Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Multiple problems, malware/trojans/virus Oh my!

Started by pwt5 , Oct 14 2006 08:04 AM

  • This topic is locked This topic is locked

#16
pwt5
Posted 02 November 2006 - 08:20 PM

pwt5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
remaining report . . . .

C:\WINNT\SYSTEM32\DESK.CPL - (Microsoft Corporation [Ver = 5.00.2195.6601 | Size = 237328 bytes | Date = 06/19/2003 13:05 | Attr = ])
C:\WINNT\SYSTEM32\fax.cpl - (Microsoft Corporation [Ver = 5.00.2134.1 | Size = 31504 bytes | Date = 05/08/2001 06:00 | Attr = ])
C:\WINNT\SYSTEM32\hdwwiz.cpl - (Microsoft Corporation [Ver = 5.00.2134.1 | Size = 128272 bytes | Date = 05/08/2001 06:00 | Attr = ])
C:\WINNT\SYSTEM32\inetcpl.cpl - (Microsoft Corporation [Ver = 6.00.2600.0000 | Size = 294912 bytes | Date = 08/17/2001 22:43 | Attr = ])
C:\WINNT\SYSTEM32\intl.cpl - (Microsoft Corporation [Ver = 5.00.2134.1 | Size = 118032 bytes | Date = 05/08/2001 06:00 | Attr = ])
C:\WINNT\SYSTEM32\irprops.cpl - (Microsoft Corporation [Ver = 5.00.2167.1 | Size = 36112 bytes | Date = 05/08/2001 06:00 | Attr = ])
C:\WINNT\SYSTEM32\joy.cpl - (Microsoft Corporation [Ver = 5.1.2258.400 built by: Lab06_N(mmbuild) | Size = 327680 bytes | Date = 11/07/2000 15:16 | Attr = ])
C:\WINNT\SYSTEM32\jpicpl32.cpl - (Sun Microsystems, Inc. [Ver = 5.0.60.5 | Size = 49265 bytes | Date = 11/10/2005 12:03 | Attr = ])
C:\WINNT\SYSTEM32\main.cpl - (Microsoft Corporation [Ver = 5.00.2134.1 | Size = 122128 bytes | Date = 05/08/2001 06:00 | Attr = ])
C:\WINNT\SYSTEM32\mmsys.cpl - (Microsoft Corporation [Ver = 5.00.2161.1 | Size = 303888 bytes | Date = 05/08/2001 06:00 | Attr = ])
C:\WINNT\SYSTEM32\ncpa.cpl - (Microsoft Corporation [Ver = 5.00.2176.1 | Size = 17168 bytes | Date = 05/08/2001 06:00 | Attr = ])
C:\WINNT\SYSTEM32\nwc.cpl - (Microsoft Corporation [Ver = 5.00.2134.1 | Size = 41232 bytes | Date = 05/08/2001 06:00 | Attr = ])
C:\WINNT\SYSTEM32\odbccp32.cpl - (Microsoft Corporation [Ver = 3.520.6200.0 | Size = 41232 bytes | Date = 06/19/2003 13:05 | Attr = ])
C:\WINNT\SYSTEM32\powercfg.cpl - (Microsoft Corporation [Ver = 5.00.3502.6601 | Size = 90896 bytes | Date = 06/19/2003 13:05 | Attr = ])
C:\WINNT\SYSTEM32\prefscpl.cpl - (RealNetworks, Inc. [Ver = 6.0.9.573 | Size = 24576 bytes | Date = 11/25/2004 18:28 | Attr = ])
C:\WINNT\SYSTEM32\QuickTime.cpl - (Apple Computer, Inc. [Ver = 6.5 | Size = 323072 bytes | Date = 01/06/2004 16:02 | Attr = ])
C:\WINNT\SYSTEM32\sticpl.cpl - (Microsoft Corporation [Ver = 5.00.2195.6656 | Size = 83216 bytes | Date = 06/19/2003 13:05 | Attr = ])
C:\WINNT\SYSTEM32\SYSDM.CPL - (Microsoft Corporation [Ver = 5.00.2195.6601 | Size = 125712 bytes | Date = 06/19/2003 13:05 | Attr = ])
C:\WINNT\SYSTEM32\telephon.cpl - (Microsoft Corporation [Ver = 5.00.2143.1 | Size = 5904 bytes | Date = 05/08/2001 06:00 | Attr = ])
C:\WINNT\SYSTEM32\timedate.cpl - (Microsoft Corporation [Ver = 5.00.2137.1 | Size = 61200 bytes | Date = 05/08/2001 06:00 | Attr = ])
C:\WINNT\SYSTEM32\wuaucpl.cpl - (Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) | Size = 174360 bytes | Date = 05/26/2005 03:16 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl - (Microsoft Corporation [Ver = 6.00.2600.0000 | Size = 294912 bytes | Date = 08/17/2001 22:43 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\msmq.cpl - (Microsoft Corporation [Ver = 5.00.0748 | Size = 64784 bytes | Date = 01/12/2005 13:40 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl - (IBM Corporation [Ver = 2.60.35.0 | Size = 94208 bytes | Date = 09/23/1999 18:44 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\nwc.cpl - (Microsoft Corporation [Ver = 5.00.2134.1 | Size = 41232 bytes | Date = 05/08/2001 06:00 | Attr = ])
C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl - (Microsoft Corporation [Ver = 5.8.0.2469 built by: lab01_n(wmbla) | Size = 174360 bytes | Date = 05/26/2005 03:16 | Attr = ])

Auto-Start Folders

HKLM->Explorer\Shell Folders\\Common Startup = C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc. [Ver = 1, 0, 0, 1 | Size = 113664 bytes | Date = 11/04/1999 14:06 | Attr = ])
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\EPSON CardMonitor.lnk - C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe (SEIKO EPSON CORPORATION [Ver = 1.1.0.8 | Size = 258048 bytes | Date = 07/25/2003 01:00 | Attr = ])
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation [Ver = 10.0.2609 | Size = 83360 bytes | Date = 02/13/2001 01:01 | Attr = ])

HKLM->Explorer\User Shell Folders\\Common Startup = %ALLUSERSPROFILE%\Start Menu\Programs\Startup

HKLM->Explorer\Shell Folders\\Startup = C:\Documents and Settings\Lawrence Luecke\Start Menu\Programs\Startup

HKCU->Explorer\User Shell Folders\\Startup = %USERPROFILE%\Start Menu\Programs\Startup

Miscellaneous Auto-Start Files
System.ini->[Boot]\\Shell - explorer.exe
Wininit.ini: Line 1 - [RENAME]
Wininit.ini: Line 2 - NUL=C:\DOCUME~1\LAWREN~1\LOCALS~1\Temp\nstmp\uninstall.exe
Wininit.ini: Line 3 - NUL=C:\DOCUME~1\LAWREN~1\LOCALS~1\Temp\nstmp\uninstall.ini
Wininit.ini: Line 4 - NUL=C:\DOCUME~1\LAWREN~1\LOCALS~1\Temp\nstmp
Config.nt: Line 54 - dos=high, umb
Config.nt: Line 55 - device=%SystemRoot%\system32\himem.sys
Config.nt: Line 56 - files=40
AutoExec.nt: Line 1 - @echo off
AutoExec.nt: Line 8 - lh %SystemRoot%\system32\mscdexnt.exe
AutoExec.nt: Line 11 - lh %SystemRoot%\system32\redir
AutoExec.nt: Line 14 - lh %SystemRoot%\system32\dosx

Miscellaneous Folders

AllUsers ApplicationData Folder

CurrentUser ApplicationData Folder

Program Files Folder
C:\Program Files\desktop.ini - ( [Ver = | Size = 271 bytes | Date = 01/27/2003 13:13 | Attr = H ])
C:\Program Files\folder.htt - ( [Ver = | Size = 21952 bytes | Date = 01/27/2003 13:13 | Attr = H ])

Common Files Folder
C:\Program Files\Common Files\tppupd2k.dll - (In-System Design, Inc. [Ver = 5.04.1150.0 | Size = 21866 bytes | Date = 10/05/2001 12:53 | Attr = ])

DPF files
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - CKAVWebScan Object - CodeBase = http://www.kaspersky...can_unicode.cab
{215B8138-A3CF-44C5-803F-8226143CFC0A} - Trend Micro ActiveX Scan Agent 6.5 - CodeBase = http://housecall65.t...ivex/hcImpl.cab
{33564D57-0000-0010-8000-00AA00389B71} - - CodeBase = http://download.micr...922/wmv9VCM.CAB
{6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - MUWebControl Class - CodeBase = http://update.micros...b?1143225708926
{8AD9C840-044E-11D1-B3E9-00805F499D93} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - ActiveScan Installer Class - CodeBase = http://acs.pandasoft...free/asinst.cab
{9F1C11AA-197B-4942-BA54-47A8489BB47F} - - CodeBase = http://v4.windowsupd...AB?37850.515625
{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - Java Plug-in 1.5.0_06 - CodeBase = http://java.sun.com/...indows-i586.cab
{D27CDB6E-AE6D-11CF-96B8-444553540000} - Shockwave Flash Object - CodeBase = http://fpdownload.ma...ash/swflash.cab
{F00F4763-7355-4725-82F7-0DA94A256D46} - IMDownloader Class - CodeBase = http://www2.incredim...er/imloader.cab
DirectAnimation Java Classes - - CodeBase = file://C:\WINNT\Java\classes\dajava.cab
Microsoft XML Parser for Java - - CodeBase = file://C:\WINNT\Java\classes\xmldso.cab

Hosts file = 0 bytes. Reading all entries. C:\WINNT\System32\drivers\etc\Hosts

< Add On's >

>>>>Output for AddOn file HKCU_IEDesktop.def<<<<

KEY - HKCU\Software\Microsoft\Internet Explorer\Desktop - Include SUBKEYS
HKCU\Software\Microsoft\Internet Explorer\Desktop -
Desktop\Components -
Desktop\Components\\DeskHtmlVersion - 272
Desktop\Components\\DeskHtmlMinorVersion - 3
Desktop\Components\\Settings - 1
Desktop\Components\\GeneralFlags - 1
Desktop\Components\0 -
Desktop\Components\0\\Source - About:Home
Desktop\Components\0\\SubscribedURL - About:Home
Desktop\Components\0\\FriendlyName - My Current Home Page
Desktop\Components\0\\Flags - 2
Desktop\Components\0\\Position - 2C 00 00 00 A0 00 00 00 00 00 00 00 80 02 00 00 3C 02 00 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
Desktop\Components\0\\CurrentState - 1073741828
Desktop\Components\0\\OriginalStateInfo - 18 00 00 00 FF FF 00 00 FF FF 00 00 FF FF FF FF FF FF FF FF 04 00 00 00
Desktop\Components\0\\RestoredStateInfo - 18 00 00 00 10 03 00 00 1F 00 00 00 E0 00 00 00 D6 00 00 00 01 00 00 00
Desktop\General -
Desktop\General\\WallpaperFileTime - 00 00 00 00 00 00 00 00
Desktop\General\\WallpaperLocalFileTime - 00 90 65 B5 CD FF FF FF
Desktop\General\\ComponentsPositioned - 1
Desktop\General\\TileWallpaper - 0
Desktop\General\\WallpaperStyle - 2
Desktop\General\\Wallpaper -
Desktop\General\\BackupWallpaper -
Desktop\Old WorkAreas -
Desktop\Old WorkAreas\\NoOfOldWorkAreas - 1
Desktop\Old WorkAreas\\OldWorkAreaRects - 00 00 00 00 00 00 00 00 00 04 00 00 E4 02 00 00
Desktop\SafeMode -
Desktop\SafeMode\Components -
Desktop\SafeMode\Components\\DeskHtmlVersion - 272
Desktop\SafeMode\Components\\DeskHtmlMinorVersion - 3
Desktop\SafeMode\Components\\Settings - 1
Desktop\SafeMode\Components\\GeneralFlags - 0
Desktop\SafeMode\General -
Desktop\SafeMode\General\\Wallpaper - %SystemRoot%\Web\SafeMode.htt
Desktop\SafeMode\General\\VisitGallery - 0
Desktop\Scheme -
Desktop\Scheme\\Edit -
Desktop\Scheme\\Display - SafeMode

>>>>Output for AddOn file Policies.def<<<<

KEY - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\ActiveDesktop -
policies\ActiveDesktop\AdminComponent -
policies\explorer -
policies\explorer\run -
policies\NonEnum -
policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} - 1
policies\Ratings -
policies\system -
policies\system\\dontdisplaylastusername - 0
policies\system\\legalnoticecaption -
policies\system\\legalnoticetext -
policies\system\\shutdownwithoutlogon - 1

KEY - HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer - Include SUBKEYS
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer not found. -

KEY - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies - Include SUBKEYS
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies -
policies\Associations -
policies\Explorer -
policies\Explorer\\NoDriveTypeAutoRun - 149
policies\Explorer\Run -
policies\System -
policies\System\\DisableRegistryTools - 0

KEY - HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer - Include SUBKEYS
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer -
Internet Explorer\Control Panel -
Internet Explorer\Control Panel\\Connwiz Admin Lock - 0

>>>>Output for AddOn file SID_Run_Policies.def<<<<

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run -
Run\\Ms Update WinServices NT/XP - winservnt32.exe
Run\\Ms Java for Windows NT - mguard.exe
Run\\ziiw - C:\PROGRA~1\COMMON~1\ziiw\ziiwm.exe
Run\\xqnyq - C:\WINNT\system32\cddgpq.exe reg_run

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run - No SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run not found. -

KEY - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies -
Policies\Explorer -
Policies\Explorer\\NoDriveTypeAutoRun - 149

KEY - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies - Include SUBKEYS
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies not found. -

< End of report >
  • 0

Advertisements

#17
Octagonal
Posted 03 November 2006 - 06:04 AM

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi pwt5

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINNT\system32\setup_73522.exe
%WINDIR%\SYSTEM32\winservnt32.exe
%FAVORITES%\SYSTEM32\mguard.exe
C:\WINNT\system32\cddgpq.exe
C:\WINNT\tpwkjqa.exe
C:\WINNT\SYSTEM32\Libparse.exe
C:\WINNT\SYSTEM32\MSupdate.exe
C:\WINNT\system32\config\msconfig\taskmgr.exe
%PROFILES%\ADMINISTRATOR\NOOBO.EXE
C:\WINNT\SYSTEM32\xsys.dll
C:\WINNT\system32\fgiii.ini

Folders to Delete:
C:\PROGRA~1\COMMON~1\ziiw

Registry values to delete:
HKEY_USERS\.default\software\microsoft\windows\currentversion\run | Ms Update WinServices NT/XP
HKEY_USERS\.default\software\microsoft\windows\currentversion\run | Ms Java for Windows NT
HKEY_USERS\.default\software\microsoft\windows\currentversion\run | ziiw
HKEY_USERS\.default\software\microsoft\windows\currentversion\run | xqnyq


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply and let me know how your computer is now running.

Thanks.
  • 0

#18
pwt5
Posted 03 November 2006 - 07:50 PM

pwt5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
computer performance seems to be fairly decent at this point. . . .MS Word seems to take a bit to open, but other microsoft office applications seem to open fairly quick. Performance is quicker than it has been. I think some of the slowness has to do with all the programs that run on start-up of the machine, which I can change after computer is fixed. . .below are my avenger and HJT reports. . . .Thanks for your help as always


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gblnyegb

*******************

Script file located at: \??\C:\Program Files\arkadrck.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\setup_73522.exe deleted successfully.


File C:\WINNT\SYSTEM32\winservnt32.exe not found!
Deletion of file C:\WINNT\SYSTEM32\winservnt32.exe failed!

Could not process line:
C:\WINNT\SYSTEM32\winservnt32.exe
Status: 0xc0000034



Could not open file %FAVORITES%\SYSTEM32\mguard.exe for deletion
Deletion of file %FAVORITES%\SYSTEM32\mguard.exe failed!

Could not process line:
%FAVORITES%\SYSTEM32\mguard.exe
Status: 0xc000003a



File C:\WINNT\system32\cddgpq.exe not found!
Deletion of file C:\WINNT\system32\cddgpq.exe failed!

Could not process line:
C:\WINNT\system32\cddgpq.exe
Status: 0xc0000034

File C:\WINNT\tpwkjqa.exe deleted successfully.
File C:\WINNT\SYSTEM32\Libparse.exe deleted successfully.


File C:\WINNT\SYSTEM32\MSupdate.exe not found!
Deletion of file C:\WINNT\SYSTEM32\MSupdate.exe failed!

Could not process line:
C:\WINNT\SYSTEM32\MSupdate.exe
Status: 0xc0000034



File C:\WINNT\system32\config\msconfig\taskmgr.exe not found!
Deletion of file C:\WINNT\system32\config\msconfig\taskmgr.exe failed!

Could not process line:
C:\WINNT\system32\config\msconfig\taskmgr.exe
Status: 0xc0000034



Could not open file %PROFILES%\ADMINISTRATOR\NOOBO.EXE for deletion
Deletion of file %PROFILES%\ADMINISTRATOR\NOOBO.EXE failed!

Could not process line:
%PROFILES%\ADMINISTRATOR\NOOBO.EXE
Status: 0xc000003a

File C:\WINNT\SYSTEM32\xsys.dll deleted successfully.
File C:\WINNT\system32\fgiii.ini deleted successfully.


Folder C:\PROGRA~1\COMMON~1\ziiw not found!
Deletion of folder C:\PROGRA~1\COMMON~1\ziiw failed!

Could not process line:
C:\PROGRA~1\COMMON~1\ziiw
Status: 0xc0000034

Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\run|Ms Update WinServices NT/XP deleted successfully.
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\run|Ms Java for Windows NT deleted successfully.
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\run|ziiw deleted successfully.
Registry value HKEY_USERS\.default\software\microsoft\windows\currentversion\run|xqnyq deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Logfile of HijackThis v1.99.1
Scan saved at 7:45:24 PM, on 11/3/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\TPPALDR.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
C:\WINNT\system32\notepad.exe
C:\HJT\Analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.n...a...&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON PictureMate] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB001" /M "PictureMate"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=east&bw=dialin&cd=4.0&bm=ho_home
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143225708926
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\MSupdate.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Task Manager Help (TskHlp) - Unknown owner - C:\WINNT\system32\config\msconfig\taskmgr.exe (file missing)
  • 0

#19
Octagonal
Posted 04 November 2006 - 12:21 AM

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi pwt5,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

The O4 entry is not bad, just a resource hog. Removing it will aid in speeding up your system.

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present << Only if you didn't set this in Internet Explorer
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\MSupdate.exe (file missing)
O23 - Service: Task Manager Help (TskHlp) - Unknown owner - C:\WINNT\system32\config\msconfig\taskmgr.exe

Now close all windows other than HiJackThis (including any browser windows), then click Fix Checked.

Boot into Safe Mode: You can do this by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\PROGRAM FILES\COMMON FILES\ziiw

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINNT\system32\mguard.exe

Reboot the computer.

Please download FileFind from Atribune.
Unzip the file and save it to your desktop.

To run FileFind, please do the following:
  • Click on FileFind.exe
  • In the box labeled "Directory"
    • Enter Drive eg.. C:\
  • In the box labeled "File"
    • NOOBO.EXE
  • Now click on the "Search" button
  • Once the utility has found the files click on "Export"
  • A Notepad will open up. Please copy the entire contents of the Notepad and paste them here.
  • NOTE: The notepad is saved on your C:\ drive as "Export.txt"
Include the contents of Export.txt together with a fresh HijackThis log in your next reply. Alaso let me know how your computer is behaving and whether you wish me to take a look at your startup list.

Thanks.
  • 0

#20
pwt5
Posted 04 November 2006 - 09:48 AM

pwt5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Neither files were present that you had me look for on the C:\ drive. . .

Nothing showed up on the Export.txt report. . .no NOOBO.exe files were found. . .

it still takes long time to start-up computer -- longer than it should. If you wouldn't mind, i don't believe it would hurt to take a look at my start-up processes.

Outside of slow start-up, the computer seems to be performing fairly well.

updated HJT

Logfile of HijackThis v1.99.1
Scan saved at 9:44:23 AM, on 11/4/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\TPPALDR.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\HJT\Analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.n...a...&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON PictureMate] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB001" /M "PictureMate"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=east&bw=dialin&cd=4.0&bm=ho_home
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143225708926
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Unknown owner - C:\WINNT\system32\MSupdate.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Task Manager Help (TskHlp) - Unknown owner - C:\WINNT\system32\config\msconfig\taskmgr.exe (file missing)
  • 0

#21
Octagonal
Posted 05 November 2006 - 08:06 AM

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi pwt5,

Create a Startup List
  • Open HiJackThis
  • Click on the "Config..." button on the bottom right
  • Click on the tab "Misc Tools"
  • Check off the 2 boxes next to the Box that says "Generate StartupList log"
  • Click on the button "Generate StartupList log"
  • Copy and past the StartupList from the notepad into your next post.
There are a couple of services still there in your HJT log. I need you to change the "permissions" for these, so that they can be deleted.

Are you comfortable with following some instructions and making some manual changes to the Registry so we can do this?

Post the Startup List and also let me know if wish to make some manual changes to the Registry in your next reply.

Thanks.
  • 0

#22
pwt5
Posted 05 November 2006 - 08:26 AM

pwt5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
As long as directions are fairly precise and easy to follow, which everything has been to this point, i would feel comfortable changing the registry. . . .I'll get 'er done. . . . proceed with those instructions

start-up log

StartupList report, 11/5/2006, 8:25:42 AM
StartupList version: 1.52.2
Started from : C:\HJT\Analyse.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\TPPALDR.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\hphmon04.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\Analyse.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = c:\winnt\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LoadQM = loadqm.exe
TPP Auto Loader = C:\WINNT\TPPALDR.EXE
Synchronization Manager = mobsync.exe /logon
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
Share-to-Web Namespace Daemon = C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
NeroCheck = C:\WINNT\System32\NeroCheck.exe
HPHUPD04 = "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
HPHmon04 = C:\WINNT\System32\hphmon04.exe
HPDJ Taskbar Utility = C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
EPSON PictureMate = C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB001" /M "PictureMate"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
a-winpoet-service = "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
THGuard = "C:\Program Files\TrojanHunter 4.6\THGuard.exe"

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpySweeper =

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINNT\System32\sstext3d.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - Lawrence Luecke.job

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky...can_unicode.cab

[Trend Micro ActiveX Scan Agent 6.5]
InProcServer32 = C:\WINNT\Downloaded Program Files\Housecall_ActiveX.dll
CODEBASE = http://housecall65.t...ivex/hcImpl.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[MUWebControl Class]
InProcServer32 = C:\WINNT\System32\muweb.dll
CODEBASE = http://update.micros...b?1143225708926

[ActiveScan Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoft...free/asinst.cab

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupd...AB?37850.515625

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

[IMDownloader Class]
CODEBASE = http://www2.incredim...er/imloader.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 6,969 bytes
Report generated in 0.651 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#23
Octagonal
Posted 05 November 2006 - 10:02 AM

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi pwt5,

First of all, Nortons (Symantec) uses a lot of system resources. This is well known and I'm sure that this would be confirmed by doing a simple search with Google.

I see that you have TrojanHunter installed. When you have real-time scanners installed you will find that each one of these uses a certain amount of system resources as well. May I suggest that you uninstall any real-time malware scanners that you have that you do not have a paid subscription to. In saying that it would be wise to keep one installed.

You could also disable several of the programs that load at startup and sit in your taskbar (at the bottom near the time), these are things like HP taskbar utilities and QuickTime. These programs can be run from either the Control Panel or from the Start button.

The above are only suggestions to assist in speeding up the boot-up time. Feel free to add any more that you see fit. :whistling:

Now for the Registry changes.

It is important that you follow these instructions exactly as I have listed. Failure to adhere to this could result in damage to your Registry Settings and the possibility of not being able to boot your computer or other unexpected events occurring.

You will need to print out a copy of these instructions and also save them to NotePad and put a shortcut to the file on the desktop so that you can refer to while you complete this procedure.

It is important to backup the Registry before we make any changes so that we have a fresh copy in case of misfortune. Please click on Start then Run and copy the following code into the command line.

regedit /e C:\BackupReg.reg

Click the OK button or press the Enter key. This will save a copy of the Registry to a file (C:\BackupReg.reg) on your local hard drive.

Go to Start then Run and type Regedit in the textbox then click Ok.

The Registry Editor will open and you will find two window panes similar to Windows Explorer.

The five folders there are known as "Hives".

In the left pane click on the + next to each of these:

HKEY_LOCAL_MACHINE then SYSTEM then CurrentControlSet then Services

Under Servives there should be a full listing of services.

Scroll down and Right click on Serv-U or Serv-U FTP Server

From the menu that opens click on Permissions...

From the Box that opens select Administrators from the Group or users names: then click the Advanced button.

From the new dialog box that opens make sure that the Permissions tab is selected and click on Administrators from the list then click the Edit button.

In the Permissions list place a checkmark alongside Full Control in the Allow column, then click OK.

Click the OK buttons on each of the Dialog boxes to close them and this should return you to the Registry Editor.

Repeat the same for TskHlp or Task Manager Help in the Services listing.

Once that is completed click the - next to each of the entries that you opened earlier to close the "Hive" then close the Registry Editor.

Go to Start > Run and type Services.msc then hit Ok
Scroll down and find the below service:

Serv-U FTP Server

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Repeat the same as above for Task Manager Help

Open HiJackThis, click on None of the above, just start the program. Now, click on the Config button (bottom right), click on Misc Tools, then click on Delete an NT Service. A window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

Serv-U

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click NO.

Repeat the same as above for Task Manager Help

Reboot the computer.

Post a new HiJackThis log after it reboots and let me know if you received any error messages.

If you have any questions regarding these instructions please post them before proceeding.

Thanks.
  • 0

#24
pwt5
Posted 06 November 2006 - 06:46 PM

pwt5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
As we are messing with the registry, i want to make sure i have everything correct . . . . i was following directions you provided, and got to the following folder

HKEY_LOCAL_MACHINE then SYSTEM then CurrentControlSet then Services

inside this folder, i have two ControlSet folders . . . ControlSet001 and ControlSet002.

Both of these folders contain the Serv-U folder inside of it. Please advise from here. . .

Thank You!
  • 0

#25
Octagonal
Posted 07 November 2006 - 08:22 AM

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi pwt5,

In Registry Editor if you drill down to HKEY_LOCAL_MACHINE then SYSTEM then CurrentControlSet then Services
do you not get a big listing of services under the Services key in the left hand pane like the example below?

Abiosdsk
ACPI
ACPIEC
aec
AFD
Aha154x
etc.
etc.
  • 0

Advertisements

#26
pwt5
Posted 07 November 2006 - 07:15 PM

pwt5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
OK, i was in the wrong folder, my apologies. . . .I'm glad I asked. I have navigated to the correct folder now and found Serv-U in the Service folder. However, when I right-click on it 'permissions' is not an option. Please see attachment of print screen of what my options are. . .as always, thanks!

Attached Files


  • 0

#27
Octagonal
Posted 08 November 2006 - 07:45 AM

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi pwt5,

When you right click on the Serv-U key select Delete and then close the hive completely and exit Registry Editor.

Reboot the computer.

Open Registry Editor again then locate HKEY_LOCAL_MACHINE then SYSTEM then CurrentControlSet then Services and let me know if Serv-U is still there or has it actually been deleted.

Also can you try this for Task Manager Help as well.

Let me know how you fare.

Thanks.
  • 0

#28
pwt5
Posted 08 November 2006 - 07:05 PM

pwt5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
I was able to delete both of them . . . . here is an updated HJT log. let me know how to proceed. Thanks!



Logfile of HijackThis v1.99.1
Scan saved at 7:00:22 PM, on 11/8/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\TPPALDR.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\hphmon04.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\Analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://cgi.verizon.n...a...&bm=ho_home
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer customized for Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TPP Auto Loader] C:\WINNT\TPPALDR.EXE
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [HPHmon04] C:\WINNT\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [EPSON PictureMate] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2P1.EXE /P17 "EPSON PictureMate" /O6 "USB001" /M "PictureMate"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [a-winpoet-service] "C:\Program Files\WinPoET Broadband Connection\winpppoverethernet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON CardMonitor.lnk = C:\Program Files\EPSON\EPSON CardMonitor\EPSON CardMonitor1.1.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O14 - IERESET.INF: START_PAGE_URL=http://cgi.verizon.net/bookmarks/bmredir.asp?region=east&bw=dialin&cd=4.0&bm=ho_home
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1143225708926
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredim...er/imloader.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINNT\System32\HPHipm11.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#29
Octagonal
Posted 09 November 2006 - 06:47 AM

Octagonal

    Member 2k

  • Member
  • PipPipPipPipPip
  • 2,528 posts
Hi pwt5,

That log looks OK. Can you let me know if your computer is no longer showing symptoms of malware. If it is not then I will post the clean-up instructions.

Thanks.
  • 0

#30
pwt5
Posted 09 November 2006 - 08:35 PM

pwt5

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Things seem to be OK with the system . . . still seems like things (i.e. MS Word) seem to take longer then they should to open, but that might have to do with the number of processes running, etc. I ran spybot and it was clean. i ran ad-aware and it came up with 15 critical objects. I'm not sure if that is a big deal or not. I have posted a log below. . . .I believe I am ready for some clean up instructions. . . .Also looking for some advise as to what antivirus is best. . .what other programs should I run (i.e. ad aware, spybot, etc.) periodically to make sure the system is clean.


Adaware log. . .


Ad-Aware SE Build 1.06r1
Logfile Created on:Thursday, November 09, 2006 7:15:25 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R131 09-11-2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie(TAC index:3):15 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for low-risk threats
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


11-9-2006 7:15:25 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]

#:2 [csrss.exe]

#:3 [winlogon.exe]

#:4 [services.exe]

#:5 [lsass.exe]

#:6 [svchost.exe]

#:7 [spoolsv.exe]

#:8 [aluschedulersvc.exe]

#:9 [guard.exe]

#:10 [ccsetmgr.exe]

#:11 [svchost.exe]

#:12 [navapsvc.exe]

#:13 [npfmntor.exe]

#:14 [mstask.exe]

#:15 [sndsrvc.exe]

#:16 [spbbcsvc.exe]

#:17 [stisvc.exe]

#:18 [explorer.exe]

#:19 [symlcsvc.exe]

#:20 [winmgmt.exe]

#:21 [svchost.exe]

#:22 [ccevtmgr.exe]

#:23 [svchost.exe]

#:24 [tppaldr.exe]

#:25 [hpgs2wnd.exe]

#:26 [realplay.exe]

#:27 [qttask.exe]

#:28 [hphmon04.exe]

#:29 [hpztsb05.exe]

#:30 [e_s4i2p1.exe]

#:31 [hpgs2wnf.exe]

#:32 [ccapp.exe]

#:33 [jusched.exe]

#:34 [thguard.exe]

#:35 [epson cardmonitor1.1.exe]

#:36 [ad-aware.exe]

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence [email protected][1].txt
Value : Cookie:lawrence [email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence [email protected][2].txt
Value : Cookie:lawrence [email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence [email protected][1].txt
Value : Cookie:lawrence [email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence luecke@apmebf[1].txt
Value : Cookie:lawrence [email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence luecke@realmedia[1].txt
Value : Cookie:lawrence [email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence luecke@zedo[1].txt
Value : Cookie:lawrence [email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence luecke@2o7[2].txt
Value : Cookie:lawrence [email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence luecke@qksrv[1].txt
Value : Cookie:lawrence [email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence luecke@fortunecity[2].txt
Value : Cookie:lawrence [email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence [email protected][2].txt
Value : Cookie:lawrence [email protected]/

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence luecke@tribalfusion[1].txt
Value : Cookie:lawrence [email protected]/

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 11
Objects found so far: 11



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence luecke@apmebf[1].txt
Value : C:\Documents and Settings\Lawrence Luecke\Cookies\lawrence luecke@apmebf[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence luecke@fortunecity[2].txt
Value : C:\Documents and Settings\Lawrence Luecke\Cookies\lawrence luecke@fortunecity[2].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence luecke@realmedia[1].txt
Value : C:\Documents and Settings\Lawrence Luecke\Cookies\lawrence luecke@realmedia[1].txt

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : lawrence luecke@tribalfusion[1].txt
Value : C:\Documents and Settings\Lawrence Luecke\Cookies\lawrence luecke@tribalfusion[1].txt

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 entries scanned.
New critical objects:0
Objects found so far: 15




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15

7:32:35 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:17:09.500
Objects scanned:84665
Objects identified:15
Objects ignored:0
New critical objects:15



Thanks for all your continued help and support
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP