Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Under severe attack [Resolved]


  • This topic is locked This topic is locked

#16
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts

I wnet looking while in safe mode and see a whole host of these things zipped up and still on the machine. So the question is Do I ZAP them?

Are they all sitting in the same folder ? If so what is the name of it ?

Please disable your current AV
Click Here and run RAV online scan, Copy and paste back the log into this thread when it has finished,
Be sure and enable your AV when done with the above


If for some reason RAV doesn't run do another scan with Active please,

Please get back to me, and Thanks for sticking by me for this

You bet!

By the way are you in NY?
  • 0

Advertisements


#17
billyd

billyd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
Good Morning Don from Beantown,
Well yes I was born in NY many moons ago. The thing about those zip files. As an example. I find them when I go to search and type in "AvenueAInc" I will get back a group of lets say 100 zipped files. I ran search a few times and see they are probably in Spybot S&D. I went over there but do not see how you can empty Spybot. I also went back to AVG, could not find way to disable with out going to ADD/Remove, so I emptied the virus vault. With Ad-Aware it is easy to delete files from scans at least on the face of it. Then I ran Panda. Here is the log
Incident Status Location

Adware:Adware/nCase No disinfected C:\WINDOWS\msbb*
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/WildTangent No disinfected Windows Registry
Adware:Adware/SearchWWW No disinfected C:\WINDOWS\pss\Search.vbsCommon Startup
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\i
These remaining items Must be in Spybot ( I think) Well anyways Please let me know what you think.
Go Yankees? And Gracias Amigo :tazz:
Billyd
  • 0

#18
billyd

billyd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
Hi Don, ;)
I have not heard back from you? I am wondering what I need to do next? Any advise would be great.
Billyd :tazz:
  • 0

#19
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Sorry Billy, I skipped right over your reply yesterday :tazz:
Anywho,

Download Pocket Killbox from. Here Paste the full file path (C:\WINDOWS\smdat32m.sys) in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" and
Do the same for
C:\WINDOWS\pss\Search.vbs
C:\WINDOWS\msbb*

The * means there is some random numbers associated with this file,
Let us know how you make out


I would like for you to try a different online scan
Please disable your current AV
Click Here and run RAV online scan, Copy and paste back the log into this thread when it has finished,
Be sure and enable your AV when done with the above
  • 0

#20
billyd

billyd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
HI Don,

Well not to side track, but I need the how to on disabling AVG. virus so I can deactivate it. A by the way, I somehow got SIDESWIPPED this evening. I noticed a little glich. Like AIM popped open on my sdie of the computer. This is a program my daughter runs and not me. So I checked taskmanager and ther it was. I went to spybot disabled AIM in startup. Ran the usual scans AD-Aware, cwshreder, did HJT and saw a little viper on 23 taskmnger.exe( I checked last log and it was not there) I checked fix rebooted in safe and check and deleted file. But it is still there with the commnet file missing. I'am attaching log from Panda and new HJT log. While I get to work on the tasks at hand. Get back to me on the way to deactivate AVG. So I can try the other virus scan.
Thanks for your help. And I thought this dumb box was as clean as a hounds tooth?
Logfile of HijackThis v1.99.1
Scan saved at 9:29:15 PM, on 4/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Billy.CAMILA\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BB6D365-F41F-4271-83CF-2ABB9A0DA294}: NameServer = 204.255.24.254 204.255.24.251
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)

Incident Status Location

Adware:Adware/nCase No disinfected C:\WINDOWS\msbb*
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/WildTangent No disinfected Windows Registry
Adware:Adware/Minibug No disinfected C:\Program Files\AIM\Sysfiles\WxBug.EXE NEW
Adware:Adware/SearchWWW No disinfected C:\WINDOWS\pss\Search.vbsCommon Startup
Virus:Trj/Zapchast.S Disinfected C:\WINDOWS\system32\haxdrv.sys NEW
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32
\i
On the road to find out!
billyd :tazz:
  • 0

#21
billyd

billyd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
Hi Don,
I pulled down Killbox and had success with smdat32.sys. The other two had a different wrinkle. I got message "Pending file rename operation Registry data has been removed by external process!" The WRATHE OF KAN?
GOD and you might know what the external process is but I am without a clue?
Let me review what I've got on the machine now so we know the tools I have on the machine.
1. AVG. Free
2. Spybot S&D
3. Ad-Aware
4. CWshredder
5. CCleaner
6. Spywareblaster
7. Panda
8. BHODeamon
9. Killbox
10. ME and YOU :tazz:
Billyd
  • 0

#22
billyd

billyd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
I left off the list the flushing sound of #11 cleanup
Billyd :tazz:
  • 0

#23
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Just go ahead and run RAV,
But First
Please open HJT> Click on the Config button> Click >Misc. Tools > Click > Open Process manager> Highlight “taskbarmngr.exe “ >Click> Kill process>
Next click the scan button and put a check mark next to the following, close all open windows , Click “ Fix Checked”

O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)


Reboot to safe mode ( by tapping the F8 key on start up ) make sure you can view all hidden folders/files View Hidden Folders search for and delete the following in BOLD

C:\WINDOWS\taskbarmngr.exe

Restart your computer,

Now run the RAV scan, Post back what it finds

Restart HJT and post back a fresh log
  • 0

#24
billyd

billyd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
Hi Don, Good MORNING :)
I got started this morning. 1. went to HJT to kill taskbarmngr. but it is not running. Went back to safe mode anyway, did search all files found 0. I did download and run RAV. I am attaching both RAV,HJT, from this morning. BTW I have tried to find the pss and msbb* VIPERS to no avail? I see RAV has 2 items. AVG ran autoscan this morning and found NO VIRUSES? HJT still has the #23 last item there. It does not want to be fixed from HJT, I tried a couple of times with no success! ;)
Maybe we can get this box in shape in time for Baseball season opener?
Thanks and I look foward to your comments.
Billyd ;)
Scan started at 4/2/2005 8:16:23 AM

Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINDOWS\Configureatee.exe - Backdoor:Win32/Rbot.CF -> Infected
C:\WINDOWS\pss\Search.vbsCommon Startup - VBS/Krepper.A* -> Infected

Scanned
============================
Objects: 68081
Directories: 5129
Archives: 19658
Size(Kb): 79914
Infected files: 2

Found
============================
Viruses found: 2
Suspicious files: 0
Disinfected files: 0
Mail files: 470
Logfile of HijackThis v1.99.1
Scan saved at 9:50:06 AM, on 4/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Billy.CAMILA\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BB6D365-F41F-4271-83CF-2ABB9A0DA294}: NameServer = 204.255.24.254 204.255.24.251
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)

:tazz:
  • 0

#25
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Billy,

Download and run Service Filter:[list]
[list]
[*]Please download ServiceFilter.
[*]Unzip ServiceFilter.zip to a convenient folder like C:\ServiceFilter.
[*]Navigate to where you unzipped it and double-click on ServiceFilter.vbs.
[*]If you have an active anti-virus it might prevent the script from starting. Please allow the script to run.
[*]It will open a text file (POST_THIS.TXT) that lists all of the irregular services.
[*]Press Ctrl + A simultaneously to select all of the text.
[*]Copy and paste the whole thing into your next post.
[*]A copy of POST_THIS.TXT is saved to where ServiceFilter.vbs was saved just in case you accidentally close out of it.
  • 0

Advertisements


#26
billyd

billyd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
Hi Don,
Well that was easy I see there are 2 besides taskbarmngr. I wait for your next step.
Thank you,
Billyd :tazz:
The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Apr 2, 2005 9:24:26 PM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: omniserv
Display Name: Softex OmniPass Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\softex\omnipass\omniserv.exe
State: Running
Process ID: 1212
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{dbc49d1f-ce2a-4f95-823a-14394866c90f}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

Unknown Service # 3
Service Name: wtaskbarmngr
Display Name: Windows Taskbar Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Moniters Windows Services And ...
Service Type: Own Process
Path: "c:\windows\taskbarmngr.exe"
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 81 Win32 services on this machine.
3 were unrecognized.

Script Execution Time: 1 seconds.
  • 0

#27
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
  • Open HijackThis.
  • Click the Config button.
  • Click the Misc Tools button.
  • Select Delete an NT service.
  • Copy and paste the following into the box:
    [taskbarmngr.exe]
  • Click Ok.
Reboot post back a fresh log please
  • 0

#28
billyd

billyd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
Hi Don,
Tried but not go! message not fond in registry, make sure you typed in correct short name. I pasted right from your post! :tazz:
Billy
  • 0

#29
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
This can be a bugger!

Prepare cwsserviceremove.reg for use:Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.

Remove the offending service's registry keys:
  • Double-click the cwsserviceremove.reg file you downloaded at the beginning.
  • Answer Yes when prompted to add the contents to the registry.
Then, reboot (in the normal mode) and post a new HJT log in this thread.
  • 0

#30
billyd

billyd

    Member

  • Topic Starter
  • Member
  • PipPip
  • 63 posts
Donny, its the viper from h***!! The new HJT log, still has the VIPER
Logfile of HijackThis v1.99.1
Scan saved at 10:32:27 PM, on 4/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\igfxtray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Documents and Settings\Billy.CAMILA\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nytimes.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "c:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Windows Taskbar Manager (wtaskbarmngr) - Unknown owner - C:\WINDOWS\taskbarmngr.exe (file missing)
Your from Boston? Thats why you have the patience of a saint. :tazz:
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP