Computer running VERY slow (Hijack This log) - Geeks to Go Forums

Jump to content

Log in Register Register Malware removal guide How it works

Computer running VERY slow (Hijack This log) Please help!

#1 FunkyMunkey

  • Group: Member
  • Posts: 15
  • Joined: 28-May 06

Posted 28 May 2006 - 01:06 PM

My computer's been running slow for a while now, and I want to try and finally fix it. It takes a loooong time to do anything. It takes about almost 10 minutes to boot up completely, 5 minutes to shut down, 10-15 seconds to open folders inside my computer, and around 3 times as long to open files and programs as it should take.

I have Norton Anti-Virus, Spybot S&D, and Ad-Aware SE Personal. All say my computer is clean.

Please help me. Any I receive is GREATLY appreciated. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 11:40:55 AM, on 5/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\PROGRA~1\MyWay\bar\4.bin\mwsoemon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\AVerTV\QuickTV.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - <default> - (no file)
O1 - Hosts: 64.12.152.18 search.netscape.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezkrpbpx] c:\windows\system32\ezkrpbpx.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\4.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV\QuickTV.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZCxdm235XXUS
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

(END)

Thanks again!

#2 Noviciate

  • Group: Malware Removal
  • Posts: 1,563
  • Joined: 24-April 06

Posted 28 May 2006 - 01:26 PM

Run the following scan: Kaspersky Online Scanner.
When you see "Please select a target to scan", click on "My Computer".
When the scan has completed and the results are displayed, click on the Save as text button and save the report with an appropriate name to your Desktop.
Copy and paste this report into your next reply.

Also, run HJT and click on Open the Misc Tools section.
In the next window, click on Open Uninstall Manager...
In the final window, click on Save list... and save it to your Desktop.
Copy and paste this file: uninstall_list.txt into your next reply.

#3 FunkyMunkey

  • Group: Member
  • Posts: 15
  • Joined: 28-May 06

Posted 28 May 2006 - 03:55 PM

Kaspersky Report:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, May 28, 2006 2:54:32 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 28/05/2006
Kaspersky Anti-Virus database records: 185030
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 52709
Number of viruses found: 17
Number of infected objects: 41
Number of suspicious objects: 2
Duration of the scan process: 01:48:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04B874C7.exe Infected: Trojan-Downloader.Win32.Intexp.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A543F17.exe Infected: Worm.Win32.VB.an skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AB62AAB.dll Infected: Trojan-Downloader.Win32.Keenval.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AB954A7.exe Infected: Trojan-Downloader.Win32.Intexp.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0ADA7883.exe Infected: Trojan-Downloader.Win32.Stubby.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B221434.tmp/ Infected: Trojan-Downloader.Win32.Agent.ae skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B221434.tmp MS Expand: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B221434.tmp Cexe: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B221434.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B35101F.exe Infected: Trojan-Downloader.Win32.Dyfuca.cy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B3C6418.exe Infected: Trojan-Downloader.Win32.Dyfuca.da skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B3F0E14.exe Infected: Trojan-Downloader.Win32.Agent.ae skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B46620D.tmp Infected: Trojan-Downloader.Win32.Intexp.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B490C09.tmp Infected: Trojan-Downloader.Win32.Keenval.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B5D07F4.tmp Infected: Trojan-Clicker.Win32.Delf.r skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B635BEC.tmp/ Infected: Trojan-Downloader.Win32.Agent.ae skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B635BEC.tmp MS Expand: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B635BEC.tmp Cexe: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B635BEC.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B6D59E2.tmp/data0002 Infected: Trojan-Downloader.Win32.Keenval.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B6D59E2.tmp/data0003 Infected: Trojan-Downloader.Win32.Keenval.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B6D59E2.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B6D59E2.tmp CryptFF: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B9127BA.tmp/data0002 Infected: Trojan-Downloader.Win32.Keenval.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B9127BA.tmp/data0003 Infected: Trojan-Downloader.Win32.Keenval.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B9127BA.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B9127BA.tmp CryptFF: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0BAB779D.exe Infected: Trojan-Dropper.Win32.Delf.z skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0EA970C4.exe Infected: Trojan.Win32.Agent.ay skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1A4014A6.tmp Infected: Trojan-Downloader.Win32.Dyfuca.da skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\54B472D3.htm Infected: Trojan-Downloader.JS.Small.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60552BE0.dll Infected: Trojan-Downloader.Win32.Dyfuca.ew skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E5E3DDC.tmp Infected: Worm.Win32.VB.an skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E683BD1.exe Infected: Worm.Win32.VB.an skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E683BD1.tmp Infected: Worm.Win32.VB.an skipped
C:\Documents and Settings\Julie Martin\Local Settings\Application Data\Microsoft\MSN\db\windwizard777-msn-com.459/[From ealif <ealif@xesre.r>][Date Wed, 25 Jun 2003 14:10:17 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Julie Martin\Local Settings\Application Data\Microsoft\MSN\db\windwizard777-msn-com.459 Mail: suspicious - 1 skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1646\A0179727.exe/SETUP_POWERSEARCH.EXE/data0007 Infected: Trojan-Downloader.Win32.Keenval.n skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1646\A0179727.exe/SETUP_POWERSEARCH.EXE Infected: Trojan-Downloader.Win32.Keenval.n skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1646\A0179727.exe ZIP: infected - 2 skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1646\A0179729.exe/SETUP_POWERSEARCH.EXE/data0007 Infected: Trojan-Downloader.Win32.Keenval.n skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1646\A0179729.exe/SETUP_POWERSEARCH.EXE Infected: Trojan-Downloader.Win32.Keenval.n skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1646\A0179729.exe ZIP: infected - 2 skipped

Scan process completed.

Hijack This uninstall_list:

ActionReplay Xbox
Ad-Aware SE Personal
Adobe Acrobat 5.0
AdobeŪ PhotoshopŪ Album Starter Edition 3.0
AOL Instant Messenger
AVerTV
Bink and Smacker
BitTorrent 3.4.2
ccCommon
Conexant HSF V92 56K Data Fax PCI Modem
Dell Solution Center
DellTouch
DivX
DivX Player
Easy CD Creator 5 Basic
EPSON Printer Software
HijackThis 1.99.1
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP Image Zone Express
HP PSC & OfficeJet 4.7
HP Software Update
Image Transfer
Intel Application Accelerator
Internet Explorer Q903235
Internet Worm Protection
iPod for Windows 2005-06-26
iTunes
J2SE Runtime Environment 5.0 Update 3
Java 2 Runtime Environment, SE v1.4.2_05
Kaspersky On-line Scanner
LimeWire 4.10.9
LiveUpdate 3.0 (Symantec Corporation)
Lord of the Rings Return of the King 3D Screen
Lord of the Rings: Return of the King 3D Screen Saver v3.0
Macromedia Shockwave Player
Mah Jong Medley
Mah Jong Quest™
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
Microsoft Learning and Research Plus Support Files
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Web Publishing Wizard 1.52
Microsoft Word 2002
Microsoft Works 2002 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Microsoft XML Parser and SDK
Modem Helper
Mozilla Firefox (1.5.0.3)
MSN Internet Software
MSN Music Assistant
MSXML 4.0 SP2 Parser and SDK
NAVShortcut
Night of the Living Dread Wallpaper
Norton AntiVirus 2006
Norton AntiVirus 2006 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Norton WMI Update
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
Query Spree v1.1.1
QuickTime
RealPlayer
Roll
SBC Yahoo! Applications
SBC Yahoo! DSL Home Networking Installer
Search Basket
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Serif DrawPlus 3.0
Shockwave
Shockwave Player
Snowy Scenes Full Screen Saver
Sound Blaster Live! Value
SPBBC
Spybot - Search & Destroy 1.4
StyleXP (remove only)
Super Mah Jong
Symantec
SymNet
Ulead Photo Express 3.0 SE
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Connect
Windows Media Format Runtime
Windows Media Player 10
Windows SA
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
XBC 5.1

Thanks, I really appreciate it!

#4 FunkyMunkey

  • Group: Member
  • Posts: 15
  • Joined: 28-May 06

Posted 28 May 2006 - 04:03 PM

There's a few things in that uninstall_list that I NEVER use anymore that I could do without. Just saying :whistling: .

#5 Noviciate

  • Group: Malware Removal
  • Posts: 1,563
  • Joined: 24-April 06

Posted 28 May 2006 - 05:06 PM

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download the trial version of Ewido Anti-Malware from here and save it to your Desktop.
When the download has finished, locate ewido-setup.exe and double click it to begin installation.
**If you already have Ewido installed, update it and go to 2)**

In the 'Additional Options' window, uncheck:
'Install required for automatic updates (background guard)'.

When installation is complete, you will need to update Ewido to the latest definition files.
To do this:
Double click the Ewido Desktop icon.
In the main screen, on the left hand side, click Update.
In the following screen, click Start Update

A progress bar will show how the update is going. When it has finished updating, close it.

If you have problems with the updater, you can manually update Ewido.
Click here and save ewido-signatures-full-current.exe to your Desktop.
All you need to do then is to double-click it, click Install and then, when it has finished, Close.

Ewido Anti-Malware is designed to be used to both scan for and remove malicious files and also to run alongside, but not replace, your existing anti-virus program to give an added layer of protection.
However, as the real-time protection may interfere with the fixing of your PC, this function will have been disabled as long as you followed the installation instructions correctly.
At the end of the trial period, Ewido will revert to a stand-alone scanner which you can keep and update for free and use in a similar way to Ad-Aware SE Personal.
Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this simply open it and click on the Buy now online button.

2) Download F-Secure's BlackLight from here and save it to your Desktop.

3) You will need to know how to boot into Safe Mode.
Instructions can be found here.

4) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - <default> - (no file)

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll (file missing)

O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [ezkrpbpx] c:\windows\system32\ezkrpbpx.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\4.bin\mwsoemon.exe

O8 - Extra context menu item: &Search - http://edits.mywebse...?p=ZCxdm235XXUS

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Boot into Safe Mode.

3) Run Ewido.
Click on Scanner.
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK.
When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says 'Perform action with all infections' then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report - click it.
Save the report.txt file to your desktop.

Now close Ewido Anti-Malware.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel !!

4) Remove any/all of the following files/folders that you can find:

Files

C:\WINDOWS\dinst.exe
c:\windows\system32\ezkrpbpx.exe

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'

Folders

C:\Program Files\Accoona
C:\PROGRA~1\MyWay

As an example:
To delete C:\WINDOWS\system32\foldertogo
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on foldertogo and from the menu that appears, click on 'Delete'

5) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

6) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

7) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

8) Boot into Normal Mode.

9) Locate and double click blbeta.exe to run it.

Click the Scan button to begin. When it has completed, click the Close button.
A text file, fsbl-date/time, will be saved to your Desktop, copy and paste this into your next post

Post a new HJT log, the Ewido log AND a description of how your PC is running.

-----------------------------------------------------------------------------------------------------------------------------

We'll get to Add/Remove Programs a little later once the PC's cleaner.

#6 FunkyMunkey

  • Group: Member
  • Posts: 15
  • Joined: 28-May 06

Posted 28 May 2006 - 05:32 PM

I will be back from work in about 4 hours and I'll complete those steps and post back in this topic. Thank you so much for the help so far! Be right back :whistling: .

#7 FunkyMunkey

  • Group: Member
  • Posts: 15
  • Joined: 28-May 06

Posted 28 May 2006 - 10:41 PM

Beginning tasks now.

#8 FunkyMunkey

  • Group: Member
  • Posts: 15
  • Joined: 28-May 06

Posted 29 May 2006 - 01:43 AM

fsbl log:

05/29/06 00:08:17 [Info]: BlackLight Engine 1.0.36 initialized
05/29/06 00:08:17 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/29/06 00:08:18 [Note]: 7019 4
05/29/06 00:08:18 [Note]: 7005 0
05/29/06 00:08:23 [Note]: 7006 0
05/29/06 00:08:23 [Note]: 7011 1284
05/29/06 00:08:23 [Note]: 7026 0
05/29/06 00:08:23 [Note]: 7026 0
05/29/06 00:09:03 [Note]: FSRAW library version 1.7.1015
05/29/06 00:30:30 [Note]: 7007 0


HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:40:26 AM, on 5/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Documents and Settings\Julie Martin\My Documents\Desktop\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\AVerTV\QuickTV.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O1 - Hosts: 64.12.152.18 search.netscape.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [EPSON Stylus C64 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2C1.EXE /P23 "EPSON Stylus C64 Series" /O6 "USB001" /M "Stylus C64"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: QuickTV.lnk = C:\Program Files\AVerTV\QuickTV.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Julie Martin\My Documents\Desktop\ewido anti-malware\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Ewidow log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:20:42 PM, 5/28/2006
+ Report-Checksum: CCE20D03

+ Scan result:

HKLM\SOFTWARE\180solutions -> Adware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKU\S-1-5-21-3615762775-1256799619-874574627-1006\Software\Microsoft\Internet Explorer\URLSearchHooks\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned with backup
HKU\S-1-5-21-3615762775-1256799619-874574627-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned with backup
C:\Program Files\MyWay\bar\4.bin\F3HTTPCT.DLL -> Downloader.IstBar : Cleaned with backup
C:\WINDOWS\enhtb.exe -> Trojan.Imiserv.c : Cleaned with backup


::Report End

(END)

I'm sorry it took a while. My computer is running at the same, slow speed. I think it might be all the things that open at the start, that make the boot-up take forever. I don't know? Thank you very much for the help so far and I will wait for further steps!

Thanks again! :whistling:

#9 FunkyMunkey

  • Group: Member
  • Posts: 15
  • Joined: 28-May 06

Posted 29 May 2006 - 12:29 PM

I forgot to tell you that I couldn't find most of these files & folders that you had me delete while in safe mode:

C:\WINDOWS\dinst.exe
c:\windows\system32\ezkrpbpx.exe

C:\Program Files\Accoona
C:\PROGRA~1\MyWay


For C:\WINDOWS\dinst.exe:

I couldn't find it, so I checked the "show hidden files and folders" box in tools/folderoptions/view. It still wasn't there. I searched for it in "my computer" and still nothing.

For c:\windows\system32\ezkrpbpx.exe:

I can't even find the 'system 32' folder in C:\WINDOWS. At all. I even searched for 'system32' and 'system 32' in my computer. I also searched for 'ezkrpbpx' and nothing. But, when I was searching and when I scan for viruses, I can see it scanning a 'c:\windows\system32' folder, yet I cant acess it. I had the "show hidden files and folders" box still checked, too.

For C:\Program Files\Accoona:

There's no 'accoona' folder in my program files. I searched for it in 'my computer' and no results.

For C:\PROGRA~1\MyWay:

I don't even have a 'PROGRA~1' folder in my C drive. I searched and it found a "My Way" folder in my 'C:\program files' so I deleted it . It seems like the 'PROGRA~1' folder is just like my system 32 folder, where I can see it searching and scanning through it, but I can't find it. :whistling:

(NOTE: I had the "show hidden files and folders" option in tools\folderoptions\view checked for all of these.)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

It was late so I'm sorry I fogot to put this, if it is important. My computer's performance is still slow, as well. I will wait for more instructions. I really appreciate the help so far. Seriously :blink: :help: :)

#10 Noviciate

  • Group: Malware Removal
  • Posts: 1,563
  • Joined: 24-April 06

Posted 29 May 2006 - 01:02 PM

You do have a goodly collection of stuff running at startup which may be an issue.
The following steps will serve as a spring clean for your PC. Not all of them will be of benefit to your PC as this is a general post, but the overall effect should be positive.

1) Go to Start > Control Panel > Add/Remove Programs and remove any programs that you no longer use and then reboot your PC.

2) Download ATF Cleaner by Atribune from here and save it to your Desktop.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    *Prefetch
    Java Cache

The rest are optional - if you want to remove the lot, check "Select All".
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please Note: This program is for Windows XP and Windows 2000 only.

* The purpose of Prefetch is to increase the speed at which you can access the programs that you use on your PC. Unfortunately, Windows doesn't differentiate between a program you use every day and one you use every blue moon, which means that it may be prefetching a lot of stuff that you rarely use, adding to your startup time.
You may find the first time you boot up after cleaning out this folder, that your PC takes longer to get into gear - the second, and subsequent, boots should be quicker.

3) Double click My Computer.
Right click the disc drive you wish to check.
Click Properties.
In the Properties dialog box, click the Tools Tab.
Under Error-checking, click the Check Now button.
In the "Check Disc Local Disk (C:)" dialog box, check both Automatically fix file system errors and Scan for and attempt recovery of bad sectors, and then click Start.

This will look for and attempt to repair any errors that your hard drive has.

4) Go to Start > Run, enter sfc /scannow ( note the space between the "c" and "/" ) and click on OK.

This will look for and attempt to replace any corrupt system files that can be found. There are backups of some of these files on your PC and Windows will check for a copy here first. If you are prompted to insert your Windows XP disc, do so. If you don't have this disc and are asked for it, you will have to cancel at this point.

For details on the System File Checker, click here.

5) Defragment your hard drive. A tutorial for disc defragmentation is available here.

6) Download and run StartUp Inspector.
This program will help you to decide exactly what programs you disable from running at startup.
The Readme.txt file included has instructions on how to use it.

-----------------------------------------------------------------------------------------------------------------------------

When you worked your way through the above, do the following:

Run the following scan: Kaspersky Online Scanner.
When you see "Please select a target to scan", click on "My Computer".
When the scan has completed and the results are displayed, click on the Save as text button and save the report with an appropriate name to your Desktop.
Copy and paste this report into your next reply along with a new HJT log AND a description of how your PC is running.

** Please note **
a) I.E. is required to run this scan.
b) You will need to remain online for the duration of the scan.

-----------------------------------------------------------------------------------------------------------------------------

Don't worry about the missing files, it just means that something cleaned them up before you got there.
I'm working on the system32 folder issue and i'll get back to you when i've got an answer.

#11 FunkyMunkey

  • Group: Member
  • Posts: 15
  • Joined: 28-May 06

Posted 29 May 2006 - 09:53 PM

I completed all the instructions. The start-up Inpsector helped a tiny bit and I unchecked a lot of stuff, but I believe the main thing causing my comp to take forever to boot is Norton Anti-Virus. This quickscan at autoboot is what takes forever. I researched it and cannot find a way to make it so it DOESN'T do a quickscan at boot. Apparently, it runs through a 'DoScan.exe' file. I looked through all the options and troubleshootings and faqs in norton on how to uncheck this option and nothing. Not even anything on google. I think if I can get it to stop scanning at boot-up, it will go MUCH MUCH MUCH faster.

Overall, my comp seems to running maybe 10% faster. Kaspersky still found a bunch of stuff.

Kaspersky report:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, May 29, 2006 8:48:11 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 30/05/2006
Kaspersky Anti-Virus database records: 185270
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 52270
Number of viruses found: 17
Number of infected objects: 41
Number of suspicious objects: 2
Duration of the scan process: 01:19:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\04B874C7.exe Infected: Trojan-Downloader.Win32.Intexp.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0A543F17.exe Infected: Worm.Win32.VB.an skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AB62AAB.dll Infected: Trojan-Downloader.Win32.Keenval.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0AB954A7.exe Infected: Trojan-Downloader.Win32.Intexp.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0ADA7883.exe Infected: Trojan-Downloader.Win32.Stubby.c skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B221434.tmp/ Infected: Trojan-Downloader.Win32.Agent.ae skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B221434.tmp MS Expand: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B221434.tmp Cexe: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B221434.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B35101F.exe Infected: Trojan-Downloader.Win32.Dyfuca.cy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B3C6418.exe Infected: Trojan-Downloader.Win32.Dyfuca.da skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B3F0E14.exe Infected: Trojan-Downloader.Win32.Agent.ae skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B46620D.tmp Infected: Trojan-Downloader.Win32.Intexp.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B490C09.tmp Infected: Trojan-Downloader.Win32.Keenval.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B5D07F4.tmp Infected: Trojan-Clicker.Win32.Delf.r skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B635BEC.tmp/ Infected: Trojan-Downloader.Win32.Agent.ae skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B635BEC.tmp MS Expand: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B635BEC.tmp Cexe: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B635BEC.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B6D59E2.tmp/data0002 Infected: Trojan-Downloader.Win32.Keenval.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B6D59E2.tmp/data0003 Infected: Trojan-Downloader.Win32.Keenval.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B6D59E2.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B6D59E2.tmp CryptFF: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B9127BA.tmp/data0002 Infected: Trojan-Downloader.Win32.Keenval.k skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B9127BA.tmp/data0003 Infected: Trojan-Downloader.Win32.Keenval.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B9127BA.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0B9127BA.tmp CryptFF: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0BAB779D.exe Infected: Trojan-Dropper.Win32.Delf.z skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\0EA970C4.exe Infected: Trojan.Win32.Agent.ay skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1A4014A6.tmp Infected: Trojan-Downloader.Win32.Dyfuca.da skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\54B472D3.htm Infected: Trojan-Downloader.JS.Small.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60552BE0.dll Infected: Trojan-Downloader.Win32.Dyfuca.ew skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E5E3DDC.tmp Infected: Worm.Win32.VB.an skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E683BD1.exe Infected: Worm.Win32.VB.an skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E683BD1.tmp Infected: Worm.Win32.VB.an skipped
C:\Documents and Settings\Julie Martin\Local Settings\Application Data\Microsoft\MSN\db\windwizard777-msn-com.459/[From ealif <ealif@xesre.r>][Date Wed, 25 Jun 2003 14:10:17 -0500]/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Julie Martin\Local Settings\Application Data\Microsoft\MSN\db\windwizard777-msn-com.459 Mail: suspicious - 1 skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1646\A0179727.exe/SETUP_POWERSEARCH.EXE/data0007 Infected: Trojan-Downloader.Win32.Keenval.n skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1646\A0179727.exe/SETUP_POWERSEARCH.EXE Infected: Trojan-Downloader.Win32.Keenval.n skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1646\A0179727.exe ZIP: infected - 2 skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1646\A0179729.exe/SETUP_POWERSEARCH.EXE/data0007 Infected: Trojan-Downloader.Win32.Keenval.n skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1646\A0179729.exe/SETUP_POWERSEARCH.EXE Infected: Trojan-Downloader.Win32.Keenval.n skipped
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1646\A0179729.exe ZIP: infected - 2 skipped

Scan process completed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 8:52:45 PM, on 5/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Documents and Settings\Julie Martin\My Documents\Desktop\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O1 - Hosts: 64.12.152.18 search.netscape.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Julie Martin\My Documents\Desktop\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Thank you so far! *waits* :whistling:

#12 Noviciate

  • Group: Malware Removal
  • Posts: 1,563
  • Joined: 24-April 06

Posted 30 May 2006 - 02:40 PM

1) C:\PROGRA~1 and C:\Program Files are the same folder. The "~1" is shorthand for "m Files".

2) To make the c:\windows\system32 folder visable, try the following:
Go to Start > Run, copy and paste attrib -h -s c:\windows\system32 into the text box and hit OK.
Let me know if this works.

3) Most of the Kaspersky finds are held in Norton's Quarantine so they are out of harm's way.
The C:\System Volume Information files are actually System Restore points and will only affect your PC if you run System Restore and choose one of the infected Restore Points.
Once we tidy up the loose ends, you can flush System Restore and they will be dealt with.

This file: C:\Documents and Settings\Julie Martin\Local Settings\Application Data\Microsoft\MSN\db\windwizard777-msn-com.459 can be manually deleted.

4) To stop Norton scanning at startup, try the following (Your version may be a little different to this but i'm sure you'll get there):
  • Open Norton Anti-Virus.
  • Click Scan for Viruses.
  • Click Scan my computer.
  • Click the icon under Task Schedule.
  • You should see the Schedule Task option which you can change to suit your needs.
Let me know how you get on with this as well.

#13 FunkyMunkey

  • Group: Member
  • Posts: 15
  • Joined: 28-May 06

Posted 30 May 2006 - 05:25 PM

1.) Got it :blink: .

2.) That worked! I don't see the 'ezkrpbpx,exe' file in the system 32 folder though.

3.) Alright. Found file and it was deleted.

4.) There's no option. I'm almost positive I have Norton Anti-Virus 10.0.0, and I've looked and it says the option isn't availible for that version, only 10.0.1. I don't know how to upgrade (since it was purchased), so I don't know how to do it. This link explains:

http://service1.symantec.com/SUPPORT/ent-s...m=1&om_out=prod

It says I can import some registry files I think, but I don't know how to do that, or where to put them. :whistling: Is that what I should do?

Also, two processes that I cancel using Start-up Inspector, keep coming back and checking themselves automatically.

-The ccApp file (which I've read is the auto-scan thing by Norton) is one. Located C:\Program Files\Common Files\Symantec Shared\ccApp.exe. Usage is 1.3MB at start-up. Peak mem usage is 30.2 MB!

-The other is NvCplDaemon. Located at C:\WINDOWS\System32\NvCpl.dll. 'Params' are 'NvStartup'.

I don't know what to do but I really want that Norton scan thing (doscan.exe or ccApp or whatever) to quit owning my memory at start-up. It seriously almost freezes my comp during boot-up. I don't know what the other one (NvCplDaemon) is. Start-up Inspector says neither are required...

Thank you Noviciate!

#14 FunkyMunkey

  • Group: Member
  • Posts: 15
  • Joined: 28-May 06

Posted 30 May 2006 - 05:36 PM

(please read previous post too!)

It seems 'ccApp.exe' belongs to Norton Anti-Virus and runs Auto-Protect and email checking facitlities. Auto-protect is alright, but the quickscan at start-up isn't.

Here:

http://www.neuber.co.../ccapp.exe.html

A lot of complaints there about very large memory usage and slow start-ups and shut-downs, just like me. I really would like to disable this.

I think until I import those .reg files (in previous post), doscan.exe is part-of ccApp.exe. At least in my NAV version 10.0.0.

I'll keep trying to do disable it, but I know you have other stuff for me to do. This is kinda a last priority. I want to make sure my comp is clean and fast before this. Just saying this info might shine a little light on the slow start-up and shutdown issue :whistling: .

Thank you. I really appreciate your help so far!

#15 Noviciate

  • Group: Malware Removal
  • Posts: 1,563
  • Joined: 24-April 06

Posted 31 May 2006 - 02:03 PM

In no particular order:

1) The missing file just means that one of your scans beat you to it.

2) I'd leave Norton's Auto-Protect alone as well.
Unfortunately Norton has something of a reputation for being a resource hog but if it's keeping your PC clean, maybe worth it.

3) The Norton info. was a good find! :whistling:
I don't have any experience of this particular fix but a registry import is easily done.

a) Download RemoveStartScan.reg from here and save it to your Desktop.
* If you use Firefox, right click the link and select Save Link As...

b) Before we continue, you will need to make a back-up of the registry. This is standard procedure before carrying out any alterations to it.
Go to Start > Run, enter "regedit" (without the quotes) and click on OK.
Highlight My Computer by clicking on it and then go to File > Export...
Give the file an appropriate name, registry backup perhaps, leave the "Save As Type:" as it is and save it somewhere safe.
The Desktop is NOT a good idea as it's too close to the Recycle Bin for comfort!
This may take a moment or two so don't worry.

Should you have any unexpected problems after this fix, double click the registry backup.reg file and click on Yes in the confirmation window and all should be back how it was.

c) Make sure that Norton isn't in the middle of a scan (apparently important!) and then double click RemoveStartScan.reg and click Yes in the confirmation window.

That's the registry file imported.

Reboot your PC and check that Norton isn't running the startup scan and that otherwise it appears to be healthy. There shouldn't be any problems, but you really don't want to be reinstalling Norton at a later date so do make sure it's OK.

The registry backup will reset your registry to the point at which you created it so although it will undo the changes the import makes, the longer you leave it to reverse this action, the more things that could be undone by this step so don't leave it too long if you think there's a problem!

4) You can disable NvCplDaemon via msconfig and re-enable it again if there is a problem with it not running.
I would prefer to leave this step until you have got the Norton issue sorted so that any issues can be put down to the regfix and not anything else.

So to recap, run the regfix, reboot your PC a couple of times to make sure that all is well and maybe run a scan or two to be sure and then get back to me and we'll tidy this one up and you can be on your way.
Have fun! :blink:

Share this topic:


  • 2 Pages +
  • 1
  • 2