Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

My HijackThis Log *Help needed*


  • This topic is locked This topic is locked

#1
iceyJDP

iceyJDP

    Member

  • Member
  • PipPip
  • 38 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:22:00 PM, on 5/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\lsansa.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\lsansa.exe
c:\windows\system32\uppgnfl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {98833A08-FE75-BFD2-7F42-F0C2665FF2C8} - C:\WINDOWS\Cfxfnppb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Search - {BA2E7D26-E4C1-9C50-3A1B-405DFAC9E857} - C:\WINDOWS\Cfxfnppb.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [weelhj] c:\windows\system32\uppgnfl.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [lsansa] C:\WINDOWS\System32\lsansa.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [lsansa] C:\WINDOWS\System32\lsansa.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_11078.dll' missing
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Edited by iceyJDP, 07 May 2005 - 12:36 PM.

  • 0

Advertisements


#2
iceyJDP

iceyJDP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
Logfile of HijackThis v1.99.1
Scan saved at 1:47:26 PM, on 5/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\lsansa.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\lsansa.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\windows\system32\slqvfd.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {98833A08-FE75-BFD2-7F42-F0C2665FF2C8} - C:\WINDOWS\Cfxfnppb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Search - {BA2E7D26-E4C1-9C50-3A1B-405DFAC9E857} - C:\WINDOWS\Cfxfnppb.dll (file missing)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [cxoluw] c:\windows\system32\slqvfd.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [lsansa] C:\WINDOWS\System32\lsansa.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [lsansa] C:\WINDOWS\System32\lsansa.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'xfire_lsp_11078.dll' missing
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Edited by iceyJDP, 07 May 2005 - 04:08 PM.

  • 0

#3
Guest_thatman_*

Guest_thatman_*
  • Guest
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.

Kc :tazz:
  • 0

#4
iceyJDP

iceyJDP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
thanks for the reply KC!
i downloaded the service pack and tried to install it

it repsonded terribly and said something like this:

''The core system file (kernel) used to start this computer is not a microsoft windows file
The service pack will not be installed!
  • 0

#5
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi iceyJDP

Please read through the instructions before you start (you may want to print this out).

Please set your system to show all files; please see here if you're unsure how to do this.

Please download LSPfix and save it to the Desktop and unzip it.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:
C:\WINDOWS\System32\lsansa.exe
C:\WINDOWS\System32\lsansa.exe
c:\windows\system32\slqvfd.exe

Exit the Task Manager when finished.

Run LSPfix and place a check against the I know what I am doing checkbox.
Highlight every instance of the following names and move them from the Keep to the Remove panel. Be sure to move nothing other than the files listed below!
10 - broken internet access because of lsp provider xfire_lsp_11078.dll missing
When done, click on Finish to exit the program; do not use the X in the top right-hand corner as nothing will happen!

Lets see if this will finds any hidden Trojan’s http://www.ewido.net/en/download/
This setup contains the free as well as the plus-version of the ewido security suite. After the installation, a free 14-day test version containing all the extensions of the plus-version will be activated. At the end of the test phase, the extensions of the plus version are deactivated and the freeware version can be used unlimited times. The purchased license code of the plus version can be entered at any time.
Ewido will auto-udate then run a full scan save the log when the scan has finnished.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: (no name) - {98833A08-FE75-BFD2-7F42-F0C2665FF2C8} - C:\WINDOWS\Cfxfnppb.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Search - {BA2E7D26-E4C1-9C50-3A1B-405DFAC9E857} - C:\WINDOWS\Cfxfnppb.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [cxoluw] c:\windows\system32\slqvfd.exe
O4 - HKCU\..\Run: [lsansa] C:\WINDOWS\System32\lsansa.exe
O4 - HKCU\..\RunOnce: [lsansa] C:\WINDOWS\System32\lsansa.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

Click on Fix Checked when finished and exit HijackThis.


Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

If you were unable to find any of the files then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes. Let the system reboot.
C:\WINDOWS\System32\lsansa.exe
c:\windows\system32\slqvfd.exe
C:\WINDOWS\dlmax.dll
C:\Program Files\E2G\IeBHOs.dll
C:\WINDOWS\farmmext.exe
C:\WINDOWS\web\related.htm
C:\WINDOWS\svcproc.exe


Reboot as normal.

Please download, install and run this disk cleanup utility called Cleanup version 4.0!
http://downloads.ste...p/CleanUp40.exe
It will get rid of any malware which may be hiding in your temp folders ( a common hiding place). You will also regain a massive amount of disk space. Here is a tutorial which describes its usage:
http://www.bleepingc...tutorial93.html
Check the custom settings to your liking under options, but be sure to delete temporary files and temporary internet files for all user profiles. Also, cleanout the prefetch folder and the recycle bin.
Reboot when prompted to let it clean out the remaining files.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#6
iceyJDP

iceyJDP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
the processes you wanted me to close in safemode were not present when i opened task manager and clicked on the processes tab!

should i carry on with your instructions or what?

by the way i'm in safemode with networking because your instructions did not specify which safemode to choose. regardless i'm going to ask you anyway.

Edited by iceyJDP, 16 May 2005 - 03:31 PM.

  • 0

#7
iceyJDP

iceyJDP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
Logfile of HijackThis v1.99.1
Scan saved at 7:38:22 PM, on 5/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\wuauclt.exe
F:\SETUP.EXE
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {98833A08-FE75-BFD2-7F42-F0C2665FF2C8} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)











Looks like i did some help but the internet access still seams broken.
my sound card is installed correctly and the driver is updated but the sound doesnt work and when i try to play the sound the program trying to run the mp3 or music wav becomes non responsive and also when i right click on my computer it only shows the ram i have, does not show the processor speed although it says it is installed and working properly it also appears on dxdiag but does not show up in "my computer" properties. it wont do any updates or anything it still says ''the core system file (kernel) used to start this computer is not a microsoft windows file. so yeah maybe there is more cleaning up to do any stuff, just wanted to tell you all these things were happening before i did what you told me but it seems the aurora popups and the randomnar file (6digits or so process) in the task manager are not present anything so i think we have done some progress but i still think there is alot to be done :tazz:

Edited by iceyJDP, 16 May 2005 - 08:05 PM.

  • 0

#8
iceyJDP

iceyJDP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
Panda nor TrendMicro would let me scan, first off panda needed internet explorer to be run but i use Mozilla firefox for obvious reasons and then i tried trendmicro and it considered my browser a netscape browser and took me to a link to download a setup so this is just the log from the ewido security suite looks like it couldnt remove quite a few things! here it is


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:57:35 PM, 5/16/2005
+ Report-Checksum: BCB6BEA3

+ Date of database: 5/17/2005
+ Version of scan engine: v3.0

+ Duration: 71 min
+ Scanned Files: 57183
+ Speed: 13.37 Files/Second
+ Infected files: 125
+ Removed files: 64
+ Files put in quarantine: 64
+ Files that could not be opened: 0
+ Files that could not be cleaned: 60

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\
E:\
C:\WINDOWS

+ Scan result:
C:\Documents and Settings\Jonn\My Documents\Cookies\jonn@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jonn\My Documents\Cookies\jonn@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jonn\My Documents\Cookies\jonn@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Jonn\My Documents\Cookies\jonn@geocities[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\HiJackThis\backups\backup-20050516-184818-398.dll -> Spyware.DlMax.a -> Ignored
C:\WINDOWS\bsx32\ADTMI1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ADVC5.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ADVCTX2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIB9894.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIC29667.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASID12180.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIE17070.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIF29819.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIF4502.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIFWH29233.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIG21943.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIGT10102.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIH7853.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASII21469.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIL18549.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIOG19375.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIOT25456.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIPF1965.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIR21184.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIRE20082.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIS24110.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIS31590.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIT17011.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIT26116.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIW11211.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\ASIWS3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\BID1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\BingoRoom1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\CARD2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\CARS3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\DATE4.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\EML1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\FAST1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\FINC3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\FINC5.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\FLWR1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\HERBS1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\INK1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\JOBS4.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\MOVS2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\NEWS2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\SHOP2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\SPEC1.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\TECH2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\TVEN2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\UTONE2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\WWW3.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\bsx32\XTFL2.bsx -> Spyware.BookedSpace -> Cleaned with backup
C:\WINDOWS\dgkukxkeq.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Cleaned with backup
C:\WINDOWS\systb.exe -> Trojan.Imiserv.c -> Cleaned with backup
C:\WINDOWS\system32\atmsdl.exe -> TrojanSpy.VB.eh -> Cleaned with backup
C:\WINDOWS\system32\k404SearchSetup_MS14.exe -> Spyware.404Search.a -> Cleaned with backup
C:\WINDOWS\system32\msdmsr.exe -> TrojanSpy.VB.eh -> Cleaned with backup
C:\WINDOWS\system32\skytown.exe -> TrojanSpy.VB.eh -> Cleaned with backup
C:\WINDOWS\system32\SplWbr.dll -> TrojanDropper.Small.sf -> Cleaned with backup
C:\WINDOWS\wupdsnff.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Cleaned with backup
C:\WINDOWS\bsx32\ADTMI1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ADVC5.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ADVCTX2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIB9894.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIC29667.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASID12180.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIE17070.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIF29819.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIF4502.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIFWH29233.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIG21943.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIGT10102.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIH7853.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASII21469.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIL18549.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIOG19375.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIOT25456.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIPF1965.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIR21184.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIRE20082.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIS24110.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIS31590.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIT17011.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIT26116.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIW11211.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\ASIWS3.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\BID1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\BingoRoom1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\CARD2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\CARS3.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\DATE4.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\EML1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\FAST1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\FINC3.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\FINC5.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\FLWR1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\HERBS1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\INK1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\JOBS4.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\MOVS2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\NEWS2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\SHOP2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\SPEC1.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\TECH2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\TVEN2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\UTONE2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\WWW3.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\bsx32\XTFL2.bsx -> Spyware.BookedSpace -> Error during cleaning
C:\WINDOWS\dgkukxkeq.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\systb.dll -> Spyware.ImiBar.d -> Error during cleaning
C:\WINDOWS\systb.exe -> Trojan.Imiserv.c -> Error during cleaning
C:\WINDOWS\system32\atmsdl.exe -> TrojanSpy.VB.eh -> Error during cleaning
C:\WINDOWS\system32\k404SearchSetup_MS14.exe -> Spyware.404Search.a -> Error during cleaning
C:\WINDOWS\system32\msdmsr.exe -> TrojanSpy.VB.eh -> Error during cleaning
C:\WINDOWS\system32\skytown.exe -> TrojanSpy.VB.eh -> Error during cleaning
C:\WINDOWS\system32\SplWbr.dll -> TrojanDropper.Small.sf -> Error during cleaning
C:\WINDOWS\wupdsnff.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\wupdt.exe -> TrojanDownloader.Intexp.c -> Error during cleaning


::Report End
  • 0

#9
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi iceyJDP

safemode<--Yes
safemode with networking<--No
safemode with command prompt<--No

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.
C:\WINDOWS\bsx32\ADTMI1.bsx
C:\WINDOWS\bsx32\ADVC5.bsx
C:\WINDOWS\bsx32\ADVCTX2.bsx
C:\WINDOWS\bsx32\ASIB9894.bsx
C:\WINDOWS\bsx32\ASIC29667.bsx
C:\WINDOWS\bsx32\ASID12180.bsx
C:\WINDOWS\bsx32\ASIE17070.bsx
C:\WINDOWS\bsx32\ASIF29819.bsx
C:\WINDOWS\bsx32\ASIF4502.bsx
C:\WINDOWS\bsx32\ASIFWH29233.bsx
C:\WINDOWS\bsx32\ASIG21943.bsx
C:\WINDOWS\bsx32\ASIGT10102.bsx
C:\WINDOWS\bsx32\ASIH7853.bsx
C:\WINDOWS\bsx32\ASII21469.bsx
C:\WINDOWS\bsx32\ASIL18549.bsx
C:\WINDOWS\bsx32\ASIOG19375.bsx
C:\WINDOWS\bsx32\ASIOT25456.bsx
C:\WINDOWS\bsx32\ASIPF1965.bsx
C:\WINDOWS\bsx32\ASIR21184.bsx
C:\WINDOWS\bsx32\ASIRE20082.bsx
C:\WINDOWS\bsx32\ASIS24110.bsx
C:\WINDOWS\bsx32\ASIS31590.bsx
C:\WINDOWS\bsx32\ASIT17011.bsx
C:\WINDOWS\bsx32\ASIT26116.bsx
C:\WINDOWS\bsx32\ASIW11211.bsx
C:\WINDOWS\bsx32\ASIWS3.bsx
C:\WINDOWS\bsx32\BID1.bsx
C:\WINDOWS\bsx32\BingoRoom1.bsx
C:\WINDOWS\bsx32\CARD2.bsx
C:\WINDOWS\bsx32\CARS3.bsx
C:\WINDOWS\bsx32\DATE4.bsx
C:\WINDOWS\bsx32\EECH1.bsx
C:\WINDOWS\bsx32\EML1.bsx
C:\WINDOWS\bsx32\FAST1.bsx
C:\WINDOWS\bsx32\FINC3.bsx
C:\WINDOWS\bsx32\FINC5.bsx
C:\WINDOWS\bsx32\FLWR1.bsx
C:\WINDOWS\bsx32\HERBS1.bsx
C:\WINDOWS\bsx32\INK1.bsx
C:\WINDOWS\bsx32\JOBS4.bsx
C:\WINDOWS\bsx32\MOVS2.bsx
C:\WINDOWS\bsx32\NEWS2.bsx
C:\WINDOWS\bsx32\SHOP2.bsx
C:\WINDOWS\bsx32\SPEC1.bsx
C:\WINDOWS\bsx32\SPZ3.bsx
C:\WINDOWS\bsx32\TECH2.bsx
C:\WINDOWS\bsx32\TVEN2.bsx
C:\WINDOWS\bsx32\UTONE2.bsx
C:\WINDOWS\bsx32\WWW3.bsx
C:\WINDOWS\bsx32\XTFL2.bsx
C:\WINDOWS\dgkukxkeq.exe
C:\WINDOWS\systb.dll
C:\WINDOWS\systb.exe
C:\WINDOWS\system32\atmsdl.exe
C:\WINDOWS\system32\k404SearchSetup_MS14.exe
C:\WINDOWS\system32\msdmsr.exe
C:\WINDOWS\system32\skytown.exe
C:\WINDOWS\system32\SplWbr.dll
C:\WINDOWS\wupdsnff.exe
C:\WINDOWS\wupdt.exe

Reboot into normal mode.

C:\WINDOWS\bsx32<--Delete the whole folder

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Please run the following free, online virus scans.
http://www.ravantivirus.com/scan/
Please post the logs From virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#10
iceyJDP

iceyJDP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
Logfile of HijackThis v1.99.1
Scan saved at 5:37:26 PM, on 5/17/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c.../search/ie.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {98833A08-FE75-BFD2-7F42-F0C2665FF2C8} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)


http://www.ravantivirus.com/ will not let me scan a whole folder or diskdrive unless i'm running internet explorer but my internet explorer is still not working although moxilla firefox and other things are working fine it will only let me scan one file at a time which i know you did not intend me to do. Above is my hijackthislog.


EDIT: IT Seems like my internet explorer suddenly started working and i think the LSP is fixed but there are still some problems with some of the microsoft software and some system recognition, also my sound had stopped working a month or two ago and now when i try to install the new drivers for it and stuff it shows that it is working properly but it does not convert to sound when i try to run a mp3 the program trying to run the mp3 becomes nonresponsive, I'm also going to give the online scan a shot. by the way when i try to do the express from the microsoft site to keep my computer up to date and virus free, the service packs just do not install it will download then will say ''failed!''

EDIT, Internet explorer is working fine, and i finally got my sound, it seems the Windows Audio was disabled so i had to enable it. anyway i figured out that one on my own but there is still a error when i open WMP saying ''An internal application error has occured.

Edited by iceyJDP, 17 May 2005 - 08:49 PM.

  • 0

Advertisements


#11
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi

Please read through the instructions before you start (you may want to print this out).

Please download and install these programs - don't run them yet!!

Trojan remover tool 1

Kaspersky Worm Removal Tool tool 2

sphjfix tool 3

Clear out the files in the Prefetch folder. Go to start> run> type into the box Prefetch and delete all the files in that folder.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Reboot into Safe Mode: Click here if you don't know how to do this.

Run tool 1 Ewido save the log post the log with your next post.

Run tool 2 Kaspersky Worm Removal Tool save the log post the log with your next post.

Run tool 3 sphjfix save the log post the log with your next post.

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure all are checked and then press *ok* to remove:

Reboot as normal

It still may not work but lets try.
Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#12
iceyJDP

iceyJDP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
i could not download Tool two
http://downloads1.ka...clrav/clrav.zip
Kaspersky worm remover because your link did not work anyway i cleaned out the prefetch and deleted all the files in it then ran diskcleanup ''cleanmgr''

booted into safemode ran scan with ewido security suite

Log here




--------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:55:13 PM, 5/18/2005
+ Report-Checksum: 81B85EAF

+ Date of database: 5/18/2005
+ Version of scan engine: v3.0

+ Duration: 57 min
+ Scanned Files: 49744
+ Speed: 14.42 Files/Second
+ Infected files: 2
+ Removed files: 2
+ Files put in quarantine: 2
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
D:\

+ Scan result:
C:\Documents and Settings\Jon\Cookies\jon@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\HiJackThis\backups\backup-20050516-184818-398.dll -> Spyware.DlMax.a -> Cleaned with backup


::Report End









Ran SPSeHjFix
Log here:



(5/18/05 5:58:08 PM) SPSeHjFix started v1.1.2
(5/18/05 5:58:08 PM) OS: WinXP (5.1.2600)
(5/18/05 5:58:08 PM) Language: english
(5/18/05 5:58:08 PM) Win-Path: C:\WINDOWS
(5/18/05 5:58:08 PM) System-Path: C:\WINDOWS\System32
(5/18/05 5:58:08 PM) Temp-Path: C:\DOCUME~1\Jon\LOCALS~1\Temp\


(5/18/05 6:55:49 PM) SPSeHjFix started v1.1.2
(5/18/05 6:55:49 PM) OS: WinXP (5.1.2600)
(5/18/05 6:55:49 PM) Language: english
(5/18/05 6:55:49 PM) Win-Path: C:\WINDOWS
(5/18/05 6:55:49 PM) System-Path: C:\WINDOWS\System32
(5/18/05 6:55:49 PM) Temp-Path: C:\DOCUME~1\Jon\LOCALS~1\Temp\
(5/18/05 6:55:50 PM) Disinfection started
(5/18/05 6:55:50 PM) Bad-Dll(IEP): (not found)
(5/18/05 6:55:50 PM) Bad-Dll(IEP) in BHO: (not found)
(5/18/05 6:55:50 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/18/05 6:55:50 PM) UBF: 4 - UBB: 1 - UBR: 2
(5/18/05 6:55:50 PM) Bad IE-pages:
deleted: HKCU\Software\Microsoft\Internet Explorer\Main, Search Page:
deleted: HKLM\Software\Microsoft\Internet Explorer\Main, Search Page:
(5/18/05 6:55:50 PM) Stealth-String not found
(5/18/05 6:55:50 PM) Not infected->END



New Hijackthis Log


Logfile of HijackThis v1.99.1
Scan saved at 7:30:56 PM, on 5/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Ares Lite Edition\Ares.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {98833A08-FE75-BFD2-7F42-F0C2665FF2C8} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: www.miniclip.com
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)



IT SEEMS MY PREFETCH FOLDER IS FULL OF MORE FILES, I JUST CHECKED IT AND THERE ARE STILL FILES IN IT
  • 0

#13
iceyJDP

iceyJDP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
ehh new hijackthis log


Logfile of HijackThis v1.99.1
Scan saved at 9:44:06 PM, on 5/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\taskmgr.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {98833A08-FE75-BFD2-7F42-F0C2665FF2C8} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [trmxadhss] C:\WINDOWS\System32\bpqtft.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [rxmxdzi] C:\WINDOWS\System32\bpqtft.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [PC Booster] C:\Program Files\inKline Global\PC Booster\pcbooster.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mexswxggtz] C:\WINDOWS\System32\bpqtft.exe
O4 - HKLM\..\Run: [looodwsgnn] C:\WINDOWS\System32\bpqtft.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [bpqtft] c:\windows\system32\bpqtft.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [prgtect] C:\WINDOWS\System32\prgtect.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [intfat32] C:\WINDOWS\System32\intfat32.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O15 - Trusted Zone: www.miniclip.com
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Panda ActiveScan 5.03.00 LOG


Incident Status Location

Adware:Adware/Gator No disinfected C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Date Manager.lnk
Adware:Adware/Gator No disinfected C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\GStartup.lnk
Adware:Adware/Gator No disinfected C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\PrecisionTime.lnk
Spyware:Spyware/New.net No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\Program Files\TimeSync
Adware:Adware/IEPlugin No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\dlmax.inf
Adware:Adware/Gator No disinfected C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Date Manager.lnk
Adware:Adware/Gator No disinfected C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\GStartup.lnk
Adware:Adware/Gator No disinfected C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\PrecisionTime.lnk
Adware:Adware/SAHAgent No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0006235.dll
Adware:Adware/SAHAgent No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0006236.dll
Spyware:Spyware/New.net No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0006239.dll
Spyware:Spyware/New.net No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0006240.dll
Adware:Adware/QuickSearch No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0006241.dll
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0006242.exe
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0007268.dll
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0007269.dll
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0007270.exe
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0007274.dll
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0007275.dll
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP38\A0009227.exe
Adware:Adware/Gator No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP38\A0009230.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018090.lnk
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018091.lnk
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018092.lnk
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018093.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018094.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018095.exe
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018097.dll
Adware:Adware/eZula No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018103.exe
Adware:Adware/KeenValue No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018105.exe
Adware:Adware/KeenValue No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018106.exe
Adware:Adware/KeenValue No disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018107.exe
Virus:Trj/Downloader.IA Disinfected C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018108.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\farmmext.ini
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorUninstaller_cme.log
Adware:Adware/Gator No disinfected C:\WINDOWS\GatorUninstaller_cme_u.log
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\dlmax.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\farmmext.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\kfrnvc.exe
Adware:Adware/Megasearch No disinfected C:\WINDOWS\system32\MegasearchBarSetup.dll
Virus:Trj/Downloader.CHU Disinfected C:\WINDOWS\system32\SHAgentNew.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmltok.dll

Edited by iceyJDP, 18 May 2005 - 11:17 PM.

  • 0

#14
Guest_thatman_*

Guest_thatman_*
  • Guest
Hi iceyJDP

The folowing malware in Is in your system restore
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0006235.dll
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0006236.dll
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0006239.dll
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0006240.dll
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0006241.dll
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0006242.exe
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0007268.dll
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0007269.dll
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0007270.exe
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0007274.dll
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP2\A0007275.dll
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP38\A0009227.exe
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP38\A0009230.exe
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018090.lnk
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018091.lnk
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018092.lnk
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018093.dll
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018094.dll
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018095.exe
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018097.dll
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018103.exe
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018105.exe
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018106.exe
C:\System Volume Information\_restore{1788D871-1C3D-40CB-A28D-E28327542DB4}\RP60\A0018107.exe




Using Windows Explorer delete the following files if present:
C:\Program Files\TimeSync<--Delete the whole folder

Download Pocket Killbox and unzip it; save it to your Desktop.
Run killbox and click the radio button that says Delete a file on reboot.
Copy and Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in where upon you should answer Yes.
Let the system reboot.
C:\WINDOWS\farmmext.ini
C:\WINDOWS\GatorUninstaller_cme.log
C:\WINDOWS\GatorUninstaller_cme_u.log
C:\WINDOWS\inf\dlmax.inf
C:\WINDOWS\inf\farmmext.inf
C:\WINDOWS\kfrnvc.exe
C:\WINDOWS\system32\MegasearchBarSetup.dll
C:\WINDOWS\system32\xmlparse.dll
C:\WINDOWS\system32\xmltok.dll
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Date Manager.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\GStartup.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\PrecisionTime.lnk
C:\WINDOWS\inf\dlmax.inf
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\Date Manager.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\GStartup.lnk
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\PrecisionTime.lnk

Reboot as normal

Turn of system restore
Disabling or enabling Windows XP System Restore
WIndows ME
Defrag your hard drive. Turn system restore back on and create a new restore point.

Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.log we will need them to remove previous infections that have left files on your system.

Kc :tazz:
  • 0

#15
iceyJDP

iceyJDP

    Member

  • Topic Starter
  • Member
  • PipPip
  • 38 posts
Logfile of HijackThis v1.99.1
Scan saved at 11:05:58 PM, on 5/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\dmremote.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Error Nuker\bin\ErrorNuker.exe
C:\Program Files\Ares Lite Edition\Ares.exe
C:\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {98833A08-FE75-BFD2-7F42-F0C2665FF2C8} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKLM\..\Run: [conscorr] C:\WINDOWS\conscorr.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [prgtect] C:\WINDOWS\System32\prgtect.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [intfat32] C:\WINDOWS\System32\intfat32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivi...n/ravonline.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



Just a question should i download error nuker and run it and let it fix my registry?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP