Web User Forums > Security > HijackThis logs help and analysis

#1  05-09-05, 14:34  blessa
Please check this log.

I hope someone wants to take a look at this log. What I know is that I have searcweb2 and ads1revenue (or whatever it's called..).

A friend of mine thinks I have a trojan horse on my computer... I hope not!

Logfile of HijackThis v1.99.1
Scan saved at 15:28:35, on 05.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Fellesfiler\New Boundary\PrismXL\PRISMXL.SYS
C:\Programfiler\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Digital Media Reader\shwiconem.exe
C:\Programfiler\filer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Internet Explorer\iexplore.exe
c:\progra~2\intern~1\iexplore.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\Config2500.exe
C:\Programfiler\Wireless LAN Utility\SiWake.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Programfiler\MSN Messenger\msnmsgr.exe
C:\Programfiler\Wireless LAN Utility\SiSCFG.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.esnwrkjicdqrmxrccsoxneqwu.inf...A9Bez5PcPdc.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://blessa.proboards29.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {592275AD-16A8-CB70-2397-87B7A0205E60} - C:\DOCUME~1\ANDREA~1\PROGRA~1\DaleLog\once grim.exe
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.4000.1001\no\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Programfiler\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\filer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Gnetmous] C:\Programfiler\KYE\Genius Wireless Optical Mouse\gnetmous.exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~2\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~2\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Msn Configuration Loader] msngms.exe
O4 - HKLM\..\Run: [BITS DUPE PING BOWS] C:\Documents and Settings\All Users\Programdata\cdrom software bits dupe\oncechic.exe
O4 - HKLM\..\RunServices: [Msn Configuration Loader] msngms.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Jump Mix] C:\DOCUME~1\ANDREA~1\PROGRA~1\OBJLIC~1\Window mfcd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Msn Configuration Loader] msngms.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Config2500.lnk = C:\WINDOWS\system32\Config2500.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SiWake.lnk = C:\Programfiler\Wireless LAN Utility\SiWake.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkCnv.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O16 - DPF: {EDAF796E-9210-4417-ADDC-2AB18E4F6C27} (Hjemmeside.KvikFoto) - http://www.123hjemmeside.dk/builder/pages/KvikFoto.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Programfiler\Fellesfiler\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~2\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
#2  05-09-05, 22:53  John_McKenna (Global Moderator)
Re: Please check this log.

Hi blessa and welcome to Webuser.

You have two problems here: the Kelvir worm, which probably arrived via MSN Messenger, and a Lop adware/hijacker, which is commonly bundled with a program called Messenger Plus (which I'm presuming you've since removed).

We'll deal with the Kelvir worm first.

Download the KELVIR REMOVAL TOOL.

Close all the running programs and disconnect the computer from the internet.
- Double-click the FxKelvir.exe file to start the removal tool.
- Click Start to begin the process, and then allow the tool to run.
- Restart the computer.
- Run the removal tool again to ensure that the system is clean.
- Reboot and post a fresh HJT log in this thread please.

** Please also confirm whether you've uninstalled Messenger Plus recently, and how many user accounts this machine has.

** I'd also like you to run the file below through Jotti's Malware Scan. Just paste the entire filepath into the Submit box at the top and paste the results back here please.

C:\WINDOWS\system32\Config2500.exe
#3  07-09-05, 14:11  blessa
Re: Please check this log.

The Kelvir worm was removed successfully.

** I uninstalled Messenger Plus a long time ago. I have just 1 user account on this computer.

This is the result of HJT:

Logfile of HijackThis v1.99.1
Scan saved at 15:04:00, on 07.09.2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTSvcCDA.EXE
C:\Programfiler\Fellesfiler\Microsoft Shared\VS7Debug\mdm.exe
C:\Programfiler\Norton AntiVirus\navapsvc.exe
C:\Programfiler\Fellesfiler\New Boundary\PrismXL\PRISMXL.SYS
C:\Programfiler\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Programfiler\Digital Media Reader\shwiconem.exe
C:\Programfiler\filer\CyberLink\PowerDVD\PDVDServ.exe
C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Messenger\msmsgs.exe
C:\Programfiler\Skype\Phone\Skype.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\system32\Config2500.exe
C:\Programfiler\Wireless LAN Utility\SiWake.exe
C:\Programfiler\Internet Explorer\iexplore.exe
c:\progra~2\intern~1\iexplore.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.esnwrkjicdqrmxrccsoxneqwu.inf...A9Bez5PcPdc.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {592275AD-16A8-CB70-2397-87B7A0205E60} - C:\DOCUME~1\ANDREA~1\PROGRA~1\DaleLog\once grim.exe
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programfiler\MSN Apps\MSN Toolbar\01.02.4000.1001\no\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [ShowWnd] ShowWnd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Programfiler\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programfiler\filer\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Programfiler\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Gnetmous] C:\Programfiler\KYE\Genius Wireless Optical Mouse\gnetmous.exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~2\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~2\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [BITS DUPE PING BOWS] C:\Documents and Settings\All Users\Programdata\cdrom software bits dupe\oncechic.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Jump Mix] C:\DOCUME~1\ANDREA~1\PROGRA~1\OBJLIC~1\Window mfcd.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Programfiler\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Config2500.lnk = C:\WINDOWS\system32\Config2500.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SiWake.lnk = C:\Programfiler\Wireless LAN Utility\SiWake.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programfiler\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E2D6932-3885-4FA2-8DD4-DB63FFE33797} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.co...p/PhtPkCnv.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab
O16 - DPF: {EDAF796E-9210-4417-ADDC-2AB18E4F6C27} (Hjemmeside.KvikFoto) - http://www.123hjemmeside.dk/builder/pages/KvikFoto.CAB
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSvcCDA.EXE
O23 - Service: Norton AntiVirus Auto-Protect-tjeneste (navapsvc) - Symantec Corporation - C:\Programfiler\Norton AntiVirus\navapsvc.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Programfiler\Fellesfiler\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~2\FELLES~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programfiler\Fellesfiler\Symantec Shared\Security Center\SymWSC.exe

This is the result of Jotti's Malware Scan:

File: Config2500.exe
Status: OK
MD5 7f07f863ed9e881fc7fb1ddae9aa907a
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
#4  07-09-05, 14:14  blessa
Re: Please check this log.

I just looked through the HJT log and saw something with "azesearch". It's quite annoying. I want it removed! I have never installed it, it came on its own.

And by the way: What is Bigfix?
#5  07-09-05, 18:56  John_McKenna (Global Moderator)
Re: Please check this log.

BigFix can automatically download and read technical support information provided by computer and software manufacturers and other technical support experts (published in the form of Fixlet® Messages) and can automatically check your computer for bugs, configuration conflicts, and security holes. It should only be started manually as it's a resource hog.


Step 1

Configure Windows to Show all hidden files & folders and ensure you're familiar with rebooting into Safe Mode.

Download & install Cleanup! from here.

Download the Lop uninstaller from here to your desktop.
(if your anti-virus detects trojan swizzor, please ignore it and download regardless, it is not harmful!)

Copy the below steps to notepad, close Internet Explorer and disconnect from the internet.



Step 2

Run HJT again and checkmark the boxes next to the following:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.esnwrkjicdqrmxrccsoxneqwu...9Bez5PcPdc.asp
O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)
O2 - BHO: (no name) - {592275AD-16A8-CB70-2397-87B7A0205E60} - C:\DOCUME~1\ANDREA~1\PROGRA~1\DaleLog\once grim.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~2\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [BITS DUPE PING BOWS] C:\Documents and Settings\All Users\Programdata\cdrom software bits dupe\oncechic.exe
O4 - HKCU\..\Run: [Jump Mix] C:\DOCUME~1\ANDREA~1\PROGRA~1\OBJLIC~1\Window mfcd.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab

Close ALL OPEN WINDOWS/BROWSERS and click Fix Checked


Step 3

Start CleanUp! and do the following:

Click the Options button.
Make sure only the following are checked:
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files (XP only)
- Scan local drives for temporary files
- Cleanup! All Users
Click the Ok button to close the Options dialog.
Click the CleanUp! button to begin cleaning. It may take a while depending on the size of the hard drive so be patient.
When it has finished, close CleanUp! but decline to logoff when prompted.

Warning: Cleanup removes EVERYTHING in your temp/temporary folders. If you have any programs or saved work in them, please save it to another location before running Cleanup.


Step 4

Please now reboot into Safe Mode and delete the following folders in bold:

C:\Documents and Settings\ANDREA~1\PROGRA~1\OBJLIC~1\Window mfcd.exe
C:\Documents and Settings\ANDREA~1\PROGRA~1\DaleLog\once grim.exe
C:\PROGRAM FILES\DESKMATE\DeskMateAutoUpdate.exe
C:\Documents and Settings\All Users\Programdata\cdrom software bits dupe\oncechic.exe


Then run the Lop uninstaller.


Step 5

Reboot and run any of the following online virus scans (saving the scan report when complete):

Kaspersky Online
Panda ActiveScan
Trend Micro (Europe)


Step 6

Then post a fresh HJT log after rebooting along with the online scan results.

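John's diagnosis in post #2 and the list of entries to fix in Step 2 above both come from reading the raw HijackThis lines by eye. The script below is an added example for this thread, not code from the forum, from HijackThis or from anyone posting here: it parses lines in the HJT log format and applies a few triage heuristics of the kind a log reader applies in their head (a hook whose file is missing, a BHO registered as an .exe rather than a DLL, an autorun that runs from the user profile or uses a bare filename, and a start page or ActiveX download host that is not on an allowlist). The sample lines are copied from the logs posted in this thread; the allowlist and the heuristics are the editor's own assumptions, and the output is a list of candidates for a human to judge, not a verdict.

```python
import re
from urllib.parse import urlparse

# Every HijackThis entry starts with a section code such as R0, R1, O2, O4, O16.
SECTION_RE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.*)$")
# Body of a registry autorun entry: HKLM\..\Run: [Name] command
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Services)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# A command with a drive letter or an environment variable in front is fully qualified.
FULL_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z_]+%\\)')
# Directories an ordinary user can write to; legitimate autoruns and BHOs rarely live there.
USER_WRITABLE_RE = re.compile(r"\\(?:DOCUME~1|Documents and Settings|Programdata)\\", re.I)
URL_RE = re.compile(r"https?://\S+")


def host_of(text):
    """Hostname of the first URL in text, or None when the entry carries no URL."""
    m = URL_RE.search(text)
    return urlparse(m.group(0)).hostname if m else None


def analyse_entry(line, allowlist):
    """Parse one HJT line; return (section, flags) or None for non-entry lines."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    flags = []

    if "(file missing)" in body:
        flags.append("hook points at a missing file (stale or partly removed component)")

    if section in ("R0", "R1"):
        host = host_of(body)
        if host and host not in allowlist:
            flags.append(f"IE start/search page host {host} is not on the allowlist")
    elif section == "O2":
        # A BHO is a COM DLL; the last " - " field is the file it loads.
        path = body.rsplit(" - ", 1)[-1]
        if path.lower().endswith(".exe"):
            flags.append("BHO registered with an .exe instead of a DLL")
        if USER_WRITABLE_RE.search(path):
            flags.append("BHO loaded from a user-writable profile directory")
    elif section == "O4":
        run = RUN_RE.match(body)
        if run:
            cmd = run.group("cmd")
            if not FULL_PATH_RE.match(cmd):
                flags.append("autorun uses a bare filename resolved via the search path")
            if USER_WRITABLE_RE.search(cmd):
                flags.append("autorun from a user-writable profile directory")
    elif section == "O16":
        host = host_of(body)
        if host and host not in allowlist:
            flags.append(f"ActiveX download host {host} is not on the allowlist")
    return section, flags


def analyse_log(lines, allowlist):
    """Return (section, line, flags) for every entry that raised at least one flag."""
    findings = []
    for line in lines:
        result = analyse_entry(line, allowlist)
        if result and result[1]:
            findings.append((result[0], line.strip(), result[1]))
    return findings


# Constructed allowlist for this machine (the user's own start page is Norwegian Google).
ALLOWLIST = {"www.google.no", "messenger.zone.msn.com", "spaces.msn.com", "messenger.msn.com"}

# Sample lines copied from the logs posted in this thread.
SAMPLE_LOG = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.esnwrkjicdqrmxrccsoxneqwu...9Bez5PcPdc.asp",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/",
    r"O2 - BHO: AzEntretien Class - {0d2def3a-f4f1-42ec-ac4f-132e7ba6e292} - %SystemRoot%\azentretien.dll (file missing)",
    r"O2 - BHO: (no name) - {592275AD-16A8-CB70-2397-87B7A0205E60} - C:\DOCUME~1\ANDREA~1\PROGRA~1\DaleLog\once grim.exe",
    r"O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programfiler\Norton AntiVirus\NavShExt.dll",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Programfiler\Fellesfiler\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [CHotkey] zHotkey.exe",  # known-good keyboard utility, still surfaced
    r"O4 - HKLM\..\Run: [Msn Configuration Loader] msngms.exe",
    r"O4 - HKLM\..\Run: [BITS DUPE PING BOWS] C:\Documents and Settings\All Users\Programdata\cdrom software bits dupe\oncechic.exe",
    r"O4 - HKCU\..\Run: [Jump Mix] C:\DOCUME~1\ANDREA~1\PROGRA~1\OBJLIC~1\Window mfcd.exe",
    r"O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe",
    r"O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab",
    r"O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} - http://www.azebar.com/install/azesearch.cab",
    r"O23 - Service: SAVScan - Symantec Corporation - C:\Programfiler\Norton AntiVirus\SAVScan.exe",
]

if __name__ == "__main__":
    for section, line, flags in analyse_log(SAMPLE_LOG, ALLOWLIST):
        print(section, line)
        for flag in flags:
            print("   ->", flag)
```

Run over the sample, analyse_log surfaces the Kelvir autorun (msngms.exe), the Lop entries under the user profile, the azebar ActiveX download and the hijacked search bar, which are the same entries John asked to have fixed. It also surfaces zHotkey.exe, a keyboard utility that simply happens to be registered without a path, which is why the result is a triage list for a person to judge rather than a fix list; the allowlist has to be adjusted to the machine (here google.no was added because it is the user's own start page).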
#6  08-09-05, 20:01  blessa
Re: Please check this log.

I think I've got some problems here..

I did steps 1-3 and began on step 4. I started the computer in Safe Mode, and then the problem started. My computer wouldn't let me delete this file:
C:\PROGRAM FILES\DESKMATE\DeskMateAutoUpdate.exe

Still in Safe Mode I needed to run the Lop uninstaller, but I couldn't see the numbers... What should I do now? I can see the numbers in Normal Mode. But I haven't run the Lop uninstaller yet, 'cause I wanted to know if it was so important to delete this file above? Or should I just keep on doing the steps?

After I deleted the files I could delete, I saw that some of the icons on the desktop(?) have disappeared. It was the icons that were annoying me, icons like "Free mobile ringtones", "Play poker online" etc. The annoying toolbar has also disappeared.
#7  08-09-05, 22:32  John_McKenna (Global Moderator)
Re: Please check this log.

Run the Lop uninstaller in normal mode please.

Reboot and post a fresh log.

Please also post a HijackThis Uninstall list.

To do this:

Open HijackThis
Click 'Config' (bottom right)
Click 'Misc Tools'
Click 'Open Uninstall Manager'
A list of the entries in Add/remove programs will appear.
Click on Save List...
The list will be saved as 'Uninstall_list.txt'
Copy & Paste the contents in your next reply.
#8  10-09-05, 11:31  blessa
Re: Please check this log.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, September 10, 2005 11:59:16
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 10/09/2005
Kaspersky Anti-Virus database records: 139658
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\ANDREA~1\LOKALE~1\Temp\

Scan Statistics:
Total number of scanned objects: 17309
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 38603 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.


802.11b USB Wireless LAN Adapter
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Reader 6.0.1 - Norsk
BearShare
BigFix
BitLord 1.1
CC_ccStart
ccCommon
CleanUp!
Creative MediaSource
Creative WebCam Center
Creative WebCam Instant Driver (1.00.08.0416)
Creative WebCam Instant User's Guide (English)
Digital Media Reader
Eye Candy 4000
Genius Wireless Optical Mouse
HijackThis 1.99.1
ImageMixer VCD2
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Adapters and Drivers
J2SE Runtime Environment 5.0 Update 2
Jasc Paint Shop Pro 8
Java 2 Runtime Environment, SE v1.4.2_05
Kaspersky On-line Scanner
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Macromedia Flash Player
Macromedia Shockwave Player
Media Library Management Wizard
Microsoft .NET Framework 1.1
Microsoft FrontPage 2002
Microsoft Office 2003 Web Components
Microsoft Office Professional Edition 2003
Microsoft Office XP Web Components
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
MSN Messenger 7.5
MSN-verktøylinjen
MSRedist
Multimedia Keyboard Driver
Nero BurnRights
Nero OEM
NOMAD MuVo TX
Norton AntiVirus 2004
Norton AntiVirus 2004 (Symantec Corporation)
Norton AntiVirus Parent MSI
Norton WMI Update
Oppdatering for Windows XP (KB894391)
Oppdatering for Windows XP (KB896727)
Oppdatering for Windows XP (KB898461)
Personal License Update Wizard for Windows Media Player
Plus! MP3 Audio Converter LE
PowerDVD
Sikkerhetsoppdatering for Windows XP (KB883939)
Sikkerhetsoppdatering for Windows XP (KB890046)
Sikkerhetsoppdatering for Windows XP (KB893756)
Sikkerhetsoppdatering for Windows XP (KB896358)
Sikkerhetsoppdatering for Windows XP (KB896422)
Sikkerhetsoppdatering for Windows XP (KB896423)
Sikkerhetsoppdatering for Windows XP (KB896428)
Sikkerhetsoppdatering for Windows XP (KB899587)
Sikkerhetsoppdatering for Windows XP (KB899588)
Sikkerhetsoppdatering for Windows XP (KB899591)
Sikkerhetsoppdatering for Windows XP (KB901214)
Sikkerhetsoppdatering for Windows XP (KB903235)
Skype 1.3
Sony USB Driver
Spybot - Search & Destroy 1.4
Symantec Script Blocking Installer
SymNet
ToolbarCounter
Webshots Desktop
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Bonus Pack for Windows XP
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP hurtigreparasjon - KB867282
Windows XP hurtigreparasjon - KB873333
Windows XP hurtigreparasjon - KB873339
Windows XP hurtigreparasjon - KB885250
Windows XP hurtigreparasjon - KB885835
Windows XP hurtigreparasjon - KB885836
Windows XP hurtigreparasjon - KB885884
Windows XP hurtigreparasjon - KB886185
Windows XP hurtigreparasjon - KB887472
Windows XP hurtigreparasjon - KB887742
Windows XP hurtigreparasjon - KB888113
Windows XP hurtigreparasjon - KB888302
Windows XP hurtigreparasjon - KB890047
Windows XP hurtigreparasjon - KB890175
Windows XP hurtigreparasjon - KB890859
Windows XP hurtigreparasjon - KB890923
Windows XP hurtigreparasjon - KB891781
Windows XP hurtigreparasjon - KB893066
Windows XP hurtigreparasjon - KB893086
Wireless LAN Card
Wireless LAN Utility
#9  10-09-05, 12:37  John_McKenna (Global Moderator)
Re: Please check this log.

I recommend you uninstall Bearshare if it's the free version as it contains spyware.

See HERE for clean alternatives.

Can you post a new HJT log please?
#10  11-09-05, 14:56  blessa
Re: Please check this log.

Which downloading program should I use then? I've always used BearShare. And I need a downloading program. I want a free one.

I also have BitLord. But I need some help to understand it. This isn't the right forum to ask about that kind of help, I guess.
© Copyright IPC Media Limited 2009, All rights reserved