
hi everyone-
about 2 months ago i had a problem with surfsidekick 3 and new dot net and a bunch of other nastygrams.. i got rid of everything and even went ahead and purchased spysweeper. it seemed great for about 2 weeks and now nearly every day my computer locks up, i reboot it, and EVERY TIME i reboot something pops up. lately it's been girls.exe in my root directory.
i don't know what to do to get rid of everything and prevent this from happening. i don't click on spam or ads, i don't leave my computer running with the internet connected, i use firefox not ie, i don't even use p2p software... i'm so confused.

i did a kaspersky scan and the only two files that come up in c:\winnt are not there when i go to delete them (one is devldrv.exe, listed in the HJT log). i went through my control panel and set it to view hidden files and they still don't show up... that's the only lead i have.

anyhow, here's my hijack this log in case anyone sees anything fishy. please give me some advice!
thanks!

Logfile of HijackThis v1.99.1
Scan saved at 2:57:07 AM, on 5/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\devldr32.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\explorer.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,winusmx.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\mdidlpm.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Microsoft Windows Driver Service (Windows Driver Service) - Unknown owner - C:\WINNT\devldr32.exe

Last Post by DMR

Hi, please run HJT again, and check off the following items


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,winusmx.exe

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

O20 - Winlogon Notify: URL - C:\WINNT\system32\mdidlpm.dll (file missing)

O23 - Service: Microsoft Windows Driver Service (Windows Driver Service) - Unknown owner - C:\WINNT\devldr32.exe



**Read here about devldr32.exe. Because you said it seems to be the problem, I think it may be the virus form of it, though it can be a legit sound card driver.**

Click Fix Checked.

___________________________________________________

We need to remove a NT Service

Do the following:

Start -> Run
*type services.msc
*click OK
The Services Management Console opens - do the following:

*Click the Extended tab.
*Scroll down until you find Microsoft Windows Driver Service (Windows Driver Service)
*Click on the service to highlight it.
*Click Stop
*Right-Click on Microsoft Windows Driver Service (Windows Driver Service) .
*Click on 'Properties'
*Select the 'General' tab
*Click the down-arrow on the right-hand side on the 'Start-up Type' box
*From the drop-down menu, select ' Disabled'
*Click the 'Apply' tab
*Click 'OK'
Now:
*Open HJT
*Click on Config>>Misc Tools>>Delete an NT Service
*Type Microsoft Windows Driver Service (Windows Driver Service) in the space provided and click 'OK'.
*The program will ask you to REBOOT --- Accept
*Attach another HijackThis log
___________________________________________________

Please download ewido anti-malware it is a free version of the program.

  1. Install ewido anti-malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful" )

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

  • Open up Ewido
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
  • Close ewido anti-malware.

Reboot.

____________________________________________________

Follow instructions here now. To remove Qoologic.

http://forums.majorgeeks.com/showthread.php?t=74268

_____________________________________________________

Post a new HJT log, and the ewido log
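As an added example (not code from the thread and not part of HijackThis), the script below re-derives the entries tayspen asked to have fixed from the raw log text alone. The rules and the excerpted sample log are constructed for this example; the R1 home-page line is deliberately left alone because DMR later points out it belongs to the ISP.

```python
"""Triage a HijackThis v1.99 log for the signals tayspen acted on.

Added example; not part of the thread and not HijackThis code.  The
rules are constructed for this example and encode the reason behind
each checked entry: an extra executable appended to UserInit (F2), a
removed URLSearchHook (R3), an O16 DPF control with no download URL,
an O20 Winlogon Notify DLL that is missing on disk, and an O23 service
with "Unknown owner" whose binary sits outside System32 or Program
Files.
"""
import re

# Lines excerpted from the first HJT log in the thread, with benign
# neighbours kept so the filter can be seen leaving them alone.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\SYSTEM32\Userinit.exe,winusmx.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\mdidlpm.dll (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Microsoft Windows Driver Service (Windows Driver Service) - Unknown owner - C:\WINNT\devldr32.exe
"""

ENTRY = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
TRUSTED_DIRS = ("\\system32\\", "\\program files\\")


def triage_line(line):
    """Return a short reason if the entry looks suspicious, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if sec == "F2" and "UserInit=" in body:
        # UserInit should name only userinit.exe; every extra comma-separated
        # program runs at each logon, which is how winusmx.exe persisted.
        progs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",")]
        extra = [p for p in progs if p and not p.lower().endswith("userinit.exe")]
        if extra:
            return "extra program in UserInit: " + ", ".join(extra)
    if sec == "R3" and "URLSearchHook is missing" in body:
        return "default URLSearchHook removed"
    if sec == "O16" and body.rstrip().endswith("-"):
        # A Downloaded Program Files entry normally ends with the .cab URL.
        return "DPF control with no download URL"
    if sec == "O20" and "(file missing)" in body:
        return "Winlogon Notify DLL missing from disk"
    if sec == "O23" and "Unknown owner" in body:
        path = body.rsplit(" - ", 1)[-1].strip()
        if not any(d in path.lower() for d in TRUSTED_DIRS):
            return "unknown-owner service outside System32: " + path
        return "service with unknown owner"
    return None


def triage(log_text):
    """Return (line, reason) pairs for every suspicious entry in the log."""
    hits = []
    for line in log_text.strip().splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line, reason))
    return hits


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```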


okay here's the first pre-ewido hijack this log.. i clicked on fix the insightbb.com thing (the first r1):

Logfile of HijackThis v1.99.1
Scan saved at 11:20:24 PM, on 5/23/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

ewido and 2nd HJT to follow.
thanks for the help!


That's good so far (don't worry about the insightbb entries; they're related to your ISP). Please follow through with the rest of tayspen's instructions and then post the ewido log and new HJT log after that.


okay here's ewido and here's HJT:

---------------------------------------------------------
 ewido anti-malware - Scan report
---------------------------------------------------------

 + Created on:          11:53:09 PM, 5/23/2006
 + Report-Checksum:     1DCE5626

 + Scan result:

    C:\Documents and Settings\Default User\Cookies\system@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.19:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.20:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.21:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.22:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.23:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.24:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.25:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.26:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.27:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Adjuggler : Cleaned with backup
    :mozilla.28:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.29:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.30:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.31:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
    :mozilla.94:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Overture : Cleaned with backup
    :mozilla.104:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.105:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.106:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
    :mozilla.135:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.136:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.137:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
    :mozilla.162:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.163:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.170:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
    :mozilla.180:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
    :mozilla.194:C:\Documents and Settings\Jooster\Application Data\Mozilla\Firefox\Profiles\5yk27elu.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup


::Report End

and hjt:

Logfile of HijackThis v1.99.1
Scan saved at 3:19:23 AM, on 5/24/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\WINNT\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insight Broadband
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\Dudez\ProtoWall\ProtoWall.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

with the three fixes i ran from that link, i only ended up deleting two files... am i wrong in thinking the dates on files are a giveaway? like if something that spyware programs like ewido or spysweeper find was "created on" any date in may 2006 i think it must be bogus and delete it. but if it was "created on" any date like 02/1999 i think it's legit? is that dumb?

anyhow thanks again.


am i wrong in thinking the dates on files are a giveaway?...

Dates can be a clue, but you shouldn't go by that alone. The operating system and your programs will create or modify different files as part of their normal operation, so the fact that a file was modified/created on a date that you didn't manipulate any files isn't an absolute indication that the file is malware-related.

Some other factors that can help you determine whether a file is malicious or not:

* The exact time of creation/modification. If you find a clump of files whose timestamps (as well as datestamps) are identical or very close, chances are good that the files were created/modified by the same process.

* No identifying information (version #, company name, etc.) in a file's properties pages. Such "anonymous" files are always worth looking into.

* Random or "garbage" filenames. For instance, common sense should indicate that a file named "11Fßä#·ºÄÖ`I" just might be malicious.

* Files whose names are almost identical to normal/legit files: scvhost.exe instead of svchost.exe, for example.
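The four signals DMR lists above, turned into a small checker as an added example (not from the thread). The file records, timestamps and the set of well-known binary names are constructed for the example; on a real machine the same fields would come from the file system and each file's version resource.

```python
"""Score a directory listing on the signals DMR describes.

Added example, constructed for illustration: a burst of files created
within seconds of each other, executables with no company/version
information, names containing "garbage" characters, and names one or
two edits away from a well-known Windows binary (scvhost.exe for
svchost.exe).  Nothing here is from the thread or from any product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Names a lookalike would try to imitate (assumed list for the example).
KNOWN_BINARIES = {"svchost.exe", "lsass.exe", "winlogon.exe", "services.exe",
                  "explorer.exe", "userinit.exe", "smss.exe", "csrss.exe"}
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".ocx")
ALLOWED_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789_-~ ().")
GARBAGE_NAME = "11F\u00df\u00e4#\u00b7\u00ba\u00c4\u00d6`I"  # DMR's example name


@dataclass
class FileRecord:
    name: str
    created: datetime
    company: Optional[str]  # CompanyName from the version resource, None if absent


def edit_distance(a, b):
    """Levenshtein distance; filenames are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(name):
    """Known binary this name imitates (distance 1 or 2, not exact), else None."""
    lname = name.lower()
    if lname in KNOWN_BINARIES:
        return None
    best = min(KNOWN_BINARIES, key=lambda k: edit_distance(lname, k))
    return best if edit_distance(lname, best) <= 2 else None


def is_garbage_name(name):
    """True if the name contains characters outside a plain filename alphabet."""
    return any(ch.lower() not in ALLOWED_CHARS for ch in name)


def creation_clusters(records, window=timedelta(seconds=30), min_size=3):
    """Group files whose creation times fall within `window` of a neighbour."""
    clusters, current = [], []
    for rec in sorted(records, key=lambda r: r.created):
        if current and rec.created - current[-1].created > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(rec)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def triage(records):
    """Map each filename to the list of signals it trips (files with none are omitted)."""
    clustered = {r.name for c in creation_clusters(records) for r in c}
    findings = {}
    for r in records:
        reasons = []
        if r.name in clustered:
            reasons.append("created within seconds of other files")
        if r.name.lower().endswith(EXECUTABLE_EXTS) and not r.company:
            reasons.append("no company/version information")
        if is_garbage_name(r.name):
            reasons.append("garbage characters in name")
        twin = lookalike_of(r.name)
        if twin:
            reasons.append("looks like " + twin)
        if reasons:
            findings[r.name] = reasons
    return findings


T0 = datetime(2006, 5, 20, 2, 41, 0)  # constructed burst time
SAMPLE = [  # constructed records: three legitimate files, three dropped together
    FileRecord("svchost.exe", datetime(1999, 12, 7, 12, 0, 0), "Microsoft Corporation"),
    FileRecord("notepad.exe", datetime(1999, 12, 7, 12, 0, 0), "Microsoft Corporation"),
    FileRecord("nvsvc32.exe", datetime(2004, 3, 1, 9, 15, 0), "NVIDIA Corporation"),
    FileRecord("scvhost.exe", T0, None),
    FileRecord("girls.exe", T0 + timedelta(seconds=4), None),
    FileRecord(GARBAGE_NAME, T0 + timedelta(seconds=9), None),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE).items():
        print(name, "->", "; ".join(reasons))
```

The two Microsoft files share a timestamp but fall below the cluster size, which is the point DMR makes: a shared timestamp alone is not proof of anything.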


By the way- your HJT log is clean, and ewido seems to have nothing aside from cookies. Are you seeing any indications of possibly lingering infections, or do things seem back to normal now?


yeah everything seems okay but i'll check back in a few days to make sure it's still clean...

thanks for answering all of those questions and giving me pointers. i'm trying to learn about everything so i don't just have to get a program to do it all for me but windows can be difficult with the hidden files, program files, registry stuff...

any last ideas on how i was getting the same things over and over? was it one lingering file (dvldr32 or whatever) that kept sprouting new ones? or am i doing something dumb?

anyhow, like i said, thanks tons and i'll check back in here in a day or two...


i'm trying to learn about everything so i don't just have to get a program to do it all for me but windows can be difficult with the hidden files, program files, registry stuff...

Yes, and those reasons are why we actually prefer to avoid the "manual" removal approach unless as a last resort. The automated anti-malware programs know where to look for the hidden components of the infections and are programmed to safely remove them. Performing malware removal "by hand" can, in the worst case, lead to making some incorrect "fix" which wrecks your computer. At the very least, manual removal quite often leaves some remnants of the infections lurking in your system.

any last ideas on how i was getting the same things over and over? was it one lingering file (dvldr32 or whatever) that kept sprouting new ones? or am i doing something dumb?

That particular infection, like many others, installs other infected files which may/can "respawn" the full infection. The devldr32.exe file is a component of a network worm, so you could also have been reinfected by another (also infected) remote computer.
Since the worm's infection method includes attempting to gain access to computers using well-known ("weak") passwords, one primary way to lessen the chances of reinfection is to use "strong" (8 random characters or more, mixed upper/lower case, mixed letters/punctuation symbols, etc.) passwords on your user accounts, your router or modem, and any other place where passwords are an option.
Many worms, including this one, also attempt to connect to and infect remote machines via certain network ports, so closing all unused ports on your system is recommended. Ports can be blocked by hardware devices such as routers, or by firewall software installed on your computer; having at least one of those protections in place is recommended. Unused ports can also be closed by turning off the Windows Services which use those ports.
The definitive site for information on Windows Services configuration is unfortunately down, but a mirror of its contents can be found here.
