  #1  
Old 06-25-2006
Bronze Member
 
Join Date: Jun 2006
Posts: 10
Jmelo
[Fixed] w32.jeefo incorrectly identified?

Sorry I posted this in the antiviral forum first, but was hoping someone could look at my log and give me some insight.

I am at my wits end trying to clean an infection from my PC. Any ideas you have would be very welcome.

XP, SP2, hard drive runs continuously. PC runs very slowly. Norton scans indicate w32.jeefo infection on files in windows\temp\tmp1.tmp, tmp2.tmp etc. All are 361120 bytes. Also finds one infected file in Norton\Savrt\0000~NAV.tmp.

I turned off system Restore.

I show hidden files and delete the tmp files, to no effect.

Norton can not clean files when run in safe mode, but will delete them.

Sophos jeefogui does not find anything. I ran it from the website, from a USB and from the harddrive. Also ran it in Safemode and regular mode.

I have run current Adaware and Spybot S+D and allowed them to clean everything they found.

I can not find any reference to a powermanager or svchost.exe in the %windows% directory.

I also downloaded and ran LQfix - although it seemed busy for some time, the problem remains.

Edit: Please only post HJT logs as attachments, Thanks, LGW


Thanks in advance for any suggestions.
Attached Files
File Type: txt HJT log.txt (10.1 KB, 0 views)



Last edited by ladygreenwitch; 06-25-2006 at 03:29 AM.
  #2  
Old 06-25-2006
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,599
PC Experience: Elite PC Guru
Pancake

Looks like you will have to stop it from running in the registry. Every time you start up it gets put in that temp file and that's why it keeps getting bigger.

http://www.google.com.au/url?sa=U&st...fo.html&e=9797


__________________
My real name is Eddy
  #3  
Old 06-25-2006
HR Director
 
Join Date: Jul 2005
Location: Bay Area California
Posts: 5,472
PC Experience: PC Illiterate
ladygreenwitch

Hey Guys,

@Pancake, let's try some less potentially dangerous removal first, OK?

I worry about instructing folks who aren't familiar, to edit their registry.

@Jmelo,

My welcome to you as well. Let's see if we can't get this thing to stop before it eats your home town. LOL. But Pancake is correct about you reinfecting yourself.

Can you please try this:
Download Spy Sweeper from my signature, also RegSupremePro. Install and update Spy Sweeper. Open the PreWork instructions from my signature, and download CCleaner and ewido. Install and update them as well.

Now empty your recycling and empty and disable your Norton Protected Recycling, and everything from your quarantine files.

Please make sure that your System Restore, and if you use it, Norton's Go Back, and Ghost, are disabled.

Now boot into Safe Mode, and stay there for the entire fix.

First run CCleaner, make sure ALL options are selected, including Advanced, answer OK to all warnings. Click on Analyze, then Run Cleaner. Next click on Issues, make sure all options are selected, click on Scan for Issues, then Fix Selected Issues, and let it fix all that it finds.

Now run a full system scan with ewido, let it fix everything that it finds. Please save the log.

Next run Spy Sweeper, under options, make sure that all options are selected except Do Not Sweep System Restore Folders. Run a full system scan, let it fix everything that it finds. Please also save a log to post back here.

Now run RegSupremePro, it will want to create a back up of your cache, let it. Click on the Registry Cleaning Tab, choose Advanced. When it has finished, click on Select, choose All, click on Fix, and let it fix anything that it finds.

Run CCleaner again, and reboot into regular mode. Run Housecall from the link on your desktop, let it clean everything that it finds. Rerun HijackThis, and fix the following if you do not recognize it:
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
Then please rerun HJT to save a log, and post all of the logs from your fix.

Also, I would download Shoot the Messenger from my signature, your Windows Messenger is enabled, and leaving you open to popup attacks.

Looking forward to your reply,

TTFN

LGW


  #4  
Old 06-26-2006
Bronze Member
 
Join Date: Jun 2006
Posts: 10
Jmelo

Whew, I think I have everything as you instructed. I did not find a shortcut to Housecall on my desktop, but did find the website and run it.

The pc is still slow, and Norton continues to taunt me with the next \windows\temp??.tmp.

It started out Hot and muggy here near Ithaca, NY but turned into cool and rainy today. Not a bad day to mentally pace around my PC.

Thanks for taking the time to look over this and give me ideas, because I was empty.

I forgot about "Kill the messenger" until just now, but I will install that next.

Thanks,

Look forward to your answer Lady Greenwitch.

Jmelo
Attached Files
File Type: log hijackthis.log (10.6 KB, 3 views)
File Type: log spysweeper.log (1.0 KB, 3 views)
File Type: txt Report-Scan-20060625-133453.txt (13.9 KB, 3 views)


  #5  
Old 06-26-2006
Senior Security Analyst
 
Join Date: Jun 2006
Location: Victoria, Australia
Posts: 3,599
PC Experience: Elite PC Guru
Pancake

Should you still find that you are still getting all those temp files, these instructions will stop it from regenerating from within the registry.

Copy and paste all this from within the box into Notepad then go to FILE and SAVE AS. "All Files" must be selected in the "Save as Type" box. In that box type Fix.reg and save it to your Desktop. Double click to merge it to the registry.

Code:
 
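REGEDIT4

; Delete only the "PowerManager" autorun value. A leading "-" inside the
; brackets would delete the whole Run key and every other startup entry.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerManager"=-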


__________________
My real name is Eddy

Last edited by Pancake; 06-26-2006 at 04:08 AM.
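
As an added example (not code from the thread or from HijackThis), this Python script scans HijackThis `O4` autorun lines for the pattern discussed in posts #1 and #5: a Windows system binary name such as svchost.exe launched from somewhere other than System32. The `O4` sample lines are constructed, the O16 line is the one quoted in post #3, and the list of System32-only names is an assumption for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed O4 sample lines (not from the poster's log); the O16 line is from post #3.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PowerManager] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
"""

# HijackThis autorun entry: "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)

# Assumed short list of binaries that legitimately live only in System32.
SYSTEM32_ONLY = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe"}


def image_path(cmd):
    """Return the executable path from a command line, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r'(.+?\.exe)\b', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def suspicious_autoruns(log_text):
    """List (hive, value name, path) for system binary names run outside System32."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an autorun entry (e.g. the O16 line)
        path = PureWindowsPath(image_path(m["cmd"]))
        parent = str(path.parent).lower()
        if path.name.lower() in SYSTEM32_ONLY and not parent.endswith(r"\system32"):
            findings.append((m["hive"], m["name"], str(path)))
    return findings


if __name__ == "__main__":
    for hive, name, path in suspicious_autoruns(SAMPLE_LOG):
        print(f"{hive} Run value '{name}' starts {path} (expected under System32)")
```
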
  #6  
Old 06-26-2006
HR Director
 
Join Date: Jul 2005
Location: Bay Area California
Posts: 5,472
PC Experience: PC Illiterate
ladygreenwitch

Good one Pancake, but I think you meant NotePAD, LOL.

@Jmelo, it sounds as if Norton may be holding on to part of this infection as well.

Let me look at the logs to make sure everything cleaned OK, brb.

TTFN

LGW


  #7  
Old 06-26-2006
HR Director
 
Join Date: Jul 2005
Location: Bay Area California
Posts: 5,472
PC Experience: PC Illiterate
ladygreenwitch

Sorry Jmelo, I just read my other post, I had intended to edit my post to add that you should download the Housecall link to your desktop.

When you ran ewido, did you tell it to fix everything that it found? It ignored everything that it found.

Please follow the part of the instructions again up to and including the ewido scan. Make sure that when the first warning comes up, you choose to fix it, and mark that it should do the same with everything that it finds.

Looking forward to your reply,

TTFN

LGW


