please help, log posted [RESOLVED]



#16 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Make sure you are disconnected from the Internet and that all programs and windows are closed. Run HiJackThis. Place a check next to the following items, if found, and click FIX CHECKED:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {25FBE451-E7B5-4129-BF97-088B72FF2B14} - (no file)

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

O9 - Extra button: Microsoft AntiSpyware helper - {43255105-01DB-45A9-8E7A-19F1C54F36DD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {43255105-01DB-45A9-8E7A-19F1C54F36DD} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {F52A7667-6EEF-4CB1-B447-CE1A0FA33E22} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {F52A7667-6EEF-4CB1-B447-CE1A0FA33E22} - (no file) (HKCU)

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab


Close HiJackThis.

They won't let you delete them and you can't boot into Safe Mode to do it, so we're bringing out the big guns!

I need you to copy all of the Killbox instructions below and paste them into Notepad and save it.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C:

C:\Windows\System32\Drivers\Delprot.sys
C:\Windows\isrvs


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

After your computer reboots, please run this online virus scan:
ActiveScan

Copy the results from ActiveScan and paste them here along with a new HiJackThis log.
#17 kupsjon (Member, Topic Starter, 28 posts)

Thanks, I am glad you know what you are doing as this one has beaten me :tazz:

On it now.

Edited by kupsjon, 05 May 2005 - 12:16 PM.


#18 kupsjon (Member, Topic Starter, 28 posts)

Just to let you know, whilst the scan is going: Killbox didn't remove those nasties. I tried it twice but it is still there; Desktop etc. started straight up again. Will post the logs you asked for as soon as they finish scanning.

#19 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

You did have "delete on reboot" selected?

#20 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

C:\Windows\System32\Drivers\Delprot.sys

Try to rename this file to Delprot.bak - let me know if it lets you.

#21 kupsjon (Member, Topic Starter, 28 posts)

Yeah, I had it checked, second choice down on the left. This thing is a right persistent little so-and-so. Here's the logs whilst I try that.

Incident Status Location

Adware:Adware/FIsearch No disinfected C:\WINDOWS\isrvs\msdbhk.dll
Adware:Adware/IESearchBar No disinfected C:\WINDOWS\isrvs\desktop.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\isrvs\sysupd.dll
Adware:Adware/IESearchBar No disinfected C:\WINDOWS\isrvs\mfiltis.dll
Adware:Adware/IESearchBar No disinfected C:\WINDOWS\isrvs\desktop.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\isrvs\FFISEA~1.EXE
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\WINDOWS\gator*.log
Spyware:Spyware/ISTbar No disinfected Windows Registry
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\CERES.DLL
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\ritsacnk.dat
Adware:Adware/CWS No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\farmmext.ini
Adware:Adware/BlazeFind No disinfected Windows Registry
Adware:Adware/ISearch No disinfected C:\WINDOWS\isrvs
Adware:Adware/WUpd No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINDOWS\inst
Adware:Adware/Dloader No disinfected C:\WINDOWS\system32\intronsad.exe
Virus:W32/Gaobot.CES.worm Disinfected C:\Documents and Settings\All Users\Documents\sysfirewall.exe
Virus:Bck/Agent.E Disinfected Personal Folders\Outbox\Drag 'junkxxx.zip' to Submit here!\junkxxx.zip[d3daj.333]
Possible Virus. No disinfected C:\Program Files\GameSpy Arcade\fpupdate.exe
Possible Virus. No disinfected C:\Program Files\Polyphonic Wizard\BACKUP\cwpolywz.exe
Virus:W32/Torvil.B.worm Disinfected C:\WINDOWS\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Affordable home ownership application form - Moat Housing Group.htm
Virus:W32/Torvil.B.worm Disinfected C:\WINDOWS\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Chose_Not_To_Connect.htm
Virus:W32/Torvil.B.worm Disinfected C:\WINDOWS\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Coupe Meet 04.09.04.html
Virus:W32/Torvil.B.worm Disinfected C:\WINDOWS\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Coupe Meet 04.09.04.zip[Coupe Meet 04.09.04.exe]
Virus:W32/Torvil.B.worm Disinfected C:\WINDOWS\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Pfizer Viagra Receipt.htm
Virus:W32/Torvil.B.worm Disinfected C:\WINDOWS\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\registration-cancel.htm
Virus:W32/Torvil.B.worm Disinfected C:\WINDOWS\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\Travelodge - book rooms at Leatherhead.htm
Virus:W32/Torvil.B.worm Disinfected C:\WINDOWS\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\trial-cannot-connect.htm
Virus:W32/Torvil.B.worm Disinfected C:\WINDOWS\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\VideoContents.big5.html
Virus:W32/Torvil.B.worm Disinfected C:\WINDOWS\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\VideoContents.en.html
Virus:W32/Torvil.B.worm Disinfected C:\WINDOWS\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\VideoContents.fr.html
Virus:W32/Torvil.B.worm Disinfected C:\WINDOWS\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\VideoContents.gb.html
Virus:W32/Torvil.B.worm Disinfected C:\WINDOWS\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\VideoContents.ja.html
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\ceres.dll
Adware:Adware/ISearch No disinfected C:\WINDOWS\delprot.ini
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\farmmext.ini
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorHDPlugin.log-old.log
Adware:Adware/IESearchBar No disinfected C:\WINDOWS\isrvs\desktop.exe
Adware:Adware/FIsearch No disinfected C:\WINDOWS\isrvs\edmond.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\isrvs\ffisearch.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\isrvs\isearch.xpi[isearch.jar][isearch.js]
Adware:Adware/IESearchBar No disinfected C:\WINDOWS\isrvs\mfiltis.dll
Adware:Adware/FIsearch No disinfected C:\WINDOWS\isrvs\msdbhk.dll
Adware:Adware/ISearch No disinfected C:\WINDOWS\isrvs\sysupd.dll
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\a95kfrhe.ini
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\ap2nqrd4.dat
Adware:Adware/SaveNow No disinfected C:\WINDOWS\system32\baur5s9q.dat
Virus:Trj/Delprot.A Disinfected C:\WINDOWS\system32\drivers\delprot.sys
Virus:Trj/Downloader.BVA Disinfected C:\WINDOWS\system32\intronsad.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\ritsacnk.dat
Virus:W32/Gaobot.CES.worm Disinfected C:\WINDOWS\system32\spool\PRINTERS\00003.SPL
Virus:W32/Gaobot.CES.worm Disinfected C:\WINDOWS\system32\spool\PRINTERS\00005.SPL
Virus:W32/Gaobot.CES.worm Disinfected C:\WINDOWS\system32\spool\PRINTERS\00007.SPL
Virus:W32/Gaobot.CES.worm Disinfected C:\WINDOWS\system32\spool\PRINTERS\00009.SPL
Virus:W32/Gaobot.CES.worm Disinfected C:\WINDOWS\system32\spool\PRINTERS\00011.SPL
Virus:W32/Gaobot.CES.worm Disinfected C:\WINDOWS\system32\spool\PRINTERS\00013.SPL
Virus:W32/Gaobot.CES.worm Disinfected C:\WINDOWS\system32\spool\PRINTERS\00015.SPL
Virus:W32/Gaobot.CES.worm Disinfected C:\WINDOWS\system32\spool\PRINTERS\00017.SPL





Logfile of HijackThis v1.99.1
Scan saved at 21:10:50, on 05/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\MMTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Jon\My Documents\adaware kilers\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE Initial
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Jon\Desktop\l2mfix\second.bat
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5761EB83-7A23-47A8-97AB-8833159589E6}: NameServer = 62.55.109.21 62.55.109.22
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#22 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

I'll work on your ActiveScan log. I think I've figured out why you can't boot into Safe Mode...what version of InCD do you have? Certain versions of InCD and XP Service Pack 2 don't play well together.

#23 kupsjon (Member, Topic Starter, 28 posts)

OK, sorry, just checked: that file has gone but the isrvs folder is still there.

#24 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Post 22 in case you missed it :tazz:

I'll work on it and be right back!

#25 kupsjon (Member, Topic Starter, 28 posts)

OK great, that InCD is version 4.3.0.3. I think it is left over from my old install of Nero. I didn't realise it was still there as it is not in Add/Remove Programs, and when I uninstalled the old software it had problems deleting it for some reason.
#26 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Did you look for a program called Ahead InCD in Add/Remove programs?

If it's there remove it.

#27 kupsjon (Member, Topic Starter, 28 posts)

LOL, what an idiot, that's what I had been looking for but I just found it as InCD. Duh, that's why I didn't find it. I should look harder.

Should I try Safe Mode, and what do you want me to do if it works?

#28 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

Let's go ahead and do this, and when it's rebooting try going into Safe Mode (tapping F8). It should definitely let you after uninstalling InCD.

After doing this and getting into Safe Mode, delete these folders:

C:\WINDOWS\isrvs
C:\WINDOWS\inst

BTW, delprot.sys was gone because ActiveScan got a hold of it lol

I need you to copy all of the Killbox instructions below and paste them into Notepad and save it.

* Run Killbox.exe.

* Select "Delete on Reboot".

* Open the Notepad file where you saved these instructions earlier, and copy the file names below to the clipboard by highlighting ALL of them then press CTRL + C:

C:\WINDOWS\isrvs\msdbhk.dll
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\isrvs\sysupd.dll
C:\WINDOWS\isrvs\mfiltis.dll
C:\WINDOWS\isrvs\FFISEARCH.EXE
C:\WINDOWS\gator*.log
C:\WINDOWS\CERES.DLL
C:\WINDOWS\system32\ritsacnk.dat
C:\WINDOWS\farmmext.ini
C:\WINDOWS\isrvs
C:\WINDOWS\inst
C:\WINDOWS\system32\intronsad.exe
C:\Program Files\GameSpy Arcade\fpupdate.exe
C:\WINDOWS\ceres.dll
C:\WINDOWS\delprot.ini
C:\WINDOWS\deskbar.ini
C:\WINDOWS\farmmext.ini
C:\WINDOWS\GatorHDPlugin.log-old.log
C:\WINDOWS\isrvs\edmond.exe
C:\WINDOWS\isrvs\ffisearch.exe
C:\WINDOWS\isrvs\isearch.xpi
C:\WINDOWS\isrvs\isearch.jar
C:\WINDOWS\isrvs\isearch.js
C:\WINDOWS\system32\a95kfrhe.ini
C:\WINDOWS\system32\ap2nqrd4.dat
C:\WINDOWS\system32\baur5s9q.dat
C:\WINDOWS\system32\ritsacnk.dat


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

Post a new HiJackThis log.

Edited by bananafanafo, 05 May 2005 - 02:58 PM.


#29 kupsjon (Member, Topic Starter, 28 posts)

OK, so now I am really impressed, YOU THE DADDY. You got me into Safe Mode; God knows how you could remember that InCD conflicts, with all the stuff you have to deal with on here. If the room I am in was big enough I would be running round with my T-shirt pulled over my head. My net connects faster, IE loads instantly again and spoolsv.exe has stopped using 100% of my CPU when I open IE. Thank you.

Here's my log for you again.

Logfile of HijackThis v1.99.1
Scan saved at 22:09:18, on 05/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\MMTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\TrojanHunter 3.8\THGuard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Saitek\Software\Profiler.exe
C:\Program Files\Saitek\Software\SaiSmart.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jon\My Documents\adaware kilers\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1629.0\en-gb\msntb.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [MMTray] MMTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE Initial
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Profiler] C:\Program Files\Saitek\Software\Profiler.exe
O4 - HKLM\..\Run: [SaiSmart] C:\Program Files\Saitek\Software\SaiSmart.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Jon\Desktop\l2mfix\second.bat
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay10...es/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5761EB83-7A23-47A8-97AB-8833159589E6}: NameServer = 62.55.109.21 62.55.109.22
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
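As an added example (not code from the thread, HijackThis or Killbox), here is a small Python helper for the HijackThis log format posted above: it parses the entry lines and the running-process list, flags anything under the directories the ActiveScan results reported (C:\WINDOWS\isrvs, C:\WINDOWS\inst), dangling (no file)/(file missing) references and the O18 text/html filter, and diffs a before/after pair of logs to show what a Killbox pass actually removed. The sample logs are constructed excerpts built from lines in this thread.

```python
"""Parse HijackThis v1.99 logs and diff a before/after pair.
Added example, not part of the thread or of HijackThis; sample logs
are constructed excerpts modelled on the ones posted in the thread."""
import re
from dataclasses import dataclass

# Directories the thread's ActiveScan results reported as adware homes.
SUSPECT_DIRS = (r"c:\windows\isrvs", r"c:\windows\inst")
# Entry lines look like "O4 - HKLM\..\Run: [name] path" or "R0 - ...".
ENTRY_RE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Entry:
    section: str  # "O2", "O4", "O18", ...
    body: str     # everything after "O4 - "

    def __str__(self):
        return f"{self.section} - {self.body}"


def parse_hjt(text):
    """Return (running_processes, entries) from one HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True          # process list runs until a blank line
            continue
        if not line:
            in_procs = False
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return processes, entries


def suspect_reasons(entry):
    """Defender heuristics: why an entry deserves a closer look."""
    low, reasons = entry.body.lower(), []
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("path under a directory the scanner reported as adware")
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("dangling reference: file gone, registry entry remains")
    if entry.section == "O18" and low.startswith("filter: text/html"):
        reasons.append("text/html MIME filter sees every HTML page IE loads")
    return reasons


def review(text):
    """Flagged entries and processes of one log, as printable strings."""
    procs, entries = parse_hjt(text)
    flagged = [f"{e} <- {'; '.join(r)}"
               for e in entries if (r := suspect_reasons(e))]
    flagged += [f"process {p} <- running from a suspect directory"
                for p in procs if any(d in p.lower() for d in SUSPECT_DIRS)]
    return flagged


def diff_logs(before, after):
    """What a cleanup step removed, what it added, what is still flagged."""
    b_entries = set(parse_hjt(before)[1])
    a_entries = set(parse_hjt(after)[1])
    return {"removed": sorted(map(str, b_entries - a_entries)),
            "added": sorted(map(str, a_entries - b_entries)),
            "still_flagged": review(after)}


# Constructed excerpt; the paths and CLSIDs are the ones in the thread's logs.
BEFORE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\isrvs\desktop.exe

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""
# After the Killbox pass: the process is gone and the BHO's DLL is missing.
AFTER = (BEFORE.replace("C:\\WINDOWS\\isrvs\\desktop.exe\n\n", "\n")
               .replace("sysupd.dll", "sysupd.dll (file missing)"))

if __name__ == "__main__":
    for key, lines in diff_logs(BEFORE, AFTER).items():
        print(key, *lines, sep="\n  ")
```

The "still_flagged" list is the point: after the file deletions the O4 Run entries and the O18 filter still reference the isrvs folder, which is why the helper asks for a fresh log before calling the job done.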

#30 Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)

;) But, I doubt I'm the DADDY since I am a girl LOL (look in my profile - not even close to a guy :tazz: )

No problems deleting isrvs folder?

I'll be right back with the fix for your log!