Solved

Virus on computer that Symantec cannot remove

Posted on 2006-10-26
Last Modified: 2013-11-16
Hi Folks, not that I'm bagging Norton, I have been using Norton AntiVirus for years. My daughter, who is Chinese, uses a separate login and while browsing came across a Chinese webpage that installed a virus onto my box. It was first noticed when my daughter couldn't delete three IE shortcuts on the desktop, because every time she did they would just put themselves back there.
They have now installed themselves on my login as well. Norton is up to date, I have done a full system scan, nothing found.
I rang Norton help, got put through to India after paying $70AU, as you do, gave away control to the bloke in India to do his bit, as I watched him flounder around without success.
What it does, as the dude in India found out, is write a heap of URLs to the windows\system32\drivers\etc\hosts file.
You cannot delete them; I even went into safe mode to delete them but they are rewritten straight away.
Sometimes when the system is booted it will hang even before POST has finished, and you have to reboot; it then boots into setup with the error message "the system hung for an improper CPU speed", time to reboot again.
So there is a little program that writes the hosts file, that Symantec cannot find, doesn't know about as the full scan proves, is of Chinese origin and is pissing me off.
Cheers
nedkelly
Question by:Ned_Kelly
LVL 18

Expert Comment

by:PowerIT
ID: 17811478
Try ewido. It's a free trial for 30 days. http://www.ewido.net/en/download/
If that doesn't help, post your HijackThis log here.
Go to www.hijackthis.de, choose download immediately. Unzip, run, scan with log.
Upload the log to the hijackthis site, choose analyze, then save and post the resulting URL here.

J.

Author Comment

by:Ned_Kelly
ID: 17811822
O1 - Hosts: 222.189.228.4 www.hao123.com
O1 - Hosts: 222.189.228.4 www.7b.com.cn
O1 - Hosts: 222.189.228.4 www.7939.com
O1 - Hosts: 222.189.228.4 www.360safe.com
O1 - Hosts: 222.189.228.4 360safe.com
O1 - Hosts: 222.189.228.4 update.360safe.com
O1 - Hosts: 222.189.228.4 dl.360safe.com
O1 - Hosts: 222.189.228.4 bbs.360safe.com
O1 - Hosts: 222.189.228.4 count16.51yes.com
O1 - Hosts: 222.189.228.4 count18.51yes.com
O1 - Hosts: 222.189.228.4 count20.51yes.com
O1 - Hosts: 222.189.228.4 www.btbaicai.com
O1 - Hosts: 222.189.228.4 btbaicai.com
O1 - Hosts: 222.189.228.4 www.pctutu.com
O1 - Hosts: 222.189.228.4 www.7322.com
O1 - Hosts: 222.189.228.4 www.5566.net
O1 - Hosts: 222.189.228.4 www.9991.com
O1 - Hosts: 222.189.228.4 forum.ikaka.com
O1 - Hosts: 222.189.228.4 www.ikaka.com
O1 - Hosts: 222.189.228.4 www.piaoxue.com
O1 - Hosts: 222.189.228.4 forum.jiangmin.com
O1 - Hosts: 222.189.228.4 update.jiangmin.com
O1 - Hosts: 222.189.228.4 post.baidu.com
O1 - Hosts: 222.189.228.4 zhidao.baidu.com
O1 - Hosts: 222.189.228.4 update.rising.com.cn
O1 - Hosts: 222.189.228.4 online.rising.com.cn
O1 - Hosts: 222.189.228.4 dl.pconline.com.cn
O1 - Hosts: 222.189.228.4 space.uwants.com
O1 - Hosts: 222.189.228.4 www.pcav.cn
O1 - Hosts: 222.189.228.4 mopery.hits.io
O1 - Hosts: 222.189.228.4 www.goodmv.cn
O1 - Hosts: 222.189.228.4 www.5566.net
O1 - Hosts: 222.189.228.4 www.piaoxue.com
O1 - Hosts: 222.189.228.4 www.luosoft.com
O1 - Hosts: 222.189.228.4 luosoft.com
O1 - Hosts: 222.189.228.4 www.7255.com
O1 - Hosts: 222.189.228.4 dl.pconline.com.cn
O1 - Hosts: 222.189.228.4 www.spjoy.com
O1 - Hosts: 222.189.228.4 c01.caishow.com
O1 - Hosts: 222.189.228.4 c02.caishow.com
O1 - Hosts: 222.189.228.4 c03.caishow.com
O1 - Hosts: 222.189.228.4 c04.caishow.com
O1 - Hosts: 222.189.228.4 www.caishow.com
O1 - Hosts: 222.189.228.4 union.caishow.com
O1 - Hosts: 222.189.228.4 ad01.a8.com
O1 - Hosts: 222.189.228.4 ad02.a8.com
O1 - Hosts: 222.189.228.4 sg.a8.com
O1 - Hosts: 222.189.228.4 www.adanywhere.cn
O1 - Hosts: 222.189.228.4 ip.adanywhere.cn
O1 - Hosts: 222.189.228.4 ip1.adanywhere.cn
O1 - Hosts: 222.189.228.4 ip2.adanywhere.cn
O1 - Hosts: 222.189.228.4 www.bannerbox.cn
O1 - Hosts: 222.189.228.4 www.caiqiyue.com
O1 - Hosts: 222.189.228.4 toolsbar.kuaiso.com
O1 - Hosts: 222.189.228.4 www.kuaiso.com
O1 - Hosts: 222.189.228.4 www.2t2t.cn
O1 - Hosts: 222.189.228.4 3.a.kal.cn
O1 - Hosts: 222.189.228.4 ip.alexaanywhere.com
O1 - Hosts: 222.189.228.4 go.ipcenter.cn
O1 - Hosts: 222.189.228.4 www.2yin.cn
O1 - Hosts: 222.189.228.4 wwww.systeel.com.cn
O1 - Hosts: 222.189.228.4 go.baibaoxiang.cn
O1 - Hosts: 222.189.228.4 www.gao58.com
O1 - Hosts: 222.189.228.4 www.2tu.cn
O1 - Hosts: 222.189.228.4 www.91tu.cn
O1 - Hosts: 222.189.228.4 www.haotop.com
O1 - Hosts: 222.189.228.4 news01.virussky.com
O1 - Hosts: 222.189.228.4 news02.virussky.com
O1 - Hosts: 222.189.228.4 news03.virussky.com
O1 - Hosts: 222.189.228.4 news04.virussky.com
O1 - Hosts: 222.189.228.4 news40.virussky.com
O1 - Hosts: 222.189.228.4 news41.virussky.com
O1 - Hosts: 222.189.228.4 news42.virussky.com
O1 - Hosts: 222.189.228.4 www.an85.com
O1 - Hosts: 222.189.228.4 an85.com
O1 - Hosts: 222.189.228.4 www.ycdy.com
O1 - Hosts: 222.189.228.4 ycdy.com
O1 - Hosts: 222.189.228.4 down.virussky.com
O1 - Hosts: 222.189.228.4 update.virussky.com
O1 - Hosts: 222.189.228.4 www.maipao.com
O1 - Hosts: 222.189.228.4 www.sina-baidu.com
O1 - Hosts: 222.189.228.4 www.maohehe.com
O1 - Hosts: 222.189.228.4 www.1717kan.cn
O1 - Hosts: 222.189.228.4 www.feixue.net
O1 - Hosts: 222.189.228.4 www.xingkongitv.com
O1 - Hosts: 222.189.228.4 about-blank.cc
O1 - Hosts: 222.189.228.4 www.xfkz.com
O1 - Hosts: 222.189.228.4 xfkz.com
O1 - Hosts: 222.189.228.4 www.365tan.com
O1 - Hosts: 222.189.228.4 cg.9e3.com
O1 - Hosts: 222.189.228.4 www.qqplayer.net
O1 - Hosts: 222.189.228.4 www.sosok.com
O1 - Hosts: 222.189.228.4 img.zhangxiu.com
O1 - Hosts: 222.189.228.4 www.okeaa.com
O1 - Hosts: 222.189.228.4 www.winopen.cn
LVL 18

Expert Comment

by:PowerIT
ID: 17811863
Ned, this is not complete. That's only part of a HijackThis log. This only shows your hosts file, but not what might cause this.
You'd better upload the whole log to analyze on hijackthis.de and then paste the provided link (after you clicked 'save' on the website).

J.

Author Comment

by:Ned_Kelly
ID: 17812258
Logfile of HijackThis v1.99.1
Scan saved at 10:43:58 PM, on 26/10/2006
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\mshosts.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\ctfmon.exe
G:\Eraser\eraser.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Documents and Settings\Ned Kelly\Desktop\HijackThis.exe

O1 - Hosts: 222.189.228.4 www.hao123.com
O1 - Hosts: 222.189.228.4 www.7b.com.cn
O1 - Hosts: 222.189.228.4 www.7939.com
O1 - Hosts: 222.189.228.4 www.360safe.com
O1 - Hosts: 222.189.228.4 360safe.com
O1 - Hosts: 222.189.228.4 update.360safe.com
O1 - Hosts: 222.189.228.4 dl.360safe.com
O1 - Hosts: 222.189.228.4 bbs.360safe.com
O1 - Hosts: 222.189.228.4 count16.51yes.com
O1 - Hosts: 222.189.228.4 count18.51yes.com
O1 - Hosts: 222.189.228.4 count20.51yes.com
O1 - Hosts: 222.189.228.4 www.btbaicai.com
O1 - Hosts: 222.189.228.4 btbaicai.com
O1 - Hosts: 222.189.228.4 www.pctutu.com
O1 - Hosts: 222.189.228.4 www.7322.com
O1 - Hosts: 222.189.228.4 www.5566.net
O1 - Hosts: 222.189.228.4 www.9991.com
O1 - Hosts: 222.189.228.4 forum.ikaka.com
O1 - Hosts: 222.189.228.4 www.ikaka.com
O1 - Hosts: 222.189.228.4 www.piaoxue.com
O1 - Hosts: 222.189.228.4 forum.jiangmin.com
O1 - Hosts: 222.189.228.4 update.jiangmin.com
O1 - Hosts: 222.189.228.4 post.baidu.com
O1 - Hosts: 222.189.228.4 zhidao.baidu.com
O1 - Hosts: 222.189.228.4 update.rising.com.cn
O1 - Hosts: 222.189.228.4 online.rising.com.cn
O1 - Hosts: 222.189.228.4 dl.pconline.com.cn
O1 - Hosts: 222.189.228.4 space.uwants.com
O1 - Hosts: 222.189.228.4 www.pcav.cn
O1 - Hosts: 222.189.228.4 mopery.hits.io
O1 - Hosts: 222.189.228.4 www.goodmv.cn
O1 - Hosts: 222.189.228.4 www.5566.net
O1 - Hosts: 222.189.228.4 www.piaoxue.com
O1 - Hosts: 222.189.228.4 www.luosoft.com
O1 - Hosts: 222.189.228.4 luosoft.com
O1 - Hosts: 222.189.228.4 www.7255.com
O1 - Hosts: 222.189.228.4 dl.pconline.com.cn
O1 - Hosts: 222.189.228.4 www.spjoy.com
O1 - Hosts: 222.189.228.4 c01.caishow.com
O1 - Hosts: 222.189.228.4 c02.caishow.com
O1 - Hosts: 222.189.228.4 c03.caishow.com
O1 - Hosts: 222.189.228.4 c04.caishow.com
O1 - Hosts: 222.189.228.4 www.caishow.com
O1 - Hosts: 222.189.228.4 union.caishow.com
O1 - Hosts: 222.189.228.4 ad01.a8.com
O1 - Hosts: 222.189.228.4 ad02.a8.com
O1 - Hosts: 222.189.228.4 sg.a8.com
O1 - Hosts: 222.189.228.4 www.adanywhere.cn
O1 - Hosts: 222.189.228.4 ip.adanywhere.cn
O1 - Hosts: 222.189.228.4 ip1.adanywhere.cn
O1 - Hosts: 222.189.228.4 ip2.adanywhere.cn
O1 - Hosts: 222.189.228.4 www.bannerbox.cn
O1 - Hosts: 222.189.228.4 www.caiqiyue.com
O1 - Hosts: 222.189.228.4 toolsbar.kuaiso.com
O1 - Hosts: 222.189.228.4 www.kuaiso.com
O1 - Hosts: 222.189.228.4 www.2t2t.cn
O1 - Hosts: 222.189.228.4 3.a.kal.cn
O1 - Hosts: 222.189.228.4 ip.alexaanywhere.com
O1 - Hosts: 222.189.228.4 go.ipcenter.cn
O1 - Hosts: 222.189.228.4 www.2yin.cn
O1 - Hosts: 222.189.228.4 wwww.systeel.com.cn
O1 - Hosts: 222.189.228.4 go.baibaoxiang.cn
O1 - Hosts: 222.189.228.4 www.gao58.com
O1 - Hosts: 222.189.228.4 www.2tu.cn
O1 - Hosts: 222.189.228.4 www.91tu.cn
O1 - Hosts: 222.189.228.4 www.haotop.com
O1 - Hosts: 222.189.228.4 news01.virussky.com
O1 - Hosts: 222.189.228.4 news02.virussky.com
O1 - Hosts: 222.189.228.4 news03.virussky.com
O1 - Hosts: 222.189.228.4 news04.virussky.com
O1 - Hosts: 222.189.228.4 news40.virussky.com
O1 - Hosts: 222.189.228.4 news41.virussky.com
O1 - Hosts: 222.189.228.4 news42.virussky.com
O1 - Hosts: 222.189.228.4 www.an85.com
O1 - Hosts: 222.189.228.4 an85.com
O1 - Hosts: 222.189.228.4 www.ycdy.com
O1 - Hosts: 222.189.228.4 ycdy.com
O1 - Hosts: 222.189.228.4 down.virussky.com
O1 - Hosts: 222.189.228.4 update.virussky.com
O1 - Hosts: 222.189.228.4 www.maipao.com
O1 - Hosts: 222.189.228.4 www.sina-baidu.com
O1 - Hosts: 222.189.228.4 www.maohehe.com
O1 - Hosts: 222.189.228.4 www.1717kan.cn
O1 - Hosts: 222.189.228.4 www.feixue.net
O1 - Hosts: 222.189.228.4 www.xingkongitv.com
O1 - Hosts: 222.189.228.4 about-blank.cc
O1 - Hosts: 222.189.228.4 www.xfkz.com
O1 - Hosts: 222.189.228.4 xfkz.com
O1 - Hosts: 222.189.228.4 www.365tan.com
O1 - Hosts: 222.189.228.4 cg.9e3.com
O1 - Hosts: 222.189.228.4 www.qqplayer.net
O1 - Hosts: 222.189.228.4 www.sosok.com
O1 - Hosts: 222.189.228.4 img.zhangxiu.com
O1 - Hosts: 222.189.228.4 www.okeaa.com
O1 - Hosts: 222.189.228.4 www.winopen.cn
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69D23154-CA31-43E9-BEEB-F78E6D1642B3} - C:\WINDOWS\system32\3721.6.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [YeppStudioAgent] C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [R] C:\WINDOWS\System32\rundll32.exe ctfmon.dll s
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Eraser] "G:\Eraser\eraser.exe" -hide
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01118F00-3E00-11D2-8470-0060089874ED} (SupportSoft RemoteControl Class) - http://symantec.atgnow.com/sdccommon/download/ssrc.cab
O16 - DPF: {01119400-3E00-11D2-8470-0060089874ED} (SupportSoft Listener Control) - http://symantec.atgnow.com/sdccommon/download/sprtctlln.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096554288138
O16 - DPF: {8EC18CE2-D7B4-11D2-88C8-006008A717FD} (NCSView Class) - http://dolalol.landonline.com.au/iws/panairama/ecwplugins/ncs.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: host Service For Windows (mshosts) - Unknown owner - C:\WINDOWS\mshosts.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: UStorage Server Service - Unknown owner - C:\WINDOWS\system32\UStorSrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Author Comment

by:Ned_Kelly
ID: 17812299
AVG found this trojan.Agent.ix, quarantined it, and then I deleted the three shortcuts, rebooted like it said, but the three shortcuts have come back as well.
AVG found the same trojan again and I did the same again, so did it.
Regards nedkelly
LVL 18

Expert Comment

by:PowerIT
ID: 17812403
OK, boot your PC in safe mode, disable system repair.
Delete the file c:\windows\mshosts.exe
Start hijackthis again, do a scan and repair the following:
- ALL the O1's
- O2 - BHO: (no name) - {69D23154-CA31-43E9-BEEB-F78E6D1642B3} - C:\WINDOWS\system32\3721.6.dll
- O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
- O23 - Service: host Service For Windows (mshosts) - Unknown owner - C:\WINDOWS\mshosts.exe

Reboot and - if you want it - enable system repair.
Hope this helps. Let me know the results, and if it was negative post a new hijack log.

J.
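Reading the full log above: every O1 line points at the same address (222.189.228.4), and the redirected names include the update and download hosts of Chinese antivirus vendors (360safe, Jiangmin, Rising), so the hosts-file rewrite is cutting the machine off from those vendors' updates, not just serving ads. The O2, O4 and O23 items PowerIT lists are the loader pieces: an unnamed BHO, a rundll32 entry loading a DLL named after a Windows executable, and a service with no vendor running from the Windows root. The following is an added example (my code, not HijackThis code or anything posted in the thread) that triages those four HijackThis sections with exactly those heuristics. The vendor-domain and shadowed-name lists are assumptions chosen for this illustration, and the sample lines are copied from the log above.

```python
r"""Triage a HijackThis log for the hijack pattern seen in this thread.

Added example, not from the original post or from HijackThis itself.
SAMPLE_LOG lines are copied from the log above; the vendor-domain and
system-name lists are assumptions chosen for this illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Assumption: update/download hosts of antivirus vendors that a hosts-file
# hijacker would want to sinkhole (all of these appear in the log above).
SECURITY_VENDOR_DOMAINS = ("360safe.com", "jiangmin.com", "rising.com.cn",
                           "ikaka.com", "virussky.com")

# Assumption: names of Windows executables. A same-named .dll loaded through
# rundll32 (ctfmon.dll beside the real ctfmon.exe) is a classic disguise.
SHADOWED_SYSTEM_NAMES = {"ctfmon", "svchost", "lsass", "winlogon", "services", "explorer"}

O1_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^\s",]+\.dll)', re.I)
WINROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.I)


def _is_sinkhole(ip):
    """127.0.0.1 / 0.0.0.0 / ::1 entries are the normal way to block a host."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def _is_vendor_host(host):
    return any(host == d or host.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)


def triage(log_text):
    """Return (section, detail) findings: O2/O4/O23 in log order, then one O1 summary per IP."""
    findings = []
    redirected = defaultdict(list)  # IP -> hostnames pointed at it
    for line in log_text.splitlines():
        line = line.strip()
        if m := O1_RE.match(line):
            ip, host = m.groups()
            if not _is_sinkhole(ip):          # a real IP here is a redirect, not a block
                redirected[ip].append(host)
        elif m := O2_RE.match(line):
            name, clsid, path = m.groups()
            if name == "(no name)":
                findings.append(("O2", f"unnamed BHO {clsid} -> {path}"))
        elif m := O4_RE.match(line):
            hive, key, cmd = m.groups()
            if dm := RUNDLL_RE.search(cmd):
                dll = dm.group(1).rsplit("\\", 1)[-1]
                if dll[:-4].lower() in SHADOWED_SYSTEM_NAMES:
                    findings.append(("O4", f"{hive} Run [{key}] loads {dll} via rundll32 "
                                           "(name shadows a Windows executable)"))
        elif m := O23_RE.match(line):
            svc, owner, path = m.groups()
            if owner == "Unknown owner" and "(file missing)" not in path \
                    and WINROOT_EXE_RE.match(path):
                findings.append(("O23", f"service '{svc}' has no vendor and runs "
                                        f"from the Windows root: {path}"))
    for ip, hosts in redirected.items():
        vendor = sum(1 for h in hosts if _is_vendor_host(h))
        findings.append(("O1", f"{len(hosts)} hostnames redirected to {ip}, "
                               f"{vendor} of them security-vendor hosts"))
    return findings


# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O1 - Hosts: 222.189.228.4 www.hao123.com
O1 - Hosts: 222.189.228.4 update.360safe.com
O1 - Hosts: 222.189.228.4 update.jiangmin.com
O1 - Hosts: 222.189.228.4 update.rising.com.cn
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {69D23154-CA31-43E9-BEEB-F78E6D1642B3} - C:\WINDOWS\system32\3721.6.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [R] C:\WINDOWS\System32\rundll32.exe ctfmon.dll s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: host Service For Windows (mshosts) - Unknown owner - C:\WINDOWS\mshosts.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

if __name__ == "__main__":
    for section, detail in triage(SAMPLE_LOG):
        print(f"{section:4} {detail}")
```

Run against the sample it reports the unnamed BHO (3721.6.dll), the [R] rundll32/ctfmon.dll entry, the mshosts service and a single O1 summary. Note that the O4 rule flags the entry that loads ctfmon.dll through rundll32 rather than the HKCU ctfmon.exe entry: ctfmon.exe is Windows' own text-services loader, while a ctfmon.dll in System32 is not a Windows file (an assumption the heuristic relies on). Symantec's "(file missing)" services are skipped on purpose; they are broken registrations, not loaders.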
LVL 38

Expert Comment

by:Rich Rumble
ID: 17812672
LVL 47

Expert Comment

by:rpggamergirl
ID: 17816935

1.  Download Pocket Killbox.
http://www.atribune.org/downloads/KillBox.exe
*Select the "Delete on Reboot" option.
*Select "All Files"
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\mshosts.exe
C:\WINDOWS\System32\ctfmon.dll
C:\WINDOWS\system32\3721.6.dll

*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
*If the computer doesn't restart, just restart manually.


Fix these entries:
All the O1 entries
O2 - BHO: (no name) - {69D23154-CA31-43E9-BEEB-F78E6D1642B3} - C:\WINDOWS\system32\3721.6.dll
O4 - HKLM\..\Run: [R] C:\WINDOWS\System32\rundll32.exe ctfmon.dll s
O23 - Service: host Service For Windows (mshosts) - Unknown owner - C:\WINDOWS\mshosts.exe



2.  Also download and run MS Removal tool:
http://support.microsoft.com/?kbid=890830


3.  Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Please then reboot your computer in "Safe Mode" by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, right click the SDFix.zip folder and choose "Extract All",
* Open the extracted folder and double click RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the log and post it here.
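Killbox's "Delete on Reboot" option exists because the guard process keeps these files open and re-creates them while Windows is running; queuing the deletion for the next boot lets the session manager remove them before anything else starts. The standard Windows mechanism for that is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request in the REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations (that Killbox uses this mechanism is an assumption on my part). The following is an added example, mine and not Killbox's or the thread's code, that encodes and decodes that value so you can check, with the bytes read out via reg query or regedit, that the three paths are actually queued before rebooting. It assumes the documented format: (source, destination) pairs in NT path form ("\??\C:\..."), an empty destination meaning delete, and a leading "!" on the destination meaning replace-existing.

```python
r"""Encode and decode PendingFileRenameOperations, the value behind 'Delete on Reboot'.

Added example, not part of the original thread or of Killbox. Assumes the
value format documented for MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT):
a REG_MULTI_SZ of (source, destination) pairs in NT path form (\??\C:\...),
empty destination = delete, destination prefixed with "!" = replace existing.
"""

NT_PREFIX = "\\??\\"


def encode_pending_ops(ops):
    """ops: iterable of (source, destination); destination None queues a delete.

    Returns the raw REG_MULTI_SZ bytes: UTF-16-LE, NUL-separated strings,
    terminated by an extra NUL (so a trailing delete ends in three NULs).
    """
    strings = []
    for src, dst in ops:
        strings.append(NT_PREFIX + src)
        strings.append("" if dst is None else "!" + NT_PREFIX + dst)
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def decode_pending_ops(raw):
    """Inverse of encode_pending_ops; returns a list of (source, destination-or-None)."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0\0"):
        text = text[:-2]      # last string's NUL plus the list terminator
    elif text.endswith("\0"):
        text = text[:-1]      # tolerate a value written with a single terminator
    strings = text.split("\0") if text else []
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(strings[::2], strings[1::2]):
        if src.startswith(NT_PREFIX):
            src = src[len(NT_PREFIX):]
        if dst == "":
            ops.append((src, None))           # empty destination: delete at boot
            continue
        if dst.startswith("!"):
            dst = dst[1:]                     # replace-existing flag
        if dst.startswith(NT_PREFIX):
            dst = dst[len(NT_PREFIX):]
        ops.append((src, dst))
    return ops


# Constructed sample: the three paths from the Killbox instructions above.
KILLBOX_TARGETS = [
    ("C:\\WINDOWS\\mshosts.exe", None),
    ("C:\\WINDOWS\\System32\\ctfmon.dll", None),
    ("C:\\WINDOWS\\system32\\3721.6.dll", None),
]

if __name__ == "__main__":
    raw = encode_pending_ops(KILLBOX_TARGETS)
    print(raw.hex())
    for src, dst in decode_pending_ops(raw):
        print("delete" if dst is None else f"move -> {dst}", src)
```

Two caveats: the value is consumed and cleared by the session manager at boot, so read it before rebooting, not after; and a delete queued this way only helps if nothing re-creates the file earlier in the same boot, which is why the service (O23) and the Run key (O4) that start the guard have to go in the same pass. The same value is also worth checking during incident response, because malware uses it to swap its own files into place.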
LVL 18

Expert Comment

by:Rartemass
ID: 17817281
You could always format the PC.
If you don't have an image of the PC (using ghost for example) then I suggest getting bartPE.
(http://www.nu2.nu/pebuilder/download/)

Once you have rebuilt the system run Bart and create an image.
If this happens again you can simply reimage the PC and be up and running in less than 30 minutes.

Author Comment

by:Ned_Kelly
ID: 17818357
Hi Folks, what choice. I have tried PowerIT's steps and got rid of some of the rubbish but others are doing stuff now.
I tried RootkitRevealer

HKLM\S-1-5-21-1801674531-1078145449-1202660629-1003\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1002\Filename      5/1/2005 7:51 PM      11 bytes      Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1801674531-1078145449-1202660629-1003\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1002\Description      5/1/2005 7:51 PM      25 bytes      Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1801674531-1078145449-1202660629-1003\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1003\Filename      5/5/2005 8:54 PM      11 bytes      Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1801674531-1078145449-1202660629-1003\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1003\Description      5/5/2005 8:54 PM      25 bytes      Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1801674531-1078145449-1202660629-1003\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1006\Filename      12/2/2005 9:48 PM      11 bytes      Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1801674531-1078145449-1202660629-1003\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1006\Description      12/2/2005 9:48 PM      25 bytes      Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1801674531-1078145449-1202660629-1003\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1007\Filename      6/5/2006 2:19 PM      11 bytes      Data mismatch between Windows API and raw hive data.
HKLM\S-1-5-21-1801674531-1078145449-1202660629-1003\Control Panel\Microsoft Input Devices\Mouse\Exceptions\1007\Description      6/5/2006 2:19 PM      25 bytes      Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed      10/27/2006 8:06 PM      80 bytes      Data mismatch between Windows API and raw hive data.


Author Comment

by:Ned_Kelly
ID: 17818370
I tried the delete on reboot using HijackThis but it doesn't seem to have done the trick

Author Comment

by:Ned_Kelly
ID: 17818394
I don't really want to reformat as I have done that too many times already in the past ten years. I have two large assignments due in a month and homework every week. But that's cool.
The principle of least privilege sounds good but I have to give some leeway; she will learn from this and so will I.
LVL 38

Expert Comment

by:Rich Rumble
ID: 17818571
RootkitRevealer didn't show any rootkit, the data you see is benign:
Data mismatch between Windows API and raw hive data.
This discrepancy will occur if a Registry value is updated while the Registry scan is in progress. Values that change frequently include timestamps such as the Microsoft SQL Server uptime value, shown below, and virus scanner "last scan" values. You should investigate any reported value to ensure that it's a valid application or system Registry value.

Make sure system restore is off for all your drives, try to remove the pest and then reboot.
-rich
LVL 47

Expert Comment

by:rpggamergirl
ID: 17818598
Killbox didn't delete those files at reboot? Did you get any error?
Did you also try MS Removal or SDFix?
2 of the files were SDBot/IRCBot.


Try this one, this is a beta tool for Chinese infections.
Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/zh/BetaB/combofix.exe
and save it to your desktop.

Also save the below command in Notepad as a text file so that you can copy/paste in safe mode.

"%userprofile%\desktop\combofix.exe" /wow


Boot into safe mode by tapping the F8 key just before Windows starts to load.

Go Start > Run, and copy/paste in the following:

"%userprofile%\desktop\combofix.exe" /wow

When finished, it shall produce a log for you. Save it and post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Author Comment

by:Ned_Kelly
ID: 17818603
System Restore is off, I have the Windows malicious software removal tool running so I will see how that goes.

Author Comment

by:Ned_Kelly
ID: 17818728
The Windows malicious software removal tool found no malicious files.

Author Comment

by:Ned_Kelly
ID: 17819068
Ok folks, here is the ComboFix log

ComboFix 06.10.27.3.W - Running from: "C:\Documents and Settings\Ned Kelly\desktop"
Command switches used :: /wow

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\INSTALL.LOG
C:\Program Files\Internet Explorer\iexplore.jmp
C:\INSTALL.LOG
C:\riched32.dll
C:\wz041.dll
C:\WINDOWS\system32\ctfmon.dll
C:\Documents and Settings\Ned Kelly\Application Data\Macromedia\Flash Player\#SharedObjects\EV9HHWXP\www.inter-focus.cn
C:\Documents and Settings\Ned Kelly\Application Data\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn


(((((((((((((((((((((((((((((((   Files Created from 2006-09-27 to 2006-10-27  ))))))))))))))))))))))))))))))))))
 
 
2006-10-27      18:15      42,278      --a------      C:\cf12.dll
2006-10-26      22:28      3,968      --a------      C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-24      19:58      211      --a------      C:\win_help_flag_6_2.bat
2006-10-24      19:57      324      --a------      C:\win_help_flag_6_1.bat
2006-10-18      18:40      46,391      --a------      C:\WINDOWS\cq.exe
2006-10-18      18:40      33,792      --a------      C:\WINDOWS\GetXyPwd.exe
2006-10-18      18:39      152      --a------      C:\win_help_flag_5_1.bat
2006-10-18      18:37      429,568      ---------      C:\cha.exe
2006-10-17      22:07      85      --a------      C:\$$a.bat


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))      


2006-10-27 21:43      --------      d--------      C:\Program Files\Internet Explorer
2006-10-27 18:05      --------      d--------      C:\Program Files\Common Files\Symantec Shared
2006-10-26 22:27      --------      d--------      C:\Program Files\Grisoft
2006-10-26 21:52      --------      d--------      C:\Program Files\AutoIt3
2006-10-26 20:38      --------      d--------      C:\Program Files\Opera
2006-10-26 19:58      --------      d--------      C:\Program Files\Opera 9 Beta
2006-10-23 19:18      --------      d--------      C:\Program Files\Emule
2006-10-22 21:55      --------      d--------      C:\Program Files\Maxthon
2006-10-20 19:31      --------      d--------      C:\Program Files\Norton SystemWorks
2006-10-17 22:07      85      --a------      C:\$$a.bat
2006-10-17 19:35      --------      d--------      C:\Documents and Settings\Ned Kelly\Application Data\Real
2006-10-17 19:33      --------      d--------      C:\Program Files\Common Files\xing shared
2006-10-17 19:33      --------      d--------      C:\Program Files\Common Files\Real
2006-10-17 19:33      --------      d--------      C:\Program Files\Common Files
2006-10-17 19:32      --------      d--------      C:\Program Files\Real
2006-10-06 20:51      --------      d--------      C:\Program Files\Symantec
2006-10-06 20:41      --------      d--------      C:\Program Files\Norton AntiVirus
2006-10-02 15:47      --------      d--------      C:\Program Files\iMediaCodec
2006-09-17 21:56      --------      d--------      C:\Program Files\Aspell
2006-09-15 22:04      48816      --a------      C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-15 22:04      109744      --a------      C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-09-11 16:30      275112      --a------      C:\WINDOWS\system32\drivers\srtspl.sys
2006-09-11 16:30      243368      --a------      C:\WINDOWS\system32\drivers\srtsp.sys
2006-09-11 16:30      24232      --a------      C:\WINDOWS\system32\drivers\srtspx.sys
2006-09-03 03:35      613056      --a------      C:\WINDOWS\system32\SymNeti.dll
2006-09-03 03:35      36032      --a------      C:\WINDOWS\system32\drivers\symndisv.sys
2006-09-03 03:35      239808      --a------      C:\WINDOWS\system32\SymRedir.dll
2006-09-03 03:35      186048      --a------      C:\WINDOWS\system32\drivers\symtdi.sys
2006-09-03 03:34      39104      --a------      C:\WINDOWS\system32\drivers\symids.sys
2006-09-03 03:34      33216      --a------      C:\WINDOWS\system32\drivers\symndis.sys
2006-09-03 03:34      26432      --a------      C:\WINDOWS\system32\drivers\symredrv.sys
2006-09-03 03:34      144832      --a------      C:\WINDOWS\system32\drivers\symfw.sys
2006-09-03 03:34      11968      --a------      C:\WINDOWS\system32\drivers\symdns.sys
2006-09-01 21:56      --------      d--------      C:\Program Files\ChineseTools
2006-09-01 19:06      --------      d---s----      C:\Documents and Settings\Ned Kelly\Application Data\Microsoft
2006-08-18 20:11      1056      --ahs----      C:\WINDOWS\system32\KGyGaAvL.sys
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Eraser"="\"G:\\Eraser\\eraser.exe\" -hide"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"EM_EXEC"="C:\\PROGRA~1\\Logitech\\MOUSEW~1\\SYSTEM\\EM_EXEC.EXE"
"WINDVDPatch"="CTHELPER.EXE"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"Jet Detection"="\"C:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"QD FastAndSafe"=""
"MSPY2002"="C:\\WINDOWS\\System32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"GhostStartTrayApp"="C:\\Program Files\\Norton SystemWorks\\Norton Ghost\\GhostStartTrayApp.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"YeppStudioAgent"="C:\\Program Files\\Samsung\\Samsung Media Studio\\SamsungMediaStudioAgent.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\"  -osboot"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"="Eudora's Shell Extension"
"{1A404685-7563-4d02-B0F6-58B308A406A9}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"WizmaxBackup_NoDriveTypeAutoRun"=dword:000000ff

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"WizmaxBackup_NoDriveTypeAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
"backup"="C:\\WINDOWS\\pss\\AutoCAD Startup Accelerator.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\AUTODE~1\\ACSTAR~1.EXE "
"item"="AutoCAD Startup Accelerator"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]      
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService      REG_MULTI_SZ         Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService      REG_MULTI_SZ         DnsCache\0\0
netsvcs      REG_MULTI_SZ         6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0TermService\0wuauserv\0BITS\0ShellHWDetection\0helpsvc\0uploadmgr\0WmdmPmSN\0\0\0
rpcss      REG_MULTI_SZ         RpcSs\0\0
imgsvc      REG_MULTI_SZ         StiSvc\0\0
termsvcs      REG_MULTI_SZ         TermService\0\0

 
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Ned Kelly.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job

Completion time: 06-10-27 21:43:42.23
C:\ComboFix.txt ... 06-10-27 21:43
0
 

Author Comment

by:Ned_Kelly
ID: 17819078
I deleted the last of the IE shortcuts that kept coming back, and it hasn't reappeared as yet, fingers crossed.
0
 

Author Comment

by:Ned_Kelly
ID: 17819138
IE just jumped to a Chinese webpage; I checked, still no shortcut on the desktop.
0
 

Author Comment

by:Ned_Kelly
ID: 17819272
It's certainly behaving better; catch you tomorrow when I'm not so sleepy.  Thanks everyone.
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 500 total points
ID: 17819284
ChineseTools <-- did you install this program? If you did not, then uninstall it.

Did you also fix all those O1 Hosts entries in HijackThis?

C:\WINDOWS\mshosts.exe <-- make sure this file is gone

Can you submit these files below at Jotti for an online check? --> http://virusscan.jotti.org/
C:\cf12.dll
C:\win_help_flag_6_2.bat
C:\win_help_flag_6_1.bat
C:\win_help_flag_5_1.bat
C:\cha.exe
C:\$$a.bat
C:\WINDOWS\GetXyPwd.exe



iMediaCodec <-- this program belongs to the Smitfraud infection, although Smitfraud wasn't showing in your log file.

Let's run SmitfraudFix.
Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer and repeatedly tapping the F8 key as the PC starts. Choose "Safe Mode" from the options listed.
 
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
 
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
 
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
 
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
 
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt



0
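A way to verify that the hosts-file hijack this thread is about (many hostnames written into the hosts file and pointed at one remote address) is really gone after cleanup: an added example, not part of the thread or of any tool mentioned in it, using a constructed sample hosts file with a placeholder address from the TEST-NET-3 documentation range.

```python
import ipaddress
from collections import defaultdict

def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blanks and malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        entries.extend((ip, name.lower()) for name in parts[1:])
    return entries

def is_local(ip):
    """Loopback and 0.0.0.0 are the only targets a clean hosts file normally uses."""
    return ip.is_loopback or ip.is_unspecified

def find_hijacks(text, min_names=3):
    """Map each non-local target to the names pointed at it, keeping only targets
    with min_names or more: the 'heap of URLs to one address' pattern from this thread."""
    by_ip = defaultdict(list)
    for ip, name in parse_hosts(text):
        if not is_local(ip):
            by_ip[str(ip)].append(name)
    return {ip: names for ip, names in by_ip.items() if len(names) >= min_names}

def clean_hosts(text):
    """Return the file with non-local mappings dropped; comments and loopback lines stay."""
    kept = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        try:
            if parts and not is_local(ipaddress.ip_address(parts[0])):
                continue
        except ValueError:
            continue
        kept.append(raw)
    return "\n".join(kept) + "\n"

# Constructed sample (placeholder address from the TEST-NET-3 documentation range).
SAMPLE = """# sample hosts file
127.0.0.1       localhost
203.0.113.7     www.example-a.invalid
203.0.113.7     www.example-b.invalid www.example-c.invalid
0.0.0.0         ads.example.invalid   # ad-block style entry, not a hijack
"""
```

Re-run find_hijacks on the real C:\WINDOWS\system32\drivers\etc\hosts a few minutes after cleaning; if the cluster reappears, the process that rewrites the file is still running.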
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17819944
0
 

Author Comment

by:Ned_Kelly
ID: 17825406
Hi Folks, I have done everything suggested and the system seems to be cruising better than ever.
Thanks for everything to all of you for all your help.  I am going to choose rpggamergirl and up the points to 500.
You have shown me a whole new way to deal with the little buggers, for which I am grateful.
Again, thank you very much rpggamergirl.
Regards nedkelly
0
 

Author Comment

by:Ned_Kelly
ID: 17825413
Chinese Tools is a Chinese dictionary program.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17825479
>>Chinese Tools is a Chinese dictionary program.<<
Thanks, I should've googled it, lol.

No problem, glad to know we could be of assistance.
Thank you very much for accepting my answer and the points with an "A" grade!
Very much appreciated, thank you.

If there's anything we can help you with, just let us know; you still have a week before this topic is locked.

For future reference, if you'd like to read Tony Klein's article on security tips:
http://www.castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html

Good luck with your assignments, and happy computing! :)
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17827051
Bah, band-aids on the cancer... LUP will save you from having to run all that anti-this anti-that...
http://richrumble.blogspot.com/2006/08/anti-admin-vs-anti-virus.html
http://clintonforbes.blogspot.com/2006/10/10-pros-cons-of-switching-from-windows.html (the second-to-last paragraph in the blog is the key...)
Notice I didn't say anything about viruses, trojans, spyware? I haven't been infected in three months on the Apple, but I haven't been infected for 8 years since installing NT 4, Windows 2000 or Windows XP. Why? I don't run as an administrator. This simple action protects you from about 99% of malicious software. It is a simple fact.
-rich
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 17827197
Disabling nasties at msconfig startup and not continuing to clean the PC of what is already in the system is what I would rather call "band-aid on the cancer", because the user is just stopping them from running, but the nasty is still present in the system, waiting to take action when chances arise.

Or half removing an infection, like using SmitfraudFix on SpyAxe and SpywareQuake without clearing the trusted zone, which respawns the infection.
But usually, specific tools created by malware experts do remove specific infections (files and relevant reg entries) when used accordingly.

Operating a PC without admin privileges is a very good idea if it suits someone's needs; it wouldn't suit me, unfortunately.
For some people who have to be admins to run the PC, they just have to take some basic security steps and know what not to do.
It's been nearly 2 years since my PC was messed up with viruses and all (hence I started my fight against malware/viruses).
I don't have all these "anti-this and anti-that" either; some of them slow down the system.
But sometimes you do need to run these programs when you're infected.
What I have is the Zone Alarm free firewall, an updated antivirus, and SpywareBlaster, which suits me very much because my only browser is IE; SpywareBlaster doesn't need to run in the background to protect me.
And I have Spybot TeaTimer on, and lucky for me I haven't had the need to scan my PC for malware/viruses for a very long time (but I suggest everyone should scan their PC for malware/viruses regularly).

Yes, I agree, operating a PC without any admin privileges is a great idea! If it suits your needs, go for it.
Good luck!
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 17827478
To be certain, to remove you need these tools, no doubt. I run McAfee, XP's firewall, and Firefox/Opera ... IE as a last resort. No spyware ever.
M$ will be helping apply LUP with Vista... and it's about time...
http://interviews.slashdot.org/article.pl?sid=06/10/27/1549259 (the answer in Question 4)
http://www.eweek.com/article2/0,1895,1830649,00.asp
http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/158806.aspx <--- must read, straight from M$ itself
http://blogs.msdn.com/aaron_margosis/archive/2004/06/17/157962.aspx
I am encouraging others to use LUA; the links above should help, and there are many tools as well: http://nonadmin.editme.com/UsefulTools
I don't make system changes every day, nor install/uninstall software each day; I don't need admin for day-to-day tasks.
I'll clam up now.
-rich
0
 

Author Comment

by:Ned_Kelly
ID: 17828368
Hi Folks, good to see the ramble is still going.
I personally use Zone Alarm firewall, Norton AntiVirus and Ad-Aware when I remember to do it.
This is the first virus that has got through the system in nearly four and a half years.
All attempts have been picked up by the system and have never been a problem.
My daughter's login is so she cannot play with the system; I might have to change that so she cannot install as well,
though it is the first time that anything has happened, so I think I will do the re-education and go from there.
If drive C:\ goes then I still have the data on the other drives.  I do take school work off onto DVD as well as some other files.
I also used to ghost it, but then the ghost was starting to be bigger than the space I had on the drive so I stopped,
though I know if I cleaned the system and took everything off that I didn't really need on there, I would have enough space
for plenty of ghosts.
Again thanks for all the comments and links, greatly appreciated.
nedkelly
0
