crash Posted June 6, 2005
Wow, I really screwed up this time! I downloaded Galactic Civilizations off BearShare (yeah, I know, I shouldn't download pirated games), and I DID scan the file before I unpacked it. The thing is, I forgot to change the scan from "2 layers of compression" to "10 levels of compression." PC-cillin didn't find it when it was compressed, but as soon as it was decompressed I watched the Trend warning window come up and then the number of threats climb from one to 12 within about 10 seconds. So I've run four different scanners, Stinger, ISTbar remover, all in three different OSes on my system. I've run Xsoft spy, Ad-Aware and Spybot S&D in Windows and before Windows loads. I've turned off System Restore, booted into Safe Mode, edited the startup menu and cleaned the registry. I still have stuff coming up! This is crazy! My next step is to boot into a DOS shell, run scanners and stuff in there and manually delete files. This has been a lot of work. So if anyone has any ideas besides "reformat and re-install everything", post away. I've never had to reformat because of a virus and this won't be the time I do it! Even when NETSKY was big.
Here is my virus log from PC-cillin:
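A small triage script for the PC-cillin "Log List" CSV export crash posted (columns Time, Scan Type, Source Type, Virus Name, Infected Source, First Action, Second Action), written as an added example and not part of the thread: it groups detections by path and flags files that keep getting "Deny Access" hits (still on disk, something keeps touching them) and files that arrive through the IE cache (fetched by a downloader component rather than dropped once). The sample log lines and the generic user-profile path are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the "Log List" CSV layout of the PC-cillin export
# (same columns as the thread's log; paths use a generic user profile).
SAMPLE_LOG = r"""Time,Scan Type,Source Type,Virus Name,Infected Source,First Action,Second Action
17:09,Real-time Scan,File,TROJ_AGENT.NJ,C:\DOCUME~1\USER~1\LOCALS~1\Temp\dealhelper.exe,Quarantine Successful,
17:34,Real-time Scan,File,ADW_ISTBAR.O,C:\WINDOWS\gcenv.exe,Deny Access,
17:35,Real-time Scan,File,ADW_ISTBAR.O,C:\WINDOWS\gcenv.exe,Deny Access
17:37,Real-time Scan,File,ADW_ISTBAR.O,C:\WINDOWS\GCENV.EXE,Deny Access
20:01,Real-time Scan,File,ADW_ISTBAR.O,C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\AH0NILUX\istrecover[1].exe,Deny Access
20:01,Real-time Scan,File,TROJ_DLOADER.MG,C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\AH0NILUX\bb[1].exe,Quarantine Successful
20:03,Real-time Scan,File,ADW_SIDEFIND.C,C:\Program Files\SideFind\sfbho.dll,Deny Access
20:04,Real-time Scan,File,ADW_ISTBAR.O,C:\WINDOWS\gcenv.exe,Deny Access
"""


def parse_log(text: str) -> list:
    """Parse the CSV export into dicts keyed by the header names.

    Some rows carry a trailing empty 'Second Action' field and some do not,
    so every row is padded/trimmed to the header width.
    """
    rows = list(csv.reader(io.StringIO(text)))
    header = rows[0]
    entries = []
    for row in rows[1:]:
        if not row or not row[0].strip():
            continue
        row = (row + [""] * len(header))[: len(header)]
        entries.append(dict(zip(header, row)))
    return entries


def triage(entries: list, persistent_threshold: int = 3) -> dict:
    """Group detections by case-folded path and attach triage flags.

    Caveat: 8.3 short names (DOCUME~1) and long names of the same file are
    separate keys here; only letter case is normalised.
    """
    by_path = defaultdict(lambda: {"names": set(), "actions": set(), "hits": 0, "times": []})
    for e in entries:
        rec = by_path[e["Infected Source"].lower()]
        rec["names"].add(e["Virus Name"])
        rec["actions"].add(e["First Action"])
        rec["hits"] += 1
        rec["times"].append(e["Time"])

    report = {}
    for path, rec in by_path.items():
        flags = []
        # Repeated "Deny Access" means the file was never removed: the real-time
        # scanner blocks it each time something tries to load it.
        if "Deny Access" in rec["actions"] and rec["hits"] >= persistent_threshold:
            flags.append("persistent")
        # Hits in the IE cache mean the file was downloaded again, not just left over.
        if "content.ie5" in path or "temporary internet files" in path:
            flags.append("via-ie-cache")
        if "\\temp\\" in path:
            flags.append("temp-dir")
        if "Quarantine Successful" in rec["actions"]:
            flags.append("quarantined")
        report[path] = {
            "names": sorted(rec["names"]),
            "hits": rec["hits"],
            "flags": flags,
            "first": rec["times"][0],
            "last": rec["times"][-1],
        }
    return report


def summarize(report: dict) -> tuple:
    """Return (paths still on disk sorted by hit count, paths that came through the IE cache)."""
    persistent = sorted(
        (p for p, r in report.items() if "persistent" in r["flags"]),
        key=lambda p: -report[p]["hits"],
    )
    cache = [p for p, r in report.items() if "via-ie-cache" in r["flags"]]
    return persistent, cache


if __name__ == "__main__":
    still_there, redownloaded = summarize(triage(parse_log(SAMPLE_LOG)))
    print("still on disk:", still_there)
    print("re-downloaded via IE cache:", redownloaded)
```

Files in the first list are the ones to remove from an environment where they cannot be locked (the second OS or a DOS boot the thread mentions); files in the second list point at a component that is still fetching them.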
anthony Posted June 6, 2005
Ouch. Lesson learned?
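The scan-depth setting crash mentions ("2 layers of compression" versus "10 levels") is easy to reproduce. This added example, not from the thread, builds a three-deep zip-in-zip and shows that a scanner limited to two layers never opens the innermost file and has to report the result as truncated rather than clean. The marker string, `is_bad()` and `scan()` are constructed stand-ins for a real signature check.

```python
import io
import zipfile

# Constructed marker standing in for a detectable payload; a real scanner
# matches signatures, not this string.
BAD_MARKER = b"CONSTRUCTED-DETECTION-MARKER"


def is_bad(data: bytes) -> bool:
    """Stand-in for the signature check a scanner applies to an unpacked file."""
    return BAD_MARKER in data


def build_nested_zip(payload: bytes, depth: int, inner_name: str = "payload.bin") -> bytes:
    """Wrap payload in `depth` zip layers (test fixture: zip inside zip inside zip)."""
    data, name = payload, inner_name
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{depth - level}.zip"
    return data


def scan(blob: bytes, max_layers: int, _layer: int = 0) -> dict:
    """Unpack archives recursively, but only `max_layers` deep, as the scanner setting does.

    Returns {"hits": [(layer, name), ...], "truncated": bool}. "truncated" is True
    when some archive was left unopened because the limit was reached, so a result
    with no hits is then "not inspected", not "clean".
    """
    result = {"hits": [], "truncated": False}
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        if is_bad(blob):
            result["hits"].append((_layer, "<top-level file>"))
        return result
    if _layer >= max_layers:
        result["truncated"] = True  # limit hit: nothing inside is ever inspected
        return result
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            if zipfile.is_zipfile(io.BytesIO(data)):
                sub = scan(data, max_layers, _layer + 1)
                result["hits"].extend(sub["hits"])
                result["truncated"] = result["truncated"] or sub["truncated"]
            elif is_bad(data):
                result["hits"].append((_layer + 1, info.filename))
    return result


if __name__ == "__main__":
    sample = build_nested_zip(b"header " + BAD_MARKER, depth=3)
    print(scan(sample, max_layers=2))   # {'hits': [], 'truncated': True}
    print(scan(sample, max_layers=10))  # {'hits': [(3, 'payload.bin')], 'truncated': False}
```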
RadioActivated Posted June 6, 2005
That'll teach ya... to do it the right way.. HAHA
Coolzero101 Posted June 6, 2005
The best thing is to have 2 Windows installs; if this happens you can log in with the other one and run all the spy removers you can think of and you won't get access denied errors, and if you do, you can change the file permissions without worrying.
Blue_cow Posted June 6, 2005
Ouch. I hope you get that all sorted out, man.
Guest Jeremy Posted June 6, 2005
Like you said, I would boot into DOS and run a scan from there.
slapnuts Posted June 6, 2005
Read this page from Symantec about Downloader.Trojan: http://www.symantec.com/avcenter/venc/data...der.trojan.html You will have to turn off your System Restore, then run your anti-virus scan again in "Safe Mode" to remove all the files detected as Downloader.Trojan. There are instructions at the above link to show you how to turn off System Restore and how to run your system in Safe Mode. I would try the above first, then I would do a scan with HijackThis to see if there is anything else lurking. You can get HijackThis from here: http://www.tomcoyote.org/hjt/ There are instructions there to follow, but do not *fix* anything yet that HijackThis lists, as most things listed are needed and not harmful. You could post your HijackThis log (save it and copy and paste it here) so we can have a look and advise you what might still need to be fixed. GL and I hope this helps.
crash Posted June 6, 2005
Well, I'm getting there. I do have three OSes on that rig, so I have tried cleaning in the unaffected OS too. I'm right in the middle of scanning again, and after that I will use AVG DOS and then post a HijackThis log. I think I got them all.

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:49:13 AM, on 06/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CPUCooL\CooLSrv.exe
C:\Program Files\Folding@Home\srvany.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ZDWLAN.EXE] ZDWLAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applets/entru...sapplet-epf.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-beta.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2E28242B-A689-11D4-80F2-0040266CBB8D} (KXHCM10 Control) - http://live1000r.homeip.net:81/kxhcm10.ocx
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by107fd.bay107.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://fordtruckworld.tenmagazines.com/XUpload.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CPUCooLServer Service (CPUCooLServer) - Unknown owner - C:\Program Files\CPUCooL\CooLSrv.exe
O23 - Service: Folding@Home - Unknown owner - C:\Program Files\Folding@Home\srvany.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe
Ste Posted June 6, 2005
Sorry, but is there a "HijackThis" boot camp? 'Cause I'd love to know how to use it effectively. Not to topic-steal, but so I could help.
crash Posted June 6, 2005
> Sorry, but is there a "HijackThis" boot camp? 'Cause I'd love to know how to use it effectively. Not to topic-steal, but so I could help.

I suppose there is somewhere, but all I usually do is look through the log for suspicious entries and then them. It's nice to have a few different people look through, though, 'cause then you don't miss anything!
Bosco Posted June 6, 2005
I had a computer in here at work last week that I had to fix, and get this: the final count of spyware was over 2800.... The most I had ever seen before that was 1465, so yeah, I was a little shocked.
Hienrich Jager Posted June 6, 2005
Yeah, downloading games can be really bad..... Anyways, HOLY CRAP, YOU HAVE A LOT OF ENTRIES IN HIJACKTHIS!!! The most I have ever seen is like 20-30! Let