Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Hi Guys - Lots of problems :(


  • Please log in to reply

#1
Jennifer18

Jennifer18

    Member

  • Member
  • PipPip
  • 11 posts
Hi Guys,
Yesterday my new notebook somehow got slammed with tons of unwanted stuff. I've been reading other threads and have partially removed some stuff, but I still have problems like my desktop is all black, I have a !submit folder with a dialer called 125777.exe, spybot finds the following stuff:

CoolWWWSearch.Googlems
DyFuCA.InternetOptimizer
DyFuCA
IBIS Toolbar
N-Case
Isearchtech.Powerscan
Isearchtech.sidefind

I have done lots of stuff I found in different threads and have reclaimed my homepage, limited pop ups (just aurora and seeve remain), and got rid of the red cirlce with an X in the midle in my task bar. There was so much stuff on here im probably forgetting a lot. So I'll just post m hijackthis log and if you need any other info on what I've done let me know. :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 9:07:06 PM, on 4/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\System32\msnsvc.exe
C:\WINDOWS\seeve.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
c:\windows\system32\doazyv.exe
C:\WINDOWS\System32\r?ndll32.exe
C:\WINDOWS\System32\wi32.exe
C:\Documents and Settings\user\Application Data\wrnu.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\INETSVC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: (no name) - {85CAA062-4E89-3803-ABF8-6013468B3DE4} - C:\WINDOWS\System32\ntlpxv.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [msn] msnsvc.exe
O4 - HKLM\..\Run: [EFyV] C:\WINDOWS\ttqnrhov.exe
O4 - HKLM\..\Run: [ytul] C:\WINDOWS\ytul.exe
O4 - HKLM\..\Run: [NAV Auto Updates] slserves.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\Run: [ifilveu] c:\windows\system32\doazyv.exe
O4 - HKLM\..\RunServices: [msn] msnsvc.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserves.exe
O4 - HKLM\..\RunServices: [Sam-sung] Sam-sung.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\user\Application Data\othb.exe
O4 - HKCU\..\Run: [Buhmmg] C:\WINDOWS\System32\r?ndll32.exe
O4 - HKCU\..\Run: [wupdate] C:\WINDOWS\System32\wi32.exe
O4 - HKCU\..\Run: [Aona] C:\Documents and Settings\user\Application Data\wrnu.exe
O4 - HKCU\..\Run: [Svhl] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserves.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.14...chm::/trs15.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{64F5C3CF-03D0-4208-AF24-022B63758396}: NameServer = 206.47.244.104 206.47.244.59
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Anybody who helps me get rid of this will instantly become m hero! *muah*
  • 0

Advertisements


#2
Jennifer18

Jennifer18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Guys,
Me again, I've been reading some more threads and thought this info would be helpful to you guys, so I thought I would post them.

Find it log:

Microsoft Windows XP [Version 5.1.2600]
The current date is: Fri 04/29/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.

DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 1785-2D4D

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 1785-2D4D

Directory of C:\WINDOWS\system32

04/27/2005 07:14 PM 766 Air Tickets.ico
04/27/2005 07:14 PM 2,238 Car Insurance.ico
04/27/2005 07:14 PM 4,606 Credit Card.ico
04/27/2005 07:14 PM 2,238 Cruises.ico
04/27/2005 07:14 PM 2,238 Forex Trading.ico
04/27/2005 07:14 PM 4,286 Lesbian Sex.ico
04/27/2005 07:14 PM 2,238 MP3.ico
04/27/2005 07:14 PM 2,238 Online Betting.ico
04/27/2005 07:14 PM 766 Online Casino.ico
04/27/2005 07:14 PM 4,286 Oral Sex.ico
04/27/2005 07:14 PM 766 Party Poker.ico
04/27/2005 07:14 PM 766 Phentermine.ico
04/27/2005 07:14 PM 4,534 Remove Spyware.ico
04/27/2005 07:14 PM 2,238 Viagra.ico
14 File(s) 34,204 bytes
0 Dir(s) 20,812,808,192 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\ceres


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\mfiltis


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\System Updater


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}
<NO NAME> REG_SZ BolgerObj Class


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

I am going to do a online virus scan from panda then post when its done. Thanks for any help! :tazz:
  • 0

#3
Jennifer18

Jennifer18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Here's the panda active scan log. Next I'll post an ad aware scan :tazz:


Incident Status Location

Adware:Adware/CWS.Aboutblank No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\sp.html
Virus:Trj/Downloader.BWL Disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\R8MVZ28E\gr[1].exe
Adware:Adware/Trustbid No disinfected C:\Documents and Settings\user\1.exe
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\user\Application Data\othb.exe
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\user\Application Data\wrnu.exe
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\user\Desktop\backups\backup-20050428-201510-205.dll
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Fun & Games\Betting.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Fun & Games\Casino Palace.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Fun & Games\Casino.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Fun & Games\Games.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Fun & Games\Horoscope.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Going Places\Air Tickets.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Going Places\Car Rentals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Going Places\Hotel Deals.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Going Places\Luggage.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Going Places\Travel.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Living\Dating.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Living\Find a Degree.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Living\Find a job.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Living\Home.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Living\Insurance.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Shop\Auctions.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Shop\Books.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Shop\Computers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Shop\Discount.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Shop\Flowers.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Shop\Golf.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Shop\Jewelry.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Shop\Movies.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Shop\Music.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Shop\Online Store.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Shop\Perfume.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Shop\Sleepwear.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Technology\Adware Remover.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Technology\Anti-Virus.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Technology\PC Cleaner.lnk
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Favorites\Technology\Tech & gadgets.lnk
Adware:Adware/SideFind No disinfected C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\C601609\1205984
Adware:Adware/SideFind No disinfected C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\C601609\1285640
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\159516[optimize.exe]
Adware:Adware/DealHelper No disinfected C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\159516[dun.exe]
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\159516[EliteToolBar version 60.dll]
Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\159516[WToolsA.exe]
Adware:Adware/MyWebSearch No disinfected C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\159516[WToolsB.dll]
Adware:Adware/Zango No disinfected C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\159516[sais.exe]
Adware:Adware/WUpd No disinfected C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\159516[AdManComm.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\159516[msbe.dll]
Adware:Adware/ExactSearch No disinfected C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\159516[exclean.exe]
Adware:Adware/PowerScan No disinfected C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\159516[powerscan.exe]
Adware:Adware/Trustbid No disinfected C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\OGE9Y8I7\sh[1].exe
Adware:Adware/Trustbid No disinfected C:\Documents and Settings\user\~update.exe
Adware:Adware/WUpd No disinfected C:\log.exe
Adware:Adware/WinAD No disinfected C:\Program Files\Media Access\MediaAccess.exe
Virus:Trj/Downloader.BWL Disinfected C:\sdas.exe
Adware:Adware/SAHAgent No disinfected C:\Temp\sahagent-cdt1004.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Bolger.dll
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\Downloaded Program Files\setup4002b.ini
Virus:W32/Sdbot.DDB.worm Disinfected C:\WINDOWS\INETSVC.EXE
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\mm63.ocx
Adware:Adware/Transponder No disinfected C:\WINDOWS\Nail.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\seeve.exe
Spyware:Spyware/SurfSideKick No disinfected C:\WINDOWS\SSK_B5 Simple Internet 12.EXE
Adware:Adware/Transponder No disinfected C:\WINDOWS\svcproc.exe
Adware:Adware/Trustbid No disinfected C:\WINDOWS\system32\1.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\system32\4.dat
Virus:Trj/Agent.PF Disinfected C:\WINDOWS\system32\DrPMon.dll
Virus:W32/Sdbot.DDB.worm Disinfected C:\WINDOWS\system32\eraseme_16105.exe
Adware:Adware/Hotoffers No disinfected C:\WINDOWS\system32\guninst.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\Hqednj.exe
Virus:W32/Sdbot.ftp No disinfected C:\WINDOWS\system32\i
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\install.exe
Adware:Adware/Dloader No disinfected C:\WINDOWS\system32\intronsad.exe
Virus:W32/Gaobot.FFA.worm No disinfected C:\WINDOWS\system32\ipsec.exe[bot.exe]
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\ipsec.exe[install.exe]
Adware:Adware/Startpage.AAO No disinfected C:\WINDOWS\system32\lpzxczxct.exe
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\system32\o
Virus:W32/Sdbot.CRF.worm Disinfected C:\WINDOWS\system32\Sam-sung.exe
Adware:Adware/XPlugin No disinfected C:\WINDOWS\system32\tksrv99.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\tsuninst.exe
Adware:Adware/Admess No disinfected C:\WINDOWS\system32\uc1362.exe
Adware:Adware/Admess No disinfected C:\WINDOWS\system32\ucsl.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\wgaljk.exe
Adware:Adware/Trustbid No disinfected C:\WINDOWS\system32\wi32.exe
Adware:Adware/IGuard No disinfected C:\WINDOWS\system32\wldr.dll
Adware:Adware/XPlugin No disinfected C:\WINDOWS\system32\xplugin.dll
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\Temp\ICD2.tmp\MediaTicketsInstaller.INF
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\unstall.exe
  • 0

#4
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Jenny and welcome to Geeks to Go,

Hold off on anymore logs for the moment please,

Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

First:
Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply
  • 0

#5
Jennifer18

Jennifer18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Thank you very much for your help! :tazz:

Here is the scan report for ewido secruity suite:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:14:16 AM, 4/29/2005
+ Report-Checksum: 3C1CCF65

+ Date of database: 4/29/2005
+ Version of scan engine: v3.0

+ Duration: 40 min
+ Scanned Files: 88747
+ Speed: 36.10 Files/Second
+ Infected files: 58
+ Removed files: 58
+ Files put in quarantine: 58
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\!Submit\125777.exe -> Not-A-Virus.PornWare.Downloader.Tibsystems -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/WINDOWS/system32/config/systemprofile/Cookies/system@www.shopathomeselect[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/Documents and Settings/user/Desktop/backups/backup-20050428-201510-205.dll -> Spyware.EliteBar.z -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/Program Files/Media Access/MediaAccess.exe -> Spyware.WinAD.af -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP20/A0000450.exe -> Spyware.Wintol.y -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP22/A0001558.exe -> Spyware.WinAD.k -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0001575.dll -> Spyware.WinAD.ag -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0001579.dll -> Spyware.Sahat.l -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002455.exe -> TrojanDownloader.QDown.m -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002464.exe -> Spyware.Sahat.o -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002465.exe -> Spyware.Sahat.o -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002476.dll -> TrojanDownloader.Dyfuca -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002481.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002482.vxd -> Spyware.BargainBuddy -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002484.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002495.exe -> Spyware.IBIS -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002496.exe -> Spyware.WebSearch.ad -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002502.dll -> Spyware.WebSearch.ae -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002512.exe -> Spyware.180solutions -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002516.vxd -> Spyware.BargainBuddy -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002517.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002518.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002520.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002521.exe -> Spyware.Bargainbuddy -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002522.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002524.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002525.exe -> Spyware.BargainBuddy.n -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002529.dll -> Spyware.SideFind -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002530.dll -> Spyware.SideFind -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP23/A0002531.exe -> Spyware.SideFind -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP31/A0002663.dll -> Spyware.EliteBar.z -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP33/A0002683.exe -> Spyware.180solutions -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP33/A0002685.exe -> Spyware.Wintol.y -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP33/A0002686.dll -> Spyware.Wintol.y -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP33/A0002690.exe -> Spyware.DealHelper.x -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP33/A0002691.vxd -> Spyware.MediaPass -> Cleaned with backup
C:\Documents and Settings\user\Local Settings\Temp\AAWTMP\TMP\221654/C:/System Volume Information/_restore{EABCAB45-42A4-472A-8674-85AD723A5F23}/RP33/A0002692.exe -> Spyware.BargainBuddy -> Cleaned with backup
C:\log.exe -> Spyware.WinAD.ai -> Cleaned with backup
C:\Temp\sahagent-cdt1004.exe -> Spyware.Sahat.m -> Cleaned with backup
C:\WINDOWS\iracfxwyoaj.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\SSK_B5 Simple Internet 12.EXE -> TrojanDropper.Small.wd -> Cleaned with backup
C:\WINDOWS\system32\4.dat -> Trojan.Small.bb -> Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Cookies\system@hb.lycos[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\WINDOWS\system32\guninst.exe -> Spyware.Serpo.j -> Cleaned with backup
C:\WINDOWS\system32\HookPopup.dll -> Spyware.DealHelper.ab -> Cleaned with backup
C:\WINDOWS\system32\Hqednj.exe -> Spyware.DealHelper.ac -> Cleaned with backup
C:\WINDOWS\system32\ipsec.exe/bot.exe -> Backdoor.RBot.Generic -> Cleaned with backup
C:\WINDOWS\system32\Kykeiz.exe -> Trojan.Popmon.a -> Cleaned with backup
C:\WINDOWS\system32\lpzxczxct.exe -> TrojanDownloader.Small.my -> Cleaned with backup
C:\WINDOWS\system32\Ojlasp.exe -> Trojan.Popmon.a -> Cleaned with backup
C:\WINDOWS\system32\tksrv99.exe -> TrojanDownloader.Esepor.Q -> Cleaned with backup
C:\WINDOWS\system32\uc1362.exe -> TrojanDownloader.Small.aqw -> Cleaned with backup
C:\WINDOWS\system32\ucsl.exe -> TrojanDownloader.Small.arq -> Cleaned with backup
C:\WINDOWS\system32\wldr.dll -> TrojanDownloader.Agent.le -> Cleaned with backup
C:\WINDOWS\system32\xplugin.dll -> TrojanDownloader.Esepor.ac -> Cleaned with backup
C:\WINDOWS\system32\zssbuu.exe -> Trojan.Agent.cp -> Cleaned with backup
C:\WINDOWS\__delete_on_reboot__Bolger.dll -> Spyware.BetterInternet -> Cleaned with backup


::Report End



Here is the hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 4:19:15 AM, on 4/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\seeve.exe
C:\WINDOWS\System32\r?ndll32.exe
C:\Documents and Settings\user\Application Data\wrnu.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {85CAA062-4E89-3803-ABF8-6013468B3DE4} - C:\WINDOWS\System32\ntlpxv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [EFyV] C:\WINDOWS\ttqnrhov.exe
O4 - HKLM\..\Run: [ytul] C:\WINDOWS\ytul.exe
O4 - HKLM\..\Run: [NAV Auto Updates] slserves.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserves.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\user\Application Data\othb.exe
O4 - HKCU\..\Run: [Buhmmg] C:\WINDOWS\System32\r?ndll32.exe
O4 - HKCU\..\Run: [wupdate] C:\WINDOWS\System32\wi32.exe
O4 - HKCU\..\Run: [Aona] C:\Documents and Settings\user\Application Data\wrnu.exe
O4 - HKCU\..\Run: [Svhl] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserves.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.185.246
O15 - Trusted IP range: 67.19.185.246 (HKLM)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.14...chm::/trs15.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


Thanks again! ;)
  • 0

#6
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Jennifer18.
Looks to be cleaning up ! A bit more to do,
  • Please set your system to show
    all files; please see here if you're unsure how to do this.





  • Close all programs leaving only HijackThis running. Place a check mark next to the following, making sure you get them all and not any others by mistake:

    O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
    O2 - BHO: (no name) - {85CAA062-4E89-3803-ABF8-6013468B3DE4} - C:\WINDOWS\System32\ntlpxv.dll
    O4 - HKLM\..\Run: [EFyV] C:\WINDOWS\ttqnrhov.exe
    O4 - HKLM\..\Run: [ytul] C:\WINDOWS\ytul.exe
    O4 - HKLM\..\Run: [NAV Auto Updates] slserves.exe
    O4 - HKLM\..\RunServices: [NAV Auto Updates] slserves.exe
    O4 - HKCU\..\Run: [Aaou] C:\Documents and Settings\user\Application Data\othb.exe
    O4 - HKCU\..\Run: [Buhmmg] C:\WINDOWS\System32\r?ndll32.exe
    O4 - HKCU\..\Run: [NAV Auto Updates] slserves.exe
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O15 - Trusted Zone: *.skoobidoo.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 67.19.185.246
    O15 - Trusted IP range: 67.19.185.246 (HKLM)
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.14...chm::/trs15.exe
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...e/bridge-c7.cab
    O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


    Click on Fix Checked when finished and exit HijackThis.
  • Reboot into Safe Mode: please see here if you are not sure how to do this.


    Using Windows Explorer, locate the following files/folders, and delete them:

    C:\WINDOWS\System32\ntlpxv.dll
    C:\WINDOWS\ttqnrhov.exe
    C:\WINDOWS\ytul.exe
    C:\WINDOWS\slserves.exe
    C:\Documents and Settings\user\Application Data\othb.exe
    C:\WINDOWS\INETSVC.EXE
    C:\WINDOWS\svcproc.exe

    Exit Explorer, and reboot as normal afterwards.
Post back a fresh HijackThis log and we will take another look.
  • 0

#7
Jennifer18

Jennifer18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Thanks you very much.

I did everything as requested but when I rebooted into safe mode these files were not present:

C:\WINDOWS\System32\ntlpxv.dll
C:\WINDOWS\ttqnrhov.exe
C:\WINDOWS\ytul.exe
C:\WINDOWS\slserves.exe

And so obviously I didnt have the chance to delete them. The other thing, is I keep getting these pop ups with seeve in the menu bar. But I noticed you didnt ask me to check that in hijackthis or delete the file in safe mode. Thought that info might help! :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 12:31:48 PM, on 4/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\seeve.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Documents and Settings\user\Application Data\wrnu.exe
C:\WINDOWS\System32\??rss.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [wupdate] C:\WINDOWS\System32\wi32.exe
O4 - HKCU\..\Run: [Aona] C:\Documents and Settings\user\Application Data\wrnu.exe
O4 - HKCU\..\Run: [Svhl] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{64F5C3CF-03D0-4208-AF24-022B63758396}: NameServer = 206.47.244.104 206.47.244.59
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
  • 0

#8
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi Jennifer18
  • Please set your system to show
    all files; please see here if you're unsure how to do this.
  • Close all programs leaving only HijackThis running. Place a check mark next to the following, making sure you get them all and not any others by mistake:

    O4 - HKLM\..\Run: [seeve] C:\WINDOWS\seeve.exe
    O4 - HKCU\..\Run: [wupdate] C:\WINDOWS\System32\wi32.exe
    O4 - HKCU\..\Run: [Aona] C:\Documents and Settings\user\Application Data\wrnu.exe
    O4 - HKCU\..\Run: [Svhl] C:\WINDOWS\System32\??rss.exe
    O15 - Trusted Zone: *.media-motor.net
    O15 - Trusted Zone: *.popuppers.com
    O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE (file missing)


    Click on Fix Checked when finished and exit HijackThis.

  • Reboot into Safe Mode: please see here if you are not sure how to do this.


    Using Windows Explorer, locate the following files/folders, and delete them:

    C:\WINDOWS\INETSVC.EXE
    C:\WINDOWS\seeve.exe
    C:\WINDOWS\System32\wi32.exe
    C:\WINDOWS\System32\??rss.exe

    Exit Explorer, and reboot as normal afterwards.


    Next,
    Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
    Scroll down and find the services called:

    System Startup Service

    or

    SvcProc

    When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

    Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

    SvcProc
    Click OK.

    It should pull up information about the service, then ask if you want to reboot. Click YES.

    Post a new HiJackThis log after it reboots and let me know if you received any error messages.

  • 0

#9
Jennifer18

Jennifer18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi ;)
I did everything as directed but couldnt find these two files:
C:\WINDOWS\System32\wi32.exe
C:\WINDOWS\System32\??rss.exe

I double checked my folder settings to make sure I could see all files. As for any problems, so far so good. :) Only thing is my background on the desktop is still all black and when I right click - properties, I dont have the option to change the background. ;)

Here's my log:
Logfile of HijackThis v1.99.1
Scan saved at 8:23:20 PM, on 4/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Internet Service Manager (INETSVC) - Unknown owner - C:\WINDOWS\INETSVC.EXE (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Thank you so much don! :tazz:
  • 0

#10
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi again Jennifer18,
We are getting close now,
One more time
Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the services called:

Internet Service Manager

or

INETSVC

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

INETSVC
Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

Post a new HiJackThis log after it reboots and let me know if you received any error messages.

Also,
Please Download
Silent Runners
Please create a folder for it please, Then double click on the program, It will save a notebook file in the same folder, Open that, copy, paste the log back to this thread please
  • 0

Advertisements


#11
Jennifer18

Jennifer18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hey Don ;)
Did everything as directed, here are the logs

Logfile of HijackThis v1.99.1
Scan saved at 11:25:30 PM, on 4/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Documents and Settings\user\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Wireless Configuration Utility.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


-------------------------------------------------------------------------------------


"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RecordNow!" = (no data)
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"mmtask" = "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" ["TODO: <Company name>"]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"CamMonitor" = "C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [empty string]
"Share-to-Web Namespace Daemon" = "C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"HPHUPD05" = "c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [file not found]
"HPHmon05" = "C:\WINDOWS\System32\hphmon05.exe" ["Hewlett-Packard"]
"HP Software Update" = ""C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"NAV CfgWiz" = "C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"" ["Symantec Corporation"]
"Cpqset" = "C:\Program Files\HPQ\Default Settings\cpqset.exe" [null data]
"Motive SmartBridge" = "C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."]
"ICQ Lite" = "C:\Program Files\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\RecordNow!\shlext.dll" ["Sonic Solutions"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\param32.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\wp.bmp"


Startup items in "user" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"NetAssistant" -> shortcut to: "C:\Program Files\NetAssistant\bin\matcli.exe -boot" ["Motive Communications, Inc."]
"Quicken Scheduled Updates" -> shortcut to: "C:\Program Files\Quicken\bagent.exe" ["Intuit Inc."]
"Wireless Configuration Utility" -> shortcut to: "C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe" [empty string]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\
(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Program Files\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SAVScan, SAVScan, "C:\Program Files\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------


PS: The silent runners thing set off Norton anti virus. I took a deep breath and trusted you :tazz:

PPS: Only problem that persists is I cant take back my background
  • 0

#12
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Looking better,

PS: The silent runners thing set off Norton anti virus. I took a deep breath and trusted you

Sorry about that I should have warned you :tazz:

Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\wp.bmp
C:\WINDOWS\System32\param32.dll

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.


Next,
*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.


Post back a fresh Silent runners log please
  • 0

#13
Jennifer18

Jennifer18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
I have reclaimed my desktop!!!! :tazz:

Here's the log, hoping to hear your confirmation that im in the clear.

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"RecordNow!" = (no data)
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"ICQ Lite" = "C:\Program Files\ICQLite\ICQLite.exe -trayboot" ["ICQ Ltd."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Apoint" = "C:\Program Files\Apoint2K\Apoint.exe" ["Alps Electric Co., Ltd."]
"AGRSMMSG" = "AGRSMMSG.exe" ["Agere Systems"]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [null data]
"mmtask" = "c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe" ["TODO: <Company name>"]
"UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"]
"CamMonitor" = "C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [empty string]
"Share-to-Web Namespace Daemon" = "C:\Program Files\HP\HP Share-to-Web\hpgs2wnd.exe" ["Hewlett-Packard"]
"HPHUPD05" = "c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [file not found]
"HPHmon05" = "C:\WINDOWS\System32\hphmon05.exe" ["Hewlett-Packard"]
"HP Software Update" = ""C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"" ["Hewlett-Packard"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"NAV CfgWiz" = "C:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"" ["Symantec Corporation"]
"Cpqset" = "C:\Program Files\HPQ\Default Settings\cpqset.exe" [null data]
"Motive SmartBridge" = "C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."]
"ICQ Lite" = "C:\Program Files\ICQLite\ICQLite.exe -minimize" ["ICQ Ltd."]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\RecordNow!\shlext.dll" ["Sonic Solutions"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\param32.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\wp.bmp"


Startup items in "user" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"HP Digital Imaging Monitor" -> shortcut to: "C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe" ["Hewlett-Packard Co."]
"NetAssistant" -> shortcut to: "C:\Program Files\NetAssistant\bin\matcli.exe -boot" ["Motive Communications, Inc."]
"Quicken Scheduled Updates" -> shortcut to: "C:\Program Files\Quicken\bagent.exe" ["Intuit Inc."]
"Wireless Configuration Utility" -> shortcut to: "C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.21 V1.30\WlanCU.exe" [empty string]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 17
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\
(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Program Files\ICQLite\ICQLite.exe" ["ICQ Ltd."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SAVScan, SAVScan, "C:\Program Files\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"]
SoundMAX Agent Service, SoundMAX Agent Service (default), "C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe" ["Analog Devices, Inc."]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
  • 0

#14
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Looking good !!!
Did you get any errors trying to delete this ? C:\wp.bmp

Please run through the steps I posted earlier in using killbox and try and delete

C:\wp.bmp

Glad to hear its working out for you,

:tazz:
  • 0

#15
Jennifer18

Jennifer18

    Member

  • Topic Starter
  • Member
  • PipPip
  • 11 posts
Hi Don,
Actually as I mentioned in one of my earlier posts I had been reading threads started by others thinking I could get rid of this without help. So I had downloaded killbox already and deleted the wp.bmp file. Before I had done that there was blue screen telling me I had spyware and needed to buy some program, after I deleted that it was just a black screen. So now that I did everything you mentioned, I have finally got back all the settings needed to change my desktop to something else. :)

So if you say im lookin good now (ah-thank-ya lol) then I think I am fully recovered and back to normal! Thank you 100x for your time & efforts. I'll be making a paypal donation shortly (probably tomorrow morning).


Thanks again!

;) :) :tazz: :) ;)

and every other applicable smiley!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP