Virus and Spyware Problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by hairball69, May 10, 2007.

  1. hairball69

    hairball69 Private E-2

    Hello and thanks in advance for any help. :)

    I have gone through the READ & RUN ME FIRST guide. The reason I'm here is because my computer would freeze after a couple of minutes of being on. After running the scans I feel like I have cleaned everything up except for 1 virus and 1 spyware. I found them both in the BitDefender and Panda scans. I will attach the logs.

    Any help is appreciated.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    You need to attach the other requested logs.
    • CounterSpy - only for Windows XP, 2K, & NT users
    • AVG Antispyware log - ONLY IF NEEDED, i.e. if you were not able to run CounterSpy - only for Windows XP, 2K, & NT users
    • runkeys.txt - the log from GetRunKey.bat
    • HijackThis
    Also, your log from ShowNew is incomplete. Did you notice any error messages in the command prompt window that comes up while running it?
     
  3. hairball69

    hairball69 Private E-2

    Oops. Sorry about that. I think I fixed the ShowNew file also.
     

    Attached Files:

  4. hairball69

    hairball69 Private E-2

    And one more.
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your major problem appears to be that your system seems to be trying to run a lot of software that is no longer installed. I would bet that before running the READ & RUN ME you had made the same mistake as thousands of other people and had been using MSconfig to unload various startups, and at some point uninstalled applications that were at the time disabled with MSconfig. This leads to applications never being uninstalled properly. Let's start cleaning up all this mess.

    First uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Also uninstall the below software:
    Java 2 Runtime Environment, SE v1.4.2
    Norton WMI Update

    Now let's stop an old service from Symantec Antivirus which is no longer installed.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to SymWMI Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SymWSC into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Question: Do you still have stuff from eBay installed, and do you use the below?
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKLM\..\Run: [Reminder] C:\Windows\Creator\Remind_XP.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe
    O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\McAfee.com\Agent\McAgent.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O15 - Trusted Zone: *.carmls.com
    O15 - Trusted Zone: *.fnismls.com
    O16 - DPF: {0806E114-B920-6E11-3B72-65460DEFA272} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {13007D0D-E581-7C38-411C-694D70C01E10} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {16C0A23D-45C5-7AAD-41FD-1CEF0D41DABD} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {1C48BA0D-5489-48C9-C872-4E061694C02B} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {21462DFB-4471-1EEC-4006-643C353790CD} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {23014E29-2774-5D4A-4EEC-63FF5C586BFB} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {29A43F88-5755-6A31-9480-379049436314} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {2CA407B3-A0FA-6A45-26F7-1C9903C457A2} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {2E3FC67C-3A7E-4819-6B6C-65D67E502D4F} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {32505528-134F-5575-D9DC-016668CB43E4} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {326FF40D-89E4-1650-8C74-0F5A4F6CFD10} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {3470A60D-FD85-6DFF-A67B-6A6860AE088E} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {39F3F287-E112-0A62-E9B6-2AF6690FFBE1} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {40336BCC-02EF-699C-ABAD-2CFB3123B798} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {41B1C062-A1A8-24FE-352D-44760D020384} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {484F3EF2-063A-5D41-E58F-6CF67A88352A} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {52A67298-9A9C-4C4F-BCA4-152F24BCBA08} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {5534AE95-1259-133E-7DBE-76746DDF6AD3} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {55D38B24-69CF-6224-2882-01633F6A30EB} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {59C92172-53A3-61C9-10C4-04842F16A1F8} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {5B08D160-46D2-30E8-43E1-5D9E1114B7D3} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {61AB62C3-3B3E-1EAF-6240-0B2C61B65058} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {61C63F7A-BD89-61EF-3C5D-409960D5636F} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {64E10135-04D0-5802-0E93-1D7C6AA912D2} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {67A5DA02-16E8-3CBD-FA8B-65306B7031EC} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {6980F9B1-3ADA-44D3-85AC-39796C1A63B6} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {6A14260E-740D-70F2-7B78-4DCA4973D903} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {6AB42147-C274-34B0-09B7-74CF278A688F} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {6BF13626-944E-157C-62E2-421222A826EA} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {6C0760C9-BD24-2CE8-8E3C-51DB765E46FD} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {6D1423E3-A46A-406B-35B9-7DCF4D252C98} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {6DDD6AA3-CB71-3310-30E4-6A7256FBC64C} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {6E48D177-D5E0-7E82-0348-38171299A227} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {75FAFD01-0DDE-632D-527B-16DB66AE4002} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {76399B5F-BCD1-1D9C-E2DE-796B7DCA5D20} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {76806E7B-EF5C-19A3-0B23-379175B43A66} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {775AFEFC-0B57-767A-B05B-561C5BBFBB27} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {7AD5B777-38E7-696A-9802-7C930CE0A018} - http://85.255.113.214/1/gdnUS2296.exe
    O16 - DPF: {7F640192-87E4-2518-C5DF-052B53F66F8E} - http://85.255.113.214/1/gdnUS2296.exe
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete the below folders if they exist:
    C:\Program Files\Common Files\Symantec Shared
    C:\Program Files\mcafee
    C:\Program Files\Microsoft AntiSpyware
    C:\Program Files\Microsoft Windows OneCare Live
    C:\Program Files\Norton Internet Security
    C:\Program Files\Norton SystemWorks
    C:\Program Files\Webroot
    C:\Program Files\Common Files\Symantec Shared

    You can also delete the below file detected by BitDefender if you don't use WildTangent (and we don't recommend that you use it):
    C:\Program Files\Logitech\Resource Center\installers\wildtangent\blastrb2.exe

    Now run Ccleaner

    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
     
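The post above is essentially a manual triage of a HijackThis log: O4 Run entries whose executables no longer exist (orphans from botched uninstalls), O15 Trusted Zone additions, O16 Downloaded Program Files entries that all fetch an .exe from a bare IP address, and an O20 Winlogon Notify entry marked "(file missing)". The following is an added example, not code from the thread or from HijackThis itself: a small Python parser that applies those same checks to HJT-style lines. The sample lines are copied from the entries quoted in the post; the set of files assumed to be present on disk is a constructed assumption so the example runs offline (a real run would use the default os.path.exists).

```python
import ipaddress
import os
import re
from urllib.parse import urlparse

# Constructed sample: five HijackThis-style lines taken from the post above,
# plus the QuickTime entry, which we will treat as a still-installed program.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O15 - Trusted Zone: *.carmls.com
O16 - DPF: {0806E114-B920-6E11-3B72-65460DEFA272} - http://85.255.113.214/1/gdnUS2296.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""

# Assumption for the offline example: only QuickTime is still on disk.
PRESENT_FILES = {r"c:\program files\quicktime\qttask.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<url>\S+)")
# Executable path: optional leading quote, then the shortest run ending in .exe.
# This also copes with unquoted paths containing spaces (OrderReminder.exe above).
EXE_RE = re.compile(r'^"?(?P<path>.+?\.exe)', re.IGNORECASE)


def exe_from_command(cmd):
    """Return the executable path from an O4 command line, or None."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(lines, exists=os.path.exists):
    """Return a list of (section, reason, line) for entries worth a look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            path = exe_from_command(m.group("cmd"))
            if path is None:
                findings.append(("O4", "could not parse executable path", line))
            elif not exists(path):
                # The post's main point: startups for software that was never
                # uninstalled cleanly, each one an error at boot.
                findings.append(("O4", "startup points at a missing file", line))
            continue
        m = O15_RE.match(line)
        if m:
            # Trusted Zone entries relax IE security for that host; they are
            # legitimate only if the user added them on purpose.
            findings.append(("O15", "Trusted Zone widened for " + m.group("host"), line))
            continue
        m = O16_RE.match(line)
        if m:
            url = urlparse(m.group("url"))
            reasons = []
            if is_bare_ip(url.hostname or ""):
                reasons.append("ActiveX download from a bare IP address")
            if url.path.lower().endswith(".exe"):
                reasons.append("DPF entry fetches an .exe rather than a .cab/.ocx")
            if reasons:
                findings.append(("O16", "; ".join(reasons), line))
            continue
        if "(file missing)" in line:
            # HJT's own marker: a registered module whose DLL is gone.
            findings.append((line.split(" - ")[0], "registered module is missing", line))
    return findings


def triage_sample():
    return triage(SAMPLE_HJT_LINES.splitlines(),
                  exists=lambda p: p.lower() in PRESENT_FILES)


if __name__ == "__main__":
    for section, reason, line in triage_sample():
        print(f"{section:4} {reason}\n     {line}")
```

With the sample input this flags the Symantec O4 entry, the O15 entry, the O16 entry (both for the bare-IP host and for the .exe payload) and the O20 entry, and leaves the QuickTime startup alone. The O16 heuristic deliberately says only that the entry deserves review; whether a given download is malicious is for the specialist, as in the thread.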
  6. hairball69

    hairball69 Private E-2

    Thanks Chaslang for your help. :wave

    When I deleted the SymWSC it did give me an error. It said I couldn't delete it but I moved forward anyway.

    The eBay toolbar I do use, but I keep deleting it when I run A-squared. I can delete it if I need to.

    I believe I deleted everything else you said too.

    I think the virus I have is in the Logitech file somewhere.

    Attached are the logs you requested.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you need it, why are you letting A-squared delete it?

    Not really a virus, but didn't you read what I posted in message number 5? I'll repeat it here:
    I asked you to uninstall Norton WMI Update. I still see it. Did it not show in Add/Remove programs?

    You should also uninstall LiveUpdate 2.6 (Symantec Corporation) since I don't believe you have anything from Symantec still installed.

    You do not have an antivirus program installed. Why not? Why were there so many left overs from previous antivirus applications having been uninstalled?

    You also do not have a software firewall or a realtime antispyware blocking tool installed.


    Your logs are clean. Are you still having any malware problems?
     
