Seems like I have everything! But no detection. Please help confirm and remove?

wishinstonez · 11-22-2007, 07:37 AM

When I was using Norton Internet Security earlier today I noticed that when I ran a full system scan, in the area that tells you what is currently being scanned I saw a LOT of:
Adware. ___
Trojan. ___
Backdoor. ___
Spyware. ___
Trackware. ___
w32. ___
and so on...
___ = the name/words after the dot.

But Norton just scans it, it doesn't pick it up as a risk. So I can't quarantine or remove any of it. I've tried CA eTrust, AVG, Spybot and Adaware...none of them have picked up anything except cookies. I've tried scanning in safe-mode as well.

As far as I can see I haven't got any of the symptons (that I know of anyway). My homepage is still the same, I don't get random pop-ups or see advertisements on my browser. Though sometimes my mouse ends up on the other side of the screen or has a right-click window without me doing anything...is that something to worry about? And sometimes my internet is slow when loading a page (but not when streaming something).

So, are these really infecting my computer?
If so...
Why hasn't any of the programs detected anything?
And what can I do to get rid of them?

If a Hijack log would be useful...I can supply one.

Any help would be appreciated

yosa · 11-22-2007, 10:59 AM

Its important to know that norton and other virus programs can get false readings, the mouse thing is legitimate, I beleive it may be a hardware issue,(or resident virus within an existing memory component; I doubt it) different than the norton problem you describe.(a lot of programs use scare tactics, I wouldn't put it past symamantic as well); I cannot answer either of your questions without the specifics, tell us what your scans identified, the more information the better.

wishinstonez · 11-22-2007, 08:54 PM

I hope it's just a scare tactic..though that is really low of them.
These are the things I keep seeing. There are quite a few I missed because they don't all show up the same every scan. I tried to categorise them:
W32.Mytob.C@mm
W32.Sality.U
w32.Erkez.B@mm
W32.HLLW.Gaobot
W32.Rahack.W
W32.Stration.D@mm
W32.Netsky@mm
W32.Randex
Backdoor.Rustock.B
Backdoor.Jeem
Backdoor.Haxdoor.L
Backdoor.Graybird.G
Backdoor.SubSeven.215
Backdoor.Sincom
Backdoor.Litmus
Trojan.Flush.K
Trojan.Perfcoo
Trojan.Zlob
Adware.AdRoar
Adware.Expand
Adware.iPend
Adware.ZenoSearch
Adware.SearchCentrix
Adware.IEHost
Adware.BrowserAid
Adware.Fastfind.B
Adware.LittleHelper
Adware.HungryHands
Adware.BlazeFind
Adware.LoveFreeGames
Spyware.SpyKy
Spyware.ISpyNow
Spyware.ISnake
Spyware.WALogger
Spyware.GiveMeMore
Spyware.Intelliflag
Trackware.WebGuardian
Infostealer.Sagic
Dialer.Kotu
Dialer.Ulubione
Dialer.Uyelik
Spybouncer
AlfaCleaner
SaferScan
AntiSpyZone
PCHealthPlan
MyCleanerPC
SpyShield
CryptDrive
AntiVermins
IrcFast
SpyDawn
VirusRay
MalWarrior
PCCleaner
RegistryCleanFix
CrisysTecSentry
MyBugFreePC
Movieland

Also they are scanned one after the other, there're no "safe" files in between these.
The Symantec website in the Virus dictionary, when I look at some of these they all say the full-system scan picks them up (unless they're in the "Add/Remove Programs")
I looked up a few of them. I can't find them in the "Add/Remove Programs" if they're meant to be there, I can't find them in the registry files if they were meant to create files, I don't get any of the visible effects of error/virus warnings and pop-ups or anything.

Are they just scare tactics? If so..why so many?
Or does me using Vista Ultimate have something to do with it? (threats not vista-compatible? or they don't show in Vista?

)
Or do I have one of those programs that hides risks and threats so they're not detectable?

Osiris · 11-23-2007, 08:59 AM

post a log

wishinstonez · 11-24-2007, 03:08 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:08 PM, on 24/11/2007
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16546)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\User\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = BigPond Broadband - Wireless, ADSL, Cable and dialup internet access
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [WinSys2] C:\Windows\system32\startup.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 7391 bytes

Osiris · 11-25-2007, 11:00 AM

remove this entry

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

then make sure system restore is off, run ccleaner and cleanup. Then scan with norton again

wishinstonez · 11-26-2007, 04:05 AM

Thanks!

It's still doing the same thing in the scan though...

Osiris · 11-26-2007, 07:18 AM

does is show the path?

wishinstonez · 11-26-2007, 07:13 PM

No, no paths. It just shows the name of it. Like "W32.Sality.U" or "SpyDawn".

I really appreciated you helping

Osiris · 11-26-2007, 07:33 PM

download this http://www.bleepingcomputer.com/resources/link243.html and run it then follow below

make sure spydawn is not listed under add/remove programs

Automated Removal Instructions for SpyDawn:

Print out these instructions as we will need to close every window that is open later in the fix.
Download SmitfraudFix.exe from here and save it to your desktop:

SmitFraudFix.exeConfirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps. The icon will look like the one below:

http://img.bleepingcomputer.com/swr-...x/sff-icon.gif
Next, please reboot your computer into Safe Mode by doing the following:
1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.
5. When you are at the logon prompt, log in as the same user that you had performed the previous steps as.
When your computer has started in safe mode, and you see the desktop, close all open Windows.
Now, double-click on the SmitFraudfix icon that should be residing on your desktop.The icon will look like the one below:

http://img.bleepingcomputer.com/swr-...x/sff-icon.gif
When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen.
You will now see a menu as shown in the image below. Press the number 2 on your keyboard and the press the enter key to choose the option Clean (safe mode recommended).

http://img.bleepingcomputer.com/swr-...udfix/menu.jpg
The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program as shown by the image below.

http://img.bleepingcomputer.com/swr-...smitrem/dc.jpg

This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will should continue with step 11.
When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key.
When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot.
Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, close the Notepad screen.

Your computer should now be free of the SpyDawn infection.

11-22-2007, 07:37 AM	#1 (permalink)
wishinstonez Newb Techie Join Date: Oct 2007 Posts: 28	Seems like I have everything! But no detection. Please help confirm and remove? When I was using Norton Internet Security earlier today I noticed that when I ran a full system scan, in the area that tells you what is currently being scanned I saw a LOT of: Adware. ___ Trojan. ___ Backdoor. ___ Spyware. ___ Trackware. ___ w32. ___ and so on... ___ = the name/words after the dot. But Norton just scans it, it doesn't pick it up as a risk. So I can't quarantine or remove any of it. I've tried CA eTrust, AVG, Spybot and Adaware...none of them have picked up anything except cookies. I've tried scanning in safe-mode as well. As far as I can see I haven't got any of the symptons (that I know of anyway). My homepage is still the same, I don't get random pop-ups or see advertisements on my browser. Though sometimes my mouse ends up on the other side of the screen or has a right-click window without me doing anything...is that something to worry about? And sometimes my internet is slow when loading a page (but not when streaming something). So, are these really infecting my computer? If so... Why hasn't any of the programs detected anything? And what can I do to get rid of them? If a Hijack log would be useful...I can supply one. Any help would be appreciated

11-22-2007, 10:59 AM	#2 (permalink)
yosa Super Techie Join Date: Apr 2005 Location: Peterborough, Ont. Posts: 322	Re: Seems like I have everything! But no detection. Please help confirm and remove? Its important to know that norton and other virus programs can get false readings, the mouse thing is legitimate, I beleive it may be a hardware issue,(or resident virus within an existing memory component; I doubt it) different than the norton problem you describe.(a lot of programs use scare tactics, I wouldn't put it past symamantic as well); I cannot answer either of your questions without the specifics, tell us what your scans identified, the more information the better.

11-22-2007, 08:54 PM	#3 (permalink)
wishinstonez Newb Techie Join Date: Oct 2007 Posts: 28	Re: Seems like I have everything! But no detection. Please help confirm and remove? I hope it's just a scare tactic..though that is really low of them. These are the things I keep seeing. There are quite a few I missed because they don't all show up the same every scan. I tried to categorise them: W32.Mytob.C@mm W32.Sality.U w32.Erkez.B@mm W32.HLLW.Gaobot W32.Rahack.W W32.Stration.D@mm W32.Netsky@mm W32.Randex Backdoor.Rustock.B Backdoor.Jeem Backdoor.Haxdoor.L Backdoor.Graybird.G Backdoor.SubSeven.215 Backdoor.Sincom Backdoor.Litmus Trojan.Flush.K Trojan.Perfcoo Trojan.Zlob Adware.AdRoar Adware.Expand Adware.iPend Adware.ZenoSearch Adware.SearchCentrix Adware.IEHost Adware.BrowserAid Adware.Fastfind.B Adware.LittleHelper Adware.HungryHands Adware.BlazeFind Adware.LoveFreeGames Spyware.SpyKy Spyware.ISpyNow Spyware.ISnake Spyware.WALogger Spyware.GiveMeMore Spyware.Intelliflag Trackware.WebGuardian Infostealer.Sagic Dialer.Kotu Dialer.Ulubione Dialer.Uyelik Spybouncer AlfaCleaner SaferScan AntiSpyZone PCHealthPlan MyCleanerPC SpyShield CryptDrive AntiVermins IrcFast SpyDawn VirusRay MalWarrior PCCleaner RegistryCleanFix CrisysTecSentry MyBugFreePC Movieland Also they are scanned one after the other, there're no "safe" files in between these. The Symantec website in the Virus dictionary, when I look at some of these they all say the full-system scan picks them up (unless they're in the "Add/Remove Programs") I looked up a few of them. I can't find them in the "Add/Remove Programs" if they're meant to be there, I can't find them in the registry files if they were meant to create files, I don't get any of the visible effects of error/virus warnings and pop-ups or anything. Are they just scare tactics? If so..why so many? Or does me using Vista Ultimate have something to do with it? (threats not vista-compatible? or they don't show in Vista? ) Or do I have one of those programs that hides risks and threats so they're not detectable?

11-23-2007, 08:59 AM	#4 (permalink)
Osiris Security/Hacking Mod Join Date: Jan 2005 Location: USA Posts: 23,859	Re: Seems like I have everything! But no detection. Please help confirm and remove? post a log __________________

11-24-2007, 03:08 AM	#5 (permalink)
wishinstonez Newb Techie Join Date: Oct 2007 Posts: 28	Re: Seems like I have everything! But no detection. Please help confirm and remove? Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 6:06:08 PM, on 24/11/2007 Platform: Windows Vista (WinNT 6.00.1904) MSIE: Internet Explorer v7.00 (7.00.6000.16546) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\system32\taskeng.exe C:\Windows\Explorer.EXE C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe C:\Program Files\Microsoft IntelliPoint\ipoint.exe C:\Program Files\Microsoft IntelliType Pro\itype.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe C:\Windows\System32\mobsync.exe C:\Windows\system32\SearchFilterHost.exe C:\Users\User\Desktop\HiJackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = BigPond Broadband - Wireless, ADSL, Cable and dialup internet access R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe O4 - HKLM\..\Run: [WinSys2] C:\Windows\system32\startup.exe O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe" O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL O13 - Gopher Prefix: O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe -- End of file - 7391 bytes

11-25-2007, 11:00 AM	#6 (permalink)
Osiris Security/Hacking Mod Join Date: Jan 2005 Location: USA Posts: 23,859	Re: Seems like I have everything! But no detection. Please help confirm and remove? remove this entry O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) then make sure system restore is off, run ccleaner and cleanup. Then scan with norton again __________________

11-26-2007, 04:05 AM	#7 (permalink)
wishinstonez Newb Techie Join Date: Oct 2007 Posts: 28	Re: Seems like I have everything! But no detection. Please help confirm and remove? Thanks! It's still doing the same thing in the scan though...

11-26-2007, 07:18 AM	#8 (permalink)
Osiris Security/Hacking Mod Join Date: Jan 2005 Location: USA Posts: 23,859	Re: Seems like I have everything! But no detection. Please help confirm and remove? does is show the path? __________________

11-26-2007, 07:13 PM	#9 (permalink)
wishinstonez Newb Techie Join Date: Oct 2007 Posts: 28	Re: Seems like I have everything! But no detection. Please help confirm and remove? No, no paths. It just shows the name of it. Like "W32.Sality.U" or "SpyDawn". I really appreciated you helping

11-26-2007, 07:33 PM	#10 (permalink)
Osiris Security/Hacking Mod Join Date: Jan 2005 Location: USA Posts: 23,859	Re: Seems like I have everything! But no detection. Please help confirm and remove? download this http://www.bleepingcomputer.com/resources/link243.html and run it then follow below make sure spydawn is not listed under add/remove programs Automated Removal Instructions for SpyDawn: Print out these instructions as we will need to close every window that is open later in the fix. Download SmitfraudFix.exe from here and save it to your desktop: SmitFraudFix.exeConfirm that the file SmitfraudFix.exe now resides on your desktop, but do not double-click on the icon as of yet. We will use it in later steps. The icon will look like the one below: http://img.bleepingcomputer.com/swr-...x/sff-icon.gif Next, please reboot your computer into Safe Mode by doing the following: Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. When you are at the logon prompt, log in as the same user that you had performed the previous steps as. When your computer has started in safe mode, and you see the desktop, close all open Windows. Now, double-click on the SmitFraudfix icon that should be residing on your desktop.The icon will look like the one below: http://img.bleepingcomputer.com/swr-...x/sff-icon.gif When the tool first starts you will see a credits screen. Simply press any key on your keyboard to get to the next screen. You will now see a menu as shown in the image below. Press the number 2 on your keyboard and the press the enter key to choose the option *Clean (safe mode recommended).* http://img.bleepingcomputer.com/swr-...udfix/menu.jpg The program will start cleaning your computer and go through a series of cleanup processes. When it is done, it will automatically start the Disk Cleanup program as shown by the image below. http://img.bleepingcomputer.com/swr-...smitrem/dc.jpg This program will remove all Temp, Temporary Internet Files, and other files that may be leftover files from this infection. This process can take up to a few hours depending on your computer, so please be patient. When it is complete, it will close automatically and you will should continue with step 11. When Disk Cleanup is finished, you will be presented with an option asking Do you want to clean the registry ? (y/n). At this screen you should press the Y button on your keyboard and then press the enter key. When this last routine is finished, you will be presented with a red screen stating Computer will reboot now. Close all applications. You should now press the spacebar on your computer. A counter will appear stating that the computer will reboot in 15 seconds. Do not cancel this countdown and allow your computer to reboot. Once the computer has rebooted, you will be presented with a Notepad screen containing a log of all the files removed from your computer. Examine this log, and when you are done, close the Notepad screen. Your computer should now be free of the SpyDawn infection. __________________

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode