Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Task Manager, MSConfig [resolved]


  • This topic is locked This topic is locked

#16
sportspeddler1

sportspeddler1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 106 posts
Scan with updated AdAwareSE (there were not updates avail. since I last ran the previous scan) detected no new spyware and did not remove anything. I dont know if that is good or bad, but that is what happened. :tazz:
  • 0

Advertisements


#17
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi sportspeddler1

Reboot into safemode

Using Windows Explorer Delete the following files if found

C:\WINDOWS\system32\cd_clint.dll<--Delete this file

C:\WINDOWS\NDNuninstall*.exe<--Delete this file

C:\DOCUME~1\Customer\LOCALS~1\Temp\bundle.inf<--Delete this file

C:\WINDOWS\system32\FLEOK<--Delete this file

C:\DOCUME~1\Customer\LOCALS~1\Temp\TVMUpdater.exe<--Delete this file

C:\WINDOWS\artmmp.ini<--Delete this file

C:\WINDOWS\inf\localNRD.inf<--Delete this file

C:\WINDOWS\system32\osconfig.dll<--Delete this file

C:\WINDOWS\system32\Cards.ico<--Delete this file

Reboot as you normaly would

Then see if any off the above file are still their

Kc :tazz:
  • 0

#18
sportspeddler1

sportspeddler1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 106 posts
Deleted all the files in safe mode. After robooting in normal mode, I could not find any of the files.
  • 0

#19
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi sportspeddler1

Please run the following free, online virus scans.

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Please post the logs From both virus scans and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#20
sportspeddler1

sportspeddler1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 106 posts
TrendMicro still shows no infections. Here is the log from the Panda Scan (down to 5 :tazz:) :

Incident Status Location

Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\Temp\salm.???
Adware:Adware/BHO No disinfected Windows Registry
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\fiz1
Spyware:Spyware/RealSpy No disinfected Windows Registry

Logfile of HijackThis v1.99.0
Scan saved at 3:34:25 PM, on 3/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\paprport\pptd40nt.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\avast\ashDisp.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\avast\aswUpdSv.exe
C:\avast\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\avast\ashMaiSv.exe
C:\avast\ashWebSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Customer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [avast!] C:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\POPUPS~1\POP-UP~1\PSFree.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\avast\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#21
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi sportspeddler1

HJT.log is clean

Reboot to safemode

Using Windows Explorer

C:\Temp\salm.???<--Delete the whole folder
C:\WINDOWS\system32\fiz1<--Delete this file

Reboot as you normaly would

rerun the panda scan and HJT post the logs

Kc :tazz:
  • 0

#22
sportspeddler1

sportspeddler1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 106 posts
Hi thatman! Deleted the files you said to delete. New Panda scan:

Incident Status Location

Adware:Adware/MyWay No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINDOWS\msbb*
Adware:Adware/BHO No disinfected Windows Registry
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\kyf.dat
Spyware:Spyware/RealSpy No disinfected Windows Registry

Logfile of HijackThis v1.99.0
Scan saved at 10:22:54 AM, on 3/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\paprport\pptd40nt.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\avast\ashDisp.exe
C:\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\avast\aswUpdSv.exe
C:\avast\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\avast\ashMaiSv.exe
C:\avast\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Customer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [avast!] C:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\POPUPS~1\POP-UP~1\PSFree.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\avast\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#23
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi sportspeddler1

HJT.log is clean

Reboot to safemode

Using Windows Explorer

C:\WINDOWS\system32\kyf.dat <--Delete the whole folder
C:\WINDOWS\msbb* <--Delete this file

Reboot as you normaly would

rerun the panda scan and HJT post the logs

Kc :tazz:
  • 0

#24
sportspeddler1

sportspeddler1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 106 posts
thatman is DA MAN!!!
Deleted files you suggested. Following is the new Panda Scan Log (Down to 1!!!!!!!) :tazz:
I dont know if it matters, but I still have not been able to delete "C:\WINDOWS\SYSTEM32\svchosta.exe" It still tells me it it being used by another program.

Incident Status Location

Adware:Adware/MyWay No disinfected Windows Registry

Logfile of HijackThis v1.99.0
Scan saved at 11:40:39 AM, on 3/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\paprport\pptd40nt.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\avast\ashDisp.exe
C:\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\POPUPS~1\POP-UP~1\PSFree.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\avast\aswUpdSv.exe
C:\avast\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\avast\ashWebSv.exe
C:\avast\ashMaiSv.exe
C:\Documents and Settings\Customer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [avast!] C:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\POPUPS~1\POP-UP~1\PSFree.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\avast\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#25
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi sportspeddler1

How to take ownership of a file or folder in Windows XP

Restart into Safe mode and find this file:

C:\WINDOWS\SYSTEM32\svchosta.exe

Right click on the file and choose properties.
Use the security tab on the exe or .dll and take ownership.
Change the 'everyone special' to
'you> with Admin rights-> FULL control
Then try to delete it, if that fails try to rename
it first to different name+ext.
Example:
ctl.dll>bleh.txt
bleh.txt > badfile.111

Once you have successfully deleted the file restart into Regular Windows mode.

Post back a fresh HijackThis log and we'll take another look.

Kc :tazz:
  • 0

Advertisements


#26
sportspeddler1

sportspeddler1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 106 posts
I still could not delete the file, It says that the file is being used by another person or program. Any other ideas?

Logfile of HijackThis v1.99.0
Scan saved at 7:54:05 AM, on 3/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\paprport\pptd40nt.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\avast\ashDisp.exe
C:\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\POPUPS~1\POP-UP~1\PSFree.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\avast\aswUpdSv.exe
C:\avast\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\avast\ashMaiSv.exe
C:\avast\ashWebSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Customer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [avast!] C:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\POPUPS~1\POP-UP~1\PSFree.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\avast\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#27
sportspeddler1

sportspeddler1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 106 posts
Well I stumbled across something and was able to delete svchosta.exe. I thought I would let you know how I did it. I noticed when searching for info on the file that it seemed to be connected with kazaa, however kazaa did not show up in add or remove programs in control panel. I did , however, see it under tools in the CCleaner utility that I downloaded. I uninstalled kazaa then was able to delete svchosta.exe in safe mode. :tazz: My mozilla is acting a little strange right now, I dont know if that is related or not. I will scan with panda again and post results.
Thanks again!!!!!!!!
  • 0

#28
sportspeddler1

sportspeddler1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 106 posts
Still one spyware showing up on Panda Scan:

Incident Status Location

Adware:Adware/MyWay No disinfected Windows Registry

Logfile of HijackThis v1.99.0
Scan saved at 10:33:43 AM, on 3/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\paprport\pptd40nt.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\avast\ashDisp.exe
C:\ZoneAlarm\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Corel\Graphics8\Programs\MFIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\avast\aswUpdSv.exe
C:\avast\ashServ.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\avast\ashMaiSv.exe
C:\avast\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Customer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\spybot\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PaperPort PTD] c:\paprport\pptd40nt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [avast!] C:\avast\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\ZoneAlarm\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\POPUPS~1\POP-UP~1\PSFree.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\bundle\McAfee\ACROREAD\WIN9X_NT\yahoo\Messenger\yhexbmes0819.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: avast! iAVS4 Control Service - Unknown - C:\avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown - C:\avast\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\avast\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\avast\ashWebSv.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#29
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi sportspeddler1

Please download Advanced Uninstaller PRO 2004
Advanced Uninstaller PRO 2004
Lets see if this will clean up the loose ends.

Download the fully working demo program you have a 30 day free trial with it, when you have download the program unzip it it will create it own directory.

Run the program and click on Registry cleaner, follow the directions from the program and let it clean your Registry.
This is a very good and safe program I have been using it for a number off years and have not had any problems.
When the free 30 days trial is up just uninstall the program.

When the program has finnished close it. Reboot your Pc And post a new HJT.Log

Kc :tazz:
  • 0

#30
sportspeddler1

sportspeddler1

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 106 posts
Any idea why my mozilla firefox would not be working correctly now? I cant open yahoo mail in it and the geekstogo page is all jumbled up in it and no blue background or anything.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP