Author Topic: I Need Help with WebSiteViewer  (Read 802 times)

Aaron07
« on: March 14, 2005, 01:21:00 PM »
I'm using Windows XP Home Edition and I've tried to delete WebSiteViewer several times. I have used Spybot, Ad-Aware, Norton AntiVirus 2005 and Trojan Remover, but none have worked. My HijackThis log is below.


Logfile of HijackThis v1.99.1
Scan saved at 12:02:29 PM, on 3/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\netlm32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\unzipped\hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7F0F2565-877E-9354-50D9-CAEBA6908734} - C:\WINDOWS\system32\iedu32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [sysyr.exe] C:\WINDOWS\sysyr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\PCUSER~1\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKCU\..\Run: [TurboConnect] C:\PROGRA~1\TURBOC~1\TurboConnect.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - C:\Program Files\My IP Suite\MyIPSuite.exe
O9 - Extra 'Tools' menuitem: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - C:\Program Files\My IP Suite\MyIPSuite.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://swgbetareg.station.sony.com/soesysinfo.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CADB507-F086-4767-8B91-F02AAEB07C88}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2748D4B-A5EA-4DFF-80D7-9950FB7DDD45}: NameServer = 166.102.165.13,166.102.165.11
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: AOpen NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Network Security Service (  6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\netlm32.exe

guestolo (Administrator)
« Reply #1 on: March 14, 2005, 10:20:39 PM »
I need you to download a few tools, please

===Download and Save Clear.zip
UNZIP the contents to desktop
Now you should have fix.reg and cwsserviceremove.reg on your desktop
Don't run them yet, we'll need them later

===Download to desktop About:Buster.zip
by RubbeR Ducky
Unzip the contents to desktop, a folder will be placed on your desktop
Open it and run About:buster.exe
Click the Update Button and check for updates, if any, download them
Then close it for now, we'll need this later

===Download and Install this small program
to help clean your temp folders,cookies,prefetch folder, etc...
Windows Cleanup
Install for now, don't run a scan yet

===Download and save to desktop
HSFIX.zip
Unzip the contents of HSFix.zip and an HSFix directory will be created
We'll need this later

Please open an empty Notepad file
START>>RUN>>type in notepad
Hit OK
Save the rest of these instructions to that empty notepad file and place it on your Desktop for easy Access

===Important
RESTART your Computer in SAFE MODE

===Next: Go to START>>>RUN>>>type in services.msc
and hit Enter
In the next window, look on the right hand side for this service
name---- Network Security Service

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled
from Automatic

======Open Hijackthis>>Open Misc Tools Section>>Open "Delete an NT Service"
Copy and Paste the next entry in bold to the blank box and hit OK

Network Security Service

Do the same for this service name

 6QÔõ'ª´ÆÐ8

===Stay in safe mode and navigate to these files or folders and delete them if they exist
C:\WINDOWS\netlm32.exe <--file
C:\WINDOWS\system32\iedu32.dll <-file
C:\WINDOWS\sysyr.exe <-file

These next files also if found
C:\misb.exe <--this file
C:\WINDOWS\ibs.exe <--file, if found

C:\Program Files\WebSiteViewer <--this folder

Look for any of these files and delete them
you may want to do a search for the bolded files too
C:\Documents and Settings\YOUR USER\desktop\sexcam.lnk <--file
C:\Documents and Settings\YOUR USER\start menu\sexcam.lnk <--file

Also check other user accounts including All Users account
If you see this folder, delete it too
C:\WINDOWS\System32\Cache <--this folder,in the exact location, let me know if you find it

===In safe mode
Do another Scan with Hijackthis and put a check next to these entries
and then FIX CHECKED when ALL other windows are closed

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {7F0F2565-877E-9354-50D9-CAEBA6908734} - C:\WINDOWS\system32\iedu32.dll

O4 - HKLM\..\Run: [sysyr.exe] C:\WINDOWS\sysyr.exe

O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\PCUSER~1\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe

O4 - Startup: PowerReg Scheduler V3.exe

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab

O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\netlm32.exe


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Navigate to About:buster you unzipped and updated earlier
===Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time. Save the log... Then hit Exit
You may have to scan more than twice, try 3 or 4 times until no files or Data Streams are found

===Double click on cwsserviceremove.reg and allow it to merge to the registry

===Double click on fix.reg and allow to merge

===Navigate to the HSFix directory and double-click on HSFix.bat.
* It will produce a log file, located here: C:\hslog.txt. <--we'll need this later

===Open Windows CleanUp!>>START>>All programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files

===RESTART back in Normal mode

===Look for shell.dll in your C:\Windows\system32 folder
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder

===# Check ActiveX security settings:
* In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)

===I know you have Norton's installed, but you may want to temporarily disable it and also try an Online virus scan at Panda's
Save the report afterwards
http://www.pandasoftware.com/activescan/co...n_principal.htm

===Post back a fresh Hijackthis log
Also the logs from About:Buster
Also the report from Panda's if you ran the scan
And the log produced from HSFix.bat>>C:\hslog.txt <-this log

Could you also Open Hijackthis>>Open Misc tools>>Open Hosts file manager
click the "Open In Notepad" button
Notepad should open with your Hosts entries
Copy and paste back here the Whole contents of the Hosts notepad file

You mentioned you have Spybot>>Is it Spybot version 1.3?
I see Spyware Doctor installed, I want to be sure
I'm just checking....

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
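
Added example (not part of the original thread, and not HijackThis's own logic): a small Python triage script that parses HijackThis entry lines and marks the ones matching the kinds of patterns singled out in the reply above. The sample lines are copied from the log posted in this thread; the function names and heuristics are assumptions made for illustration, and a match means "review this entry", not "malicious".

```python
import re

# A subset of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\netlm32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {7F0F2565-877E-9354-50D9-CAEBA6908734} - C:\WINDOWS\system32\iedu32.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sysyr.exe] C:\WINDOWS\sysyr.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\PCUSER~1\LOCALS~1\Temp\MiniBug.exe 1
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Network Security Service ( 6QÔõ'ª´ÆÐ8) - Unknown owner - C:\WINDOWS\netlm32.exe
"""

# Entry lines look like "<section> - <body>", e.g. "O4 - HKLM\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")

# An .exe sitting directly in C:\WINDOWS (not in a subfolder such as System32).
WINDOWS_ROOT_EXE_RE = re.compile(r"C:\\WINDOWS\\[^\\]+\.exe", re.IGNORECASE)


def parse_entries(log_text):
    """Return (section, body) for each R*/O* line; header and process list are skipped."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def review_reasons(section, body):
    """Illustrative heuristics only: each returned string is a reason to look closer."""
    reasons = []
    if section in ("R0", "R1") and "res://" in body.lower():
        reasons.append("IE search/start setting points into a local DLL via res://")
    if section == "O2" and "(no name)" in body:
        reasons.append("Browser Helper Object has no name")
    if section == "O4" and re.search(r"\\temp\\", body, re.IGNORECASE):
        reasons.append("autostart entry runs from a Temp directory")
    if section in ("O4", "O23") and WINDOWS_ROOT_EXE_RE.search(body):
        reasons.append("executable sits directly in C:\\WINDOWS")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service binary carries no company name")
    if section == "O23" and any(ord(ch) > 126 for ch in body):
        reasons.append("service name contains non-ASCII characters")
    if section == "O16" and re.match(r"DPF: \{[0-9A-Fa-f-]+\} - ", body):
        reasons.append("downloaded ActiveX control has no class name")
    if body.endswith("(file missing)"):
        reasons.append("entry references a file that no longer exists")
    return reasons


def triage(log_text):
    """Return (section, body, reasons) for every entry with at least one reason."""
    findings = []
    for section, body in parse_entries(log_text):
        reasons = review_reasons(section, body)
        if reasons:
            findings.append((section, body, reasons))
    return findings


if __name__ == "__main__":
    for section, body, reasons in triage(SAMPLE_LOG):
        print(f"[{section}] {body}")
        for reason in reasons:
            print(f"    review: {reason}")
```

On the sample, `runservice.exe` (LicCtrl Service) trips the same rules as `netlm32.exe` even though the reply above does not ask for it to be removed, which is why the output is a review list and not a fix list.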


Aaron07
« Reply #2 on: March 15, 2005, 05:04:46 PM »
Yes, I have Spybot 1.3 and also have Spyware Doctor installed. I'm about to reboot in safe mode, so I'll post my logs as soon as I finish, and thank you for your help.

Aaron07
« Reply #3 on: March 15, 2005, 06:32:08 PM »
OK, I've done all of the steps; here are my log files.

About:Buster
Scanned at: 4:43:17 PM   on: 3/15/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25

No ADS found on system
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\feivi.dat
Removed! : C:\WINDOWS\fhmap.dat
Removed! : C:\WINDOWS\lgokx.dat
Removed! : C:\WINDOWS\System32\nynrb.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

HSfix:
cerbmod.dll
 
HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 4:33:47 PM, on 3/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\mmc.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\oyuip.dll/sp.html#69447
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7F0F2565-877E-9354-50D9-CAEBA6908734} - C:\WINDOWS\system32\iedu32.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [sysyr.exe] C:\WINDOWS\sysyr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Tray Temperature] C:\DOCUME~1\PCUSER~1\LOCALS~1\Temp\MiniBug.exe 1
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [TurboConnect] C:\PROGRA~1\TURBOC~1\TurboConnect.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - blank (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - C:\Program Files\My IP Suite\MyIPSuite.exe
O9 - Extra 'Tools' menuitem: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - C:\Program Files\My IP Suite\MyIPSuite.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://swgbetareg.station.sony.com/soesysinfo.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2748D4B-A5EA-4DFF-80D7-9950FB7DDD45}: NameServer = 166.102.165.13,166.102.165.11
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: AOpen NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

guestolo (Administrator)
« Reply #4 on: March 15, 2005, 07:19:32 PM »
Can you tell me what steps you did from what I posted, because it definitely looks like you missed some steps
I just want to be sure so I don't have to repeat myself



Aaron07
« Reply #5 on: March 15, 2005, 07:20:30 PM »
the Pandascan logfile:

Incident                      Status                        Location                                                                                                                                                                                                                                                        

Spyware:Spyware/New.net       No disinfected                C:\Program Files\NewDotNet                                                                                                                                                                                                                                      
Adware:Adware/SaveNow         No disinfected                Windows Registry                                                                                                                                                                                                                                                
Adware:Adware/SearchAid       No disinfected                C:\Documents and Settings\PC User\Favorites\Only sex website.url                                                                                                                                                                                                
Spyware:Spyware/Bridge        No disinfected                C:\WINDOWS\Downloaded Program Files\bridge.???                                                                                                                                                                                                                  
Adware:Adware/SideSearch      No disinfected                Windows Registry                                                                                                                                                                                                                                                
Spyware:Spyware/Petro-Line    No disinfected                C:\Documents and Settings\PC User\Favorites\Sites about\Ab scissor.url                                                                                                                                                                                          
Adware:Adware/Delta           No disinfected                Windows Registry                                                                                                                                                                                                                                                
Adware:Adware/Apropos         No disinfected                C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Manager\Downloads\AlertSWF\contents\Exec.exe                                                                                                                                          
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\PC User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-3cf24c6a-43c1935e.class                                                                                                                              
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\PC User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5d989a67-38bed599.zip[Gummy.class]                                                                                                                        
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\PC User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-51607092.zip[BlackBox.class]                                                                                                                  
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\PC User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-51607092.zip[VBUG.class]                                                                                                                      
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\PC User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-51607092.zip[Dummy.class]                                                                                                                    
Virus:Trj/StartPage.JU        Disinfected                   C:\Documents and Settings\PC User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-51607092.zip[Beyond.class]                                                                                                                    
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\PC User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-39c10a1a-5cf70b21.zip[Dummy.class]                                                                                                                    
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\PC User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a912fd2-5ad6b4ba.zip[A.class]                                                                                                                        
Spyware:Spyware/New.net       No disinfected                C:\Program Files\NewDotNet\newdotnet6_22.dll                                                                                                                                                                                                                    
Adware:Adware/SearchAid       No disinfected                C:\WINDOWS\crip32.exe                                                                                                                                                                                                                                          
Spyware:Spyware/New.net       No disinfected                C:\WINDOWS\NDNuninstall4_85.exe                                                                                                                                                                                                                                
Spyware:Spyware/New.net       No disinfected                C:\WINDOWS\NDNuninstall5_48.exe                                                                                                                                                                                                                                
Spyware:Spyware/New.net       No disinfected                C:\WINDOWS\NDNuninstall5_64.exe                                                                                                                                                                                                                                
Spyware:Spyware/New.net       No disinfected                C:\WINDOWS\NDNuninstall6_10.exe                                                                                                                                                                                                                                
Spyware:Spyware/New.net       No disinfected                C:\WINDOWS\NDNuninstall6_22.exe                                                                                                                                                                                                                                
Adware:Adware/CWS.Aboutblank  No disinfected                C:\WINDOWS\netlm32.exe                                                                                                                                                                                                                                          
Adware:Adware/EasySearch      No disinfected                C:\WINDOWS\oyuip.dll                                                                                                                                                                                                                                            
Adware:Adware/EasySearch      No disinfected                C:\WINDOWS\qbori.dll                                                                                                                                                                                                                                            
Adware:Adware/SearchAid       No disinfected                C:\WINDOWS\READREG                                                                                                                                                                                                                                              
Adware:Adware/StartPage.BK    No disinfected                C:\WINDOWS\rkpdn.dll                                                                                                                                                                                                                                            
Adware:Adware/SearchAid       No disinfected                C:\WINDOWS\system32\crdr.exe                                                                                                                                                                                                                                    
Adware:Adware/SearchAid       No disinfected                C:\WINDOWS\system32\iesc32.exe                                                                                                                                                                                                                                  
Adware:Adware/StartPage.BK    No disinfected                C:\WINDOWS\system32\jceqi.dll                                                                                                                                                                                                                                  
Adware:Adware/EasySearch      No disinfected                C:\WINDOWS\system32\rpwbk.dll                                                                                                                                                                                                                                  
Adware:Adware/StartPage.BK    No disinfected                C:\WINDOWS\system32\twaco.dll                                                                                                                                                                                                                                  
Adware:Adware/StartPage.BK    No disinfected                C:\WINDOWS\system32\uompd.dll                                                                                                                                                                                                                                  
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\system32\xmlparse.dll                                                                                                                                                                                                                                
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\system32\xmltok.dll                                                                                                                                                                                                                                  
Adware:Adware/StartPage.BK    No disinfected                C:\WINDOWS\uygnc.dll                                                                                                                                                                                                                                            

and the host entries had nothing in it, and I don't know if I messed up or not

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
I Need Help with WebSiteViewer
« Reply #6 on: March 15, 2005, 07:26:11 PM »
Actually Aaron, before I even start looking over this log again I need to see a new Hijackthis log
After you have Restarted to Normal mode
You appeared to supply one in Safe mode

Could you also post this log
Don't tell me what you see in it, but post it
C:\hslog.txt <-this log, it must be Unzipped before you ran the fix
« Last Edit: March 15, 2005, 07:35:50 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline Aaron07

I Need Help with WebSiteViewer
« Reply #7 on: March 15, 2005, 07:48:45 PM »
all that's in hslog.txt is cerbmod.dll.


Logfile of HijackThis v1.99.1
Scan saved at 6:43:24 PM, on 3/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [TurboConnect] C:\PROGRA~1\TURBOC~1\TurboConnect.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - blank (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - C:\Program Files\My IP Suite\MyIPSuite.exe
O9 - Extra 'Tools' menuitem: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - C:\Program Files\My IP Suite\MyIPSuite.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://swgbetareg.station.sony.com/soesysinfo.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CADB507-F086-4767-8B91-F02AAEB07C88}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2748D4B-A5EA-4DFF-80D7-9950FB7DDD45}: NameServer = 166.102.165.13,166.102.165.11
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: AOpen NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Offline guestolo

I Need Help with WebSiteViewer
« Reply #8 on: March 15, 2005, 07:50:25 PM »
Did you make sure that you Unzipped HSFix before running it?
Not that we may need it, but I'm just curious



Offline Aaron07

I Need Help with WebSiteViewer
« Reply #9 on: March 15, 2005, 08:09:00 PM »
yes I unzipped before using HSfix.

Offline guestolo

I Need Help with WebSiteViewer
« Reply #10 on: March 15, 2005, 08:51:30 PM »
Let's try the following
NewDotNet has been known to hijack your Winsock settings, I don't see this in your case
But could you for now
Download and Unzip to your Desktop LSPfix.zip
http://www.cexx.org/lspfix.htm
We have it just in case we need it

Also Download and save to desktop the Standalone version of CWShredder.exe

One more download
===Download The Hoster
Unzip it to a folder
We'll need this later

===Download the Pocket Killbox
UNZIP it to a folder of your choice

Please copy and paste these instructions to an empty Notepad file and leave it on your desktop and then Disconnect completely from the Internet
Open these instructions and leave them open until we have restarted your computer

Do another scan with Hijackthis and put a check next to these entries:

R3 - Default URLSearchHook is missing

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open your Control Panel>>Open the Java Plugin
click the Cache Tab and Clear the cache

Run Pocket KillBox>>Now you have Killbox and this notepad file open


In Killbox
At the main screen of Pocket Killbox

In the Full Path of File to Delete box, copy and paste this entry:

C:\WINDOWS\crip32.exe

use the Delete on Reboot radio button
Press the Delete file button >>The Red circle and a white X.
If asked to Reboot now, Don't yet

Do the same for the rest below
Additionally, use the "Unregister .dll before deleting" option for any .dll file
Before selecting the Delete file button

==============================================

C:\Documents and Settings\PC User\Favorites\Only sex website.url
C:\Documents and Settings\PC User\Favorites\Sites about\Ab scissor.url
C:\WINDOWS\NDNuninstall4_85.exe
C:\WINDOWS\NDNuninstall5_48.exe
C:\WINDOWS\NDNuninstall5_64.exe
C:\WINDOWS\NDNuninstall6_10.exe
C:\WINDOWS\NDNuninstall6_22.exe
C:\WINDOWS\netlm32.exe
C:\WINDOWS\READREG
C:\WINDOWS\system32\crdr.exe
C:\WINDOWS\system32\iesc32.exe
C:\WINDOWS\rkpdn.dll
C:\WINDOWS\oyuip.dll
C:\WINDOWS\qbori.dll
C:\WINDOWS\system32\jceqi.dll
C:\WINDOWS\system32\rpwbk.dll
C:\WINDOWS\system32\twaco.dll
C:\WINDOWS\system32\uompd.dll
C:\WINDOWS\system32\xmlparse.dll
C:\WINDOWS\system32\xmltok.dll
C:\WINDOWS\uygnc.dll


=================================================

After entering the last path into Killbox
Allow the computer to Reboot
or Restart the computer anyways

Back in Windows

Don't open a browser yet, instead,
With Only CWShredder open click the FIX button
Allow to fix any problems and
Restart your computer again

Back in Windows
Open HOSTER and click the "Restore Original Hosts" button

===If you have SPYBOT 1.3 installed
Download this file SDHelper13.zip
Save the Zip file to your desktop and Unzip it to your C:\Program Files\Spybot - Search & Destroy folder
To ensure it's enabled...Open Spybot>>Immunize
Put a tick next to "Enable Permanent blocking of bad addresses in IE"

Find and delete these folders
C:\Program Files\NewDotNet <--folder
C:\Documents and Settings\All Users\Application Data\Viewpoint <-folder

Could you also make sure that any of those files found bad by Pandas are gone

Post back with a fresh Hijackthis log afterwards

Could you also
===Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad, not including the word Quote
In Notepad click FILE>>SAVE AS

Name the file as Export.bat

Save this file on the desktop

Quote
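@echo off
rem Go to the root of the current drive, then into the ActiveX download cache
cd\
cd\WINDOWS\Downloaded Program Files
rem List every file (hidden and system included) with its owner into C:\dpflist.txt
dir /a /Q * >C:\dpflist.txt
rem Open the listing in its default viewer
start "" C:\dpflist.txt
cls
exit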

Double click on Export.bat and post back the dpflist.txt log that opens
« Last Edit: March 15, 2005, 08:56:09 PM by guestolo »



Offline Aaron07

I Need Help with WebSiteViewer
« Reply #11 on: March 17, 2005, 06:12:59 PM »
the dpflist.txt file

 Directory of C:\WINDOWS\Downloaded Program Files

03/15/2005  05:12 PM    <DIR>          BUILTIN\Administrators .
03/15/2005  05:12 PM    <DIR>          BUILTIN\Administrators ..
08/04/2003  02:35 PM               171 COLORTYM-UPUKM5\PC Userampx.inf
02/08/2005  10:52 AM           110,592 COLORTYM-UPUKM5\PC Userasinst.dll
02/08/2005  10:54 AM               525 COLORTYM-UPUKM5\PC Userasinst.inf
03/03/2004  08:38 PM               309 COLORTYM-UPUKM5\PC Userbridge.inf
07/02/2003  02:39 PM                65 BUILTIN\Administrators desktop.ini
10/14/1997  05:52 PM               697 BUILTIN\Administrators DirectAnimation Java Classes.osd
02/16/2004  02:42 PM           118,784 COLORTYM-UPUKM5\PC UserDoomCln.dll
02/16/2004  02:10 PM               306 COLORTYM-UPUKM5\PC UserDOOMCLN.INF
06/21/2004  06:11 PM           294,912 COLORTYM-UPUKM5\PC UserFilePlanetDownloadCtrl.dll
08/02/2002  09:26 AM           126,976 COLORTYM-UPUKM5\PC Usergsda.dll
09/05/2001  04:22 AM            24,576 COLORTYM-UPUKM5\PC UseriSetup.dll
09/05/2001  04:21 AM           159,744 COLORTYM-UPUKM5\PC UseriSetup.exe
09/05/2001  04:22 AM               411 COLORTYM-UPUKM5\PC Userisetup.inf
01/29/2004  03:02 PM               409 COLORTYM-UPUKM5\PC UserITDetector.inf
08/25/2003  06:12 PM             1,096 COLORTYM-UPUKM5\PC Useriuctl.inf
01/20/2000  02:25 PM             1,162 BUILTIN\Administrators Microsoft XML Parser for Java.osd
04/26/2004  03:23 PM               253 COLORTYM-UPUKM5\PC Usersoesysinfo.inf
04/26/2004  03:29 PM            86,016 COLORTYM-UPUKM5\PC Usersoesysinfo.ocx
12/08/2003  12:58 PM             3,759 COLORTYM-UPUKM5\PC Userswflash.inf
08/03/2004  02:51 PM               293 COLORTYM-UPUKM5\PC Userwuweb.inf
03/24/2004  06:17 PM             1,777 COLORTYM-UPUKM5\PC Userxscan.inf
03/24/2004  05:22 PM           435,712 COLORTYM-UPUKM5\PC Userxscan53.ocx
              22 File(s)      1,368,545 bytes
               2 Dir(s)  34,348,134,400 bytes free

HijackThis log files

Logfile of HijackThis v1.99.1
Scan saved at 5:11:05 PM, on 3/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKCU\..\Run: [TurboConnect] C:\PROGRA~1\TURBOC~1\TurboConnect.exe 1
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - blank (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - C:\Program Files\My IP Suite\MyIPSuite.exe
O9 - Extra 'Tools' menuitem: My IP Suite - {FB5F1910-F110-11d2-BB9E-80C04F795683} - C:\Program Files\My IP Suite\MyIPSuite.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B3872502-F9FD-4E96-93FF-0D37298F0689} (SOESysInfo Control) - http://swgbetareg.station.sony.com/soesysinfo.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/d.../ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CADB507-F086-4767-8B91-F02AAEB07C88}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{A2748D4B-A5EA-4DFF-80D7-9950FB7DDD45}: NameServer = 166.102.165.13,166.102.165.11
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: AOpen NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

also on a side note, for the past 3 months my computer has been rebooting on its own, I have no clue what's causing this but it's really getting annoying.
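
The check requested in Reply #10 (making sure the files Panda flagged are gone) can be run against the posted logs themselves. The Python below is an added example, not part of the original thread: it parses the Panda report rows, keeps the ones marked "No disinfected", and reports where a HijackThis log still mentions them; the sample data are abridged excerpts of the logs posted here, and the function names are assumptions.

```python
import re

# Abridged excerpts of the logs posted in this thread (values copied from the page).
PANDA_REPORT = r"""
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\PC User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-51607092.zip[Dummy.class]
Spyware:Spyware/New.net       No disinfected                C:\Program Files\NewDotNet\newdotnet6_22.dll
Adware:Adware/CWS.Aboutblank  No disinfected                C:\WINDOWS\netlm32.exe
Adware:Adware/EasySearch      No disinfected                C:\WINDOWS\oyuip.dll
Adware:Adware/SAHAgent        No disinfected                C:\WINDOWS\system32\xmlparse.dll
"""

HJT_BEFORE = r"""
Running processes:
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\netlm32.exe
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\oyuip.dll/sp.html#69447
"""

HJT_AFTER = r"""
Running processes:
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
"""

# Columns are separated by runs of two or more spaces; the status
# "No disinfected" and the file paths only ever contain single spaces.
ROW = re.compile(
    r"^(?P<kind>[^:\s]+):(?P<name>\S+)\s{2,}(?P<status>.+?)\s{2,}(?P<target>.+?)\s*$"
)
# Detections inside an archive are written as archive-path[member].
MEMBER = re.compile(r"^(?P<path>.+?)\[(?P<member>[^\]]+)\]$")
# HijackThis entry lines start with a section code such as R1, O4 or O23.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - ")


def parse_panda_report(text):
    """Return one dict per detection row: kind, name, status, path, member."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # blank line or not a detection row
        row = m.groupdict()
        target = row.pop("target")
        inner = MEMBER.match(target)
        row["path"] = inner["path"] if inner else target
        row["member"] = inner["member"] if inner else None
        rows.append(row)
    return rows


def unresolved(rows):
    """Paths the scanner reported but did not clean ('No disinfected')."""
    return [r["path"] for r in rows if r["status"].lower() != "disinfected"]


def references(paths, hjt_log):
    """Map each flagged path to the HijackThis sections that still mention it.

    A section is 'process' for the running-process list, or the entry code
    (R1, O4, ...) for a registry/startup line. Matching is case-insensitive.
    """
    found = {}
    in_processes = False
    for line in hjt_log.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if not line:
            in_processes = False  # the process list ends at the first blank line
            continue
        entry = ENTRY.match(line)
        section = "process" if in_processes else (entry.group(1) if entry else None)
        if section is None:
            continue  # header lines such as "Scan saved at ..."
        lowered = line.lower()
        for path in paths:
            if path.lower() in lowered:
                found.setdefault(path, []).append(section)
    return found


if __name__ == "__main__":
    flagged = unresolved(parse_panda_report(PANDA_REPORT))
    for label, log in (("3/14 log", HJT_BEFORE), ("3/17 log", HJT_AFTER)):
        print(label, references(flagged, log) or "no flagged path referenced")
```

A path missing from the HijackThis log is no longer running or referenced by the entries HijackThis enumerates; whether the file is still on disk has to be checked on the machine itself.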

Offline guestolo

I Need Help with WebSiteViewer
« Reply #12 on: March 17, 2005, 11:15:02 PM »
Right click the "My Computer" icon
Left click Properties
Click the Advanced tab
Under Startup and Recovery
Click Settings
Under System Failure
Uncheck "Automatically Restart"
OK and Apply it
This may help you figure out what's causing the Restarts if you see an error message
Instead of the computer restarting

Next:
Go to START>>RUN
Type in
cmd
At the prompt type in

cd\WINDOWS\Downloaded Program Files (hit Enter on your keyboard)>then type
del bridge.inf (hit Enter), notice the single space between del and bridge
exit

You should clear your System Restore points
disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
« Last Edit: March 18, 2005, 12:51:53 AM by guestolo »



Offline Aaron07

I Need Help with WebSiteViewer
« Reply #13 on: March 21, 2005, 08:26:54 PM »
also, my computer will not let me play any games for longer than 10 minutes without rebooting me, freezing or kicking me out of the game. This is very annoying and I don't know what to do or if it's connected to a trojan/virus I already have.