[ikbod]

hiya there, my first time posting, have completed ALL steps outlined above, and here is the hijack this log, nb, i use a program called autoruns to prevent all the antivirus progs from starting up except avg

any help MUCH appreciated!!

Logfile of HijackThis v1.99.1
Scan saved at 19:04:52, on 21/05/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\HHVcdV5Sys\VC5SecS.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Raxco\PerfectDisk\PDSched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\HHVcdV5Sys\VC5Play.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Virtual CD v5\System\VC5Tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOWNLOADS\PROGRAMS\HIJACKTHIS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [BypmI] C:\winnt\temp\BypmI.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VC5Player] C:\Program Files\HHVcdV5Sys\VC5Play.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserves.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserves.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Researcher - {9455301C-CF6B-11D3-A266-00C04F689C50} - C:\Program Files\Common Files\Microsoft Shared\Encarta Researcher\EROProj.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zone...ctor/WebAAS.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1636B4B5-6B35-4EE0-8C7F-78E3F69AB018}: NameServer = 80.225.254.178 80.225.254.186
O17 - HKLM\System\CS1\Services\Tcpip\..\{1636B4B5-6B35-4EE0-8C7F-78E3F69AB018}: NameServer = 80.225.254.178 80.225.254.186
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PDScheduler (PDSched) - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDSched.exe
O23 - Service: Virtual CD v5 Security service (VC5SecS) - H+H Software GmbH - C:\Program Files\HHVcdV5Sys\VC5SecS.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

[Advertisements]

Hello ikbod and welcome to GeeksToGo.

Step 1
We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

• Open Microsoft AntiSpyware.
• Click on Tools, Settings.
• In the left pane, click on Real-time Protection.
• Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
• Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
• After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
• Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

After all of the fixes are complete it is very important that you enable Real-time Protection again.


Step 2
Open HijackThis, run a scan, then check the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [BypmI] C:\winnt\temp\BypmI.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserves.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserves.exe

With all other programs and browsers closed, click fix checked.


Step 3
Download and run Stinger

• Download Stinger and save it to your desktop.
• Reboot into safe mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter').
• Double-click on s-t-i-n-g-e-r.exe to open the tool.
• Choose your entire hard drive to scan.
• Choose Scan Now.
• Stinger will fix anything that it finds.

Step 4
Please set your computer to show all files.

• Double-click My Computer.
• Click the Tools menu, and then click Folder Options.
• Click the View tab.
• Clear "Hide file extensions for known file types."
• Under the "Hidden files" folder, select "Show hidden files and folders."
• Clear "Hide protected operating system files."
• Click Apply, and then click OK.

You will need to reverse this process when all steps are done.


Step 5
Download CCleaner from here to clean temp files from your computer.

• Double click on the file to start the installation of the program.
• Select your language and click OK, then next.
• Read the license agreement and click I Agree.
• Click next to use the default install location. Click Install then finish to complete installation.
• Double click the CCleaner shortcut on the desktop to start the program.
• Click Run Cleaner to run the program.
• Caution : It is not recommended to use the 'Issues' tab as it is known to find legitimate items.
• After it has completed it's process, click Exit.

Step 6
Please delete the following files/folders:
You'll need to search for these files with Explorer to delete. They may be in C:\WINDOWS\system32\ or C:\WINDOWS\
(Start > Search > All files and folders > More advanced options place a check in the first three boxes)

slserves.exe

If you have any problem deleting these files, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.


Step 7
Reboot normally and scan with HijackThis. Post the new log as a reply to this thread.
Please let us know of any complications you had and how the computer is behaving.

[alsocom]

Hello ikbod and welcome to GeeksToGo.

Step 1
We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

• Open Microsoft AntiSpyware.
• Click on Tools, Settings.
• In the left pane, click on Real-time Protection.
• Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
• Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
• After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
• Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

After all of the fixes are complete it is very important that you enable Real-time Protection again.


Step 2
Open HijackThis, run a scan, then check the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [BypmI] C:\winnt\temp\BypmI.exe
O4 - HKLM\..\RunServices: [NAV Auto Updates] slserves.exe
O4 - HKCU\..\Run: [NAV Auto Updates] slserves.exe

With all other programs and browsers closed, click fix checked.


Step 3
Download and run Stinger

• Download Stinger and save it to your desktop.
• Reboot into safe mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter').
• Double-click on s-t-i-n-g-e-r.exe to open the tool.
• Choose your entire hard drive to scan.
• Choose Scan Now.
• Stinger will fix anything that it finds.

Step 4
Please set your computer to show all files.

• Double-click My Computer.
• Click the Tools menu, and then click Folder Options.
• Click the View tab.
• Clear "Hide file extensions for known file types."
• Under the "Hidden files" folder, select "Show hidden files and folders."
• Clear "Hide protected operating system files."
• Click Apply, and then click OK.

You will need to reverse this process when all steps are done.


Step 5
Download CCleaner from here to clean temp files from your computer.

• Double click on the file to start the installation of the program.
• Select your language and click OK, then next.
• Read the license agreement and click I Agree.
• Click next to use the default install location. Click Install then finish to complete installation.
• Double click the CCleaner shortcut on the desktop to start the program.
• Click Run Cleaner to run the program.
• Caution : It is not recommended to use the 'Issues' tab as it is known to find legitimate items.
• After it has completed it's process, click Exit.

Step 6
Please delete the following files/folders:
You'll need to search for these files with Explorer to delete. They may be in C:\WINDOWS\system32\ or C:\WINDOWS\
(Start > Search > All files and folders > More advanced options place a check in the first three boxes)

slserves.exe

If you have any problem deleting these files, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.


Step 7
Reboot normally and scan with HijackThis. Post the new log as a reply to this thread.
Please let us know of any complications you had and how the computer is behaving.

[Kat]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.