0

Hello, my girlfriend's computer got this, "guard.tmp" and alot of other spyware after downloading and installing youtubegrabbrv1.zip from download.com. Here is the hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 8:41:19 PM, on 9/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CD Storage Master] C:\Program Files\CD Storage Master\CDStorager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dksde0d9] RUNDLL32.EXE w5cbd709.dll,n 004de0d5000000035cbd709
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kwinqpes.exe ELT001
O4 - HKLM\..\Run: [sys0368639612-18] C:\WINDOWS\sys0368639612-18.exe
O4 - HKLM\..\Run: [win320912-18686396] C:\WINDOWS\win320912-18686396.exe
O4 - HKLM\..\Run: [sys11-1868639612] C:\WINDOWS\sys11-1868639612.exe
O4 - HKLM\..\Run: [nkelaqg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nkelaqg.dll,iisxisc
O4 - HKLM\..\Run: [qpcsulwA] C:\WINDOWS\qpcsulwA.exe
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - Startup: SSH Tectia Broker.lnk = ?
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwinqpes.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,37
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you.

Corinn

Also, she can't get on the internet, even though she is connected and can access my computer. We use a router.

3
Contributors
7
Replies
8
Views
10 Years
Discussion Span
Last Post by Corinn
0

Well, first of all if her computer is infected you should take her off of your network. Some trojans spread through network shares.

Once that is done, you should download the following programs from download.com :

AdAware SE personal edition
Spybot Search and Destroy
Spywareblaster

AVG free edition anti-virus.

If she can't access the internet, you will have to download them for her and burn to CD or transfer to some type of removable media (flash drive, external USB hard drive, etc).

Once installed on her system, run all scans from safe mode. Then restart and select safe mode with networking. You will need to update all of these programs with the most recent definitions and run scans again.

If the first run of scans does not repair her internet connection, try googling "winsockXP fix", install this program to her computer and run it.

To boot the computer into safe mode: restart and continuously tap F8 until the options screen appears. Make your selection from the list.

I hope this helps!

-Kev

0

Thank you for your reply. I am running the programs now. hopefully that's solve some of, if not all the problem. Anything on the HiJackThis log that I need to fix?

Cor

0

Sorry, I've been out on a job all day.

I'll look at the log in a little bit (setting up a new system for a guy who had his tower stolen today). Did you have any luck cleaning it up with those programs?


-Kev

0

I think things are good. She has internet now, but still some bugs. here is a new HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 3:32:10 PM, on 9/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CD Storage Master] C:\Program Files\CD Storage Master\CDStorager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [dksde0d9] RUNDLL32.EXE w5cbd709.dll,n 004de0d5000000035cbd709
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kwinqpes.exe ELT001
O4 - HKLM\..\Run: [win320912-18686396] C:\WINDOWS\win320912-18686396.exe
O4 - HKLM\..\Run: [nkelaqg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\nkelaqg.dll,iisxisc
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O4 - Startup: SSH Tectia Broker.lnk = ?
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwinqpes.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,37
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks again.

Cor

0

Sorry, I should have been more clear with the programs mentioned. Be sure to uninstall any other anti-virus programs you have running. It is not good to have more then one resident AV program running at a time. Stick with either Ewido or AVG, but not both.

Also, Norton is an extreme resource hog. Just the act of uninstalling it should speed up her computer considerably (as you can see by the multiple entries from symantec on your HJT log). Also, after uninstalling all symantec-related items from the add/remove programs list, be sure to go to c-drive, program files and delete any leftover symantec or Norton folders.

Remove these:

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O4 - HKLM\..\Run: [dksde0d9] RUNDLL32.EXE w5cbd709.dll,n 004de0d5000000035cbd709

Rundll32.exe should be running from anywhere but the system 32 folder.

Another good clean up tool is ccleaner. I'd suggest downloading it and cleaning all the excess crap that is left after uninstalls and spyware removal.

0

ewido is primarily an antispyware and will work fine with avg( i use both). but avg and norton will clash. if you need to take norton out, once uninstalled you will need to run the norton removal tools from their website 1st SymNRT to remove any remnants then Sysclean to take it out of the registry properly

0

Thank you guys, I now only have Ewido and AVG. Here is the new TJH log. Thank you again everyone for your help.

Logfile of HijackThis v1.99.1
Scan saved at 9:20:45 PM, on 9/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CD Storage Master\CDStorager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O4 - HKLM\..\Run: [CD Storage Master] C:\Program Files\CD Storage Master\CDStorager.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [hp Update 3300C] C:\sj650\hpupdate.exe 3300C+
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BitComet] "C:\Program Files\BitComet\BitComet.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
O16 - DPF: {E9A7F56F-C40F-4928-8C6F-7A72F2A25222} (AxRUploadControl Object) - http://www.imagestation.com/common/classes/SonyISUpload.cab?v=1,0,0,37
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

Cor

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.