Member Avatar for c21werner

Re: Pop-up "Windows Security Center"

--------------------------------------------------------------------------Have been getting a Windows Pop Up With Windows Security Center on the title area. Since then have been having troubles with IE v.6
I have updated Ad-aware, Spybot, HiJack This, AVG, Norton AntiVirus and Spyware Blaster and ran scans on all, all find something and remove something but none of them remove the problem. I have also removed all temp files from Safe Mode.
What happens is that I will try to go into Internet Explorer, my page will be set to about:blank, so I go into Tools, Options and change the main page to Google. I then logout, go back in and my page will be back to about blank. If I change the page from the properties portion from the desktop, I can get to google for the first time, but ALWAYS get a pop up of some sort for Spyware/Adware removal. This time it was for NoAdware.net. Also, when I type in the Address Bar to go to www.yahoo.com I get res://vftpf.dll/http_404.htm
Please help!

Logfile of HijackThis v1.99.1
Scan saved at 1:45:23 PM, on 6/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\iprj32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\atlhm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vftpf.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vftpf.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vftpf.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vftpf.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vftpf.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vftpf.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vftpf.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: Class - {16BD821E-5751-423E-4850-6CC5D07FECD8} - C:\WINDOWS\winds32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\SynTPEnh.exe
O4 - HKLM\..\Run: [iprj32.exe] C:\WINDOWS\system32\iprj32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3498C972-FC11-11D2-A05D-00A0C90DC755} (FarPoint TabPro) - https://crestedg.century21.com/cgi-bin/Tab32x30.ocx
O16 - DPF: {961064F8-5135-11D5-A69D-00C04FAC63A2} (EDGReportControl.UserControl1) - https://crestedg.century21.com/cgi-bin/EDGReportControl.cab
O16 - DPF: {B02F3641-766B-11CE-AF28-C3A2FBE76A13} (FarPoint Spreadsheet Control) - https://crestedg.century21.com/cgi-bin/ss32x25.ocx
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {ECDEDB7F-BFD2-4010-9502-D300C3DDCD54} (SystemChecker.CheckerCtrl) - http://scwmls.fnismls.com/Paragon/Codebase/SystemChecker.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atlhm.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

  • 3 Contributors
  • 4 Replies
  • 265 Views
  • 1 Year Discussion Span
  • Latest Post Latest Post by amp

Recommended Answers

All 4 Replies

Member Avatar for dlh6213

Hi c21werner, welcome to DaniWeb :D

Start with this --

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Update your anitvirus program and run a full system scan.

Run a at least two of these free online anti-virus/anti-spyware scans and have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

Download, install, update, and run these tools:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
PurityScan uninstaller -- http://www.purityscan.com/uninstall.html

Download Ewido Security Suite -- http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.
From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/
Note -- When you run Ewido for the first time, you will get the warning Database could not be found!, click OK when you do.

Reboot into Safe Mode (reboot your computer and tap the F8 key while it's starting back up).

Run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Empty your Recycle Bin and reboot normally.

Close any open browser windows, scan with hijackthis, and post a new log along with the Ewido log.

Member Avatar for c21werner

Well I wish I had good news, it looked like it was finding and removing a lot, but I am still having the same issues :cry:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------


+ Created on:           1:36:10 AM, 6/16/2005
+ Report-Checksum:      BCECAD40


+ Scan result:


HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch
C:\WINDOWS\adtct.txt:szxzqm -> Spyware.SearchPage
C:\WINDOWS\Bti.ini:qqcdkm -> TrojanDownloader.Agent.bq
C:\WINDOWS\bundles\bs5-vwqouc.exe -> Spyware.BookedSpace.c
C:\WINDOWS\CEEHFGMK.ini:shmzqf -> TrojanDownloader.Agent.bq
C:\WINDOWS\DESKTOP.INI:vwekyo -> Trojan.Agent.bi
C:\WINDOWS\Majvkgc.zip:skvdjj -> Spyware.SearchPage
C:\WINDOWS\Majvkgc.zip:urbeno -> Trojan.Agent.bi
C:\WINDOWS\netwn32.dll -> TrojanDownloader.Agent.bc
C:\WINDOWS\OEWABLog.txt:iqebw -> TrojanDownloader.Agent.bq
C:\WINDOWS\OEWABLog.txt:xlmhkh -> TrojanDownloader.Agent.bq
C:\WINDOWS\orun32.ini:envmca -> Trojan.Agent.bi
C:\WINDOWS\qkgnl.txt:answlb -> Trojan.Agent.bi
C:\WINDOWS\qwogb.txt:tokjnl -> TrojanDownloader.Agent.bq
C:\WINDOWS\ricdb.ini:gbuqpt -> Trojan.Agent.bi
C:\WINDOWS\SETPWRCG.EXE_:astedf -> Trojan.Agent.bi
C:\WINDOWS\sndp202.src:zassha -> TrojanDownloader.Agent.bq
C:\WINDOWS\SYSTEM32\addxm32.dll -> TrojanDownloader.Agent.bc
C:\WINDOWS\SYSTEM32\appxh.dll -> TrojanDownloader.Agent.bc
C:\WINDOWS\SYSTEM32\gojkm.dll -> Spyware.SearchPage
C:\WINDOWS\ubfnl.txt:sabzne -> TrojanDownloader.Agent.ap
C:\WINDOWS\VB.INI:wwraxl -> Trojan.Agent.bi
C:\WINDOWS\vtour.ini:cdknd -> TrojanDownloader.Agent.ap
C:\WINDOWS\Wbmanage.hlp:jcmjcs -> Trojan.Agent.bi
C:\WINDOWS\wininit.ini_:wfdqqi -> Trojan.Agent.bi
C:\WINDOWS\_DEFAULT.PIF:fkxzhw -> TrojanDownloader.Agent.ap
C:\WINDOWS\_DEFAULT.PIF:gahoak -> Spyware.SearchPage
C:\WINDOWS\_DEFAULT.PIF:heiwqr -> Trojan.Agent.bi
C:\WINDOWS\_DEFAULT.PIF:kltjhs -> TrojanDownloader.Agent.ap
C:\WINDOWS\_DEFAULT.PIF:rzrani -> Spyware.SearchPage
C:\WINDOWS\_DEFAULT.PIF:xcmssp -> Trojan.Agent.bi
C:\Documents and Settings\c ant\Cookies\c [email]ant@ads.pointroll[1].txt[/email] -> Spyware.Cookie.Pointroll
C:\Documents and Settings\c ant\Cookies\c [email]ant@adtech[2].txt[/email] -> Spyware.Cookie.Adtech
C:\Documents and Settings\c ant\Cookies\c [email]ant@atdmt[2].txt[/email] -> Spyware.Cookie.Atdmt
C:\Documents and Settings\c ant\Cookies\c [email]ant@mediaplex[1].txt[/email] -> Spyware.Cookie.Mediaplex
C:\Documents and Settings\c ant\Cookies\c [email]ant@rotator.adjuggler[1].txt[/email] -> Spyware.Cookie.Adjuggler
C:\Documents and Settings\c ant\Cookies\c [email]ant@servedby.netshelter[1].txt[/email] -> Spyware.Cookie.Netshelter
C:\Documents and Settings\c ant\Cookies\c [email]ant@statse.webtrendslive[1].txt[/email] -> Spyware.Cookie.Webtrendslive
C:\Documents and Settings\c ant\Cookies\c [email]ant@tribalfusion[1].txt[/email] -> Spyware.Cookie.Tribalfusion
C:\Documents and Settings\c ant\Cookies\c [email]ant@wdcs.trendmicro[1].txt[/email] -> Spyware.Cookie.Trendmicro
C:\Documents and Settings\c ant\Cookies\c [email]ant@www.smarttargetting[1].txt[/email] -> Spyware.Cookie.Smarttargetting



::Report End


Logfile of HijackThis v1.99.1
Scan saved at 1:40:03 AM, on 6/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\crov32.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\c ant\Desktop\Virus.Adware Tools\HijackThis.exe
C:\Documents and Settings\c ant\Desktop\Virus.Adware Tools\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {16BD821E-5751-423E-4850-6CC5D07FECD8} - C:\WINDOWS\winds32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\SynTPEnh.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [crov32.exe] C:\WINDOWS\system32\crov32.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://C:\PROGRA~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {3498C972-FC11-11D2-A05D-00A0C90DC755} (FarPoint TabPro) - https://crestedg.century21.com/cgi-bin/Tab32x30.ocx
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {961064F8-5135-11D5-A69D-00C04FAC63A2} (EDGReportControl.UserControl1) - https://crestedg.century21.com/cgi-bin/EDGReportControl.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {B02F3641-766B-11CE-AF28-C3A2FBE76A13} (FarPoint Spreadsheet Control) - https://crestedg.century21.com/cgi-bin/ss32x25.ocx
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {ECDEDB7F-BFD2-4010-9502-D300C3DDCD54} (SystemChecker.CheckerCtrl) - http://scwmls.fnismls.com/Paragon/Codebase/SystemChecker.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4514/mcfscan.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Edited by Nick Evan because: Fixed formatting
Member Avatar for dlh6213

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).


Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {16BD821E-5751-423E-4850-6CC5D07FECD8} - C:\WINDOWS\winds32.dll
O4 - HKLM\..\Run: [crov32.exe] C:\WINDOWS\system32\crov32.exe

Close any open windows, other then hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted files:

C:\WINDOWS\winds32.dll
C:\WINDOWS\system32\jsass.dll
C:\WINDOWS\system32\crov32.exe

Note: If any cannot be deleted, try booting into Safe Mode first.

Empty your Recycle Bin, reboot, close any open browser windows, scan with hijackthis, and post a new log please.

Member Avatar for amp

Don't know if this will work for u.

I got this spyware today too and I tried all the stuff that is explained above but didn't work. In the end, I checked my add/remove programs and found something weird : Internet Explorer Security Update 2006 or something like that. After I removed it, there was no more Security Centre bar in my internet explorer. I checked the add/remove programs again and removed some "security update" thingy just below the one I described above. That ended one of the annoyances too which I forgot. The last one is "Windows power messenger ver 2.23" or something like that. That ended all my trouble.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.