *What to Sweep* please put a check next to the following:
Sweep Memory Objects
Sweep Windows Registry
Sweep Cookies
Sweep All User Accounts
Enable Direct Disk Sweeping
Sweep Compressed Files
Sweep for Rootkits
Please *UNCHECK* Sweep System Restore Folder.

Click *Sweep Now* on the left side.
Click the *Start* button.
When it's done scanning, click the *Next* button.
Make sure everything has a check next to it, then click the *Next* button.
It will remove all of the items found.
Click *Session Log* in the upper right corner, copy everything in that window.
Click the *Summary* tab and click *Finish*.
Paste the contents of the session log you copied into your next reply.
Then post a new Hijack This log for EVERY account on teh comnputer


----------



## uhaligani (Apr 6, 2006)

Phew. Two weeks to fix a trojan - and my advice was incorrect? It would have been 13 days quicker to reformat and reinstall!!


----------



## dvk01 (Dec 14, 2002)

foomycoomy

I have moved you to a new thread here

http://forums.techguy.org/security/541399-trojan-spy-win32-mx.html

As this appears to be solved I am closing this thread now if the original poster needs more help please pm me or another moderator who will reopen

Anybody else with the same problem please start your own thread


----------

