Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Red circle with white cross


  • Please log in to reply

#1
digicraft63

digicraft63

    Member

  • Member
  • PipPip
  • 20 posts
Hello!
I have this red circle with a white cross in my taskbar. If I move the cursor over it it says "Your computer is infected".

I have read solutions of this problem from other threads but it looks like the problem is caused by diferent reasons. None of the solutions where aplicable to my problem.

The circle came together with the Azesearch and AntivirusGold terror. I got rid of both of them but the the circle stays. It is anoying. Can anybody help out. Here is the log.

Logfile of HijackThis v1.99.1
Scan saved at 11:54:16, on 2005-06-03
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\runservice.exe
C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\M-Audio USB Quattro\Install\QuatInst.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Ahead\InCD\InCD.exe
C:\Program\Messenger Plus! 3\MsgPlus.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\hookdump.exe
C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program\M-Audio USB Quattro\QuatTask.exe
C:\Program\Java\jre1.5.0_02\bin\javaw.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
E:\Programs&installs\Anti spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.expressen.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasada.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TomcatStartup] C:\Program\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [GChelper] c:\Program Files\Group Calendar\GChelper.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program\M-Audio USB Quattro\QuatTask.exe
O4 - Startup: Maya 6 helpserver.lnk = C:\Program\Alias\Maya6.0\docs\helpserver.jar
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4320FDC8-37CC-4474-A0C0-AA9E303E8912}: NameServer = 192.168.2.100,81.26.228.3
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program\Ahead\InCD\InCDsrv.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program\M-Audio USB Quattro\Install\QuatInst.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements


#2
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Hi digicraft63 and Welcome to Geeks to Go!!!

In order to nail this infection down I am going to need to get some more Info from you!

A couple of tools I wasnt you to run should provide most of the Info I need!

Please Download Billsway Reg Search tool
http://www.billsway.com/vbspage/

Scroll down the page
and download the "Registry Search Tool"

Unzip RegSrch.zip to the desktop

Double click on RegSrch.vbs

If you get a warning from your Anti Virus please ignore it and allow this to run.

When it starts, you will be prompted to enter a search phrase.

For the First Search please enter hookdump.exe

Save that Report

Next Search enter AntivirusGold

Save the Report

Last Search enter Azesearch

Save the Resport!

Now Click Start>>Click Run>>Enter the Bold Text Below and Click OK!

regedit /e c:\key.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"


Please make sure all the Text was entered before click OK!


Now,I need you to search your system for a few entries!

Open the Search Assistant (Click Start>>Click Search)
Select All Files and Folders,
Select Advanced Options,
Make sure there is a check by these 3:

Search System Folders
Search hidden files and folders
Search Subfolders


Now under All Files and Folders,Search the System for these

hookdump.exe

AntivirusGold

Azesearch


I know it seems like alot of useless work but in the end I think it will speed up the process!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>OK>>Follow the Prompts to Restart!!

Please post back with all the Reports and a fresh HijackThis log!
  • 0

#3
digicraft63

digicraft63

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Thank you this far.

The was no report of instances of azesearch using RegSrch.vbs, but for the other two. I am attaching the reports

Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 15:49:56, on 2005-06-04
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\runservice.exe
C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\M-Audio USB Quattro\Install\QuatInst.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Ahead\InCD\InCD.exe
C:\Program\Messenger Plus! 3\MsgPlus.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\WINDOWS\system32\hookdump.exe
C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program\M-Audio USB Quattro\QuatTask.exe
C:\Program\Java\jre1.5.0_02\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Programs&installs\Anti spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.expressen.se/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasada.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TomcatStartup] C:\Program\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [GChelper] c:\Program Files\Group Calendar\GChelper.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program\M-Audio USB Quattro\QuatTask.exe
O4 - Startup: Maya 6 helpserver.lnk = C:\Program\Alias\Maya6.0\docs\helpserver.jar
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4320FDC8-37CC-4474-A0C0-AA9E303E8912}: NameServer = 192.168.2.100,81.26.228.3
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program\Ahead\InCD\InCDsrv.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program\M-Audio USB Quattro\Install\QuatInst.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

Attached Files


  • 0

#4
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Sorry I missed part of my instructions!

Locate c:\key.txt and post those results as well!

What about the System search for those names?
  • 0

#5
digicraft63

digicraft63

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Thanks again and for that you guys are existing.

I suspected you wanted some more results. I didn´t make sense to me to do the regedit and the system search without handle over the results, but since you are the experts in these terrorist matters I didn´t dare to question your procedure.

Now it makes a lot more sence to me and you have also given me a hint of a new way of comunicating with the registry editor :-)

I did find some hits on the system search and here they are:

HOOKDUMP.EXE-3410C464.pf C:\WINDOWS\Prefetch
hookdump.exe C:\WINDOWS\system32

azesearch4.ocx C\WINDOWS\System32

ANTIVIRUSGOLD.EXE-195AABB6.pf C:\WINDOWS\Prefetch

Attached Files

  • Attached File  key.txt   2.77KB   108 downloads

  • 0

#6
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Sorry it has taken me so long to get back to you,I got called out on buisness!

Please use the link below to make a backup of the entire registry!
http://service1.syma...c_nam#_Section2

Download the Registry File I have attached to get all the entries that have been added!!

Unzip it but dont use it yet,just make the backup of your registry before you go any further!

Please download these 3 programs,All these are a plus to any PC for thorough Cleanings!

Download Ewido Security Suite, install then from within the program check for updates BUT dont scan yet
Ewido Security Suite:
http://www.ewido.net/en/download/

When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
We will fix this in a moment.

From the main Ewido screen, Click on Update in the left menu, then click the Start Update button.

After the Update finishes (the status bar at the bottom will display "Update successful"), Now close the program.

If you have problems updating see here
http://www.ewido.net...wnload/updates/

AdawareSE 1.06
http://www.bleepingc...showtutorial=48

The link will tell you how to Install>Update>Configure and Scan!

CleanUp! 4.0
http://downloads.ste...p/CleanUp40.exe

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

Locate and Delete

C:\WINDOWS\system32\iasada.dll<< File!

C:\WINDOWS\system32\hookdump.exe<< File!

C:\WINDOWS\screen.html<< File!

C:\Program\AntiVirusGold<< Folder!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O2 - BHO: AddressBar Class - {f65b197f-8260-4d52-909a-f70118e646eb} - C:\WINDOWS\system32\iasada.dll

O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe

O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.co...wnload/cult.cab

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab

O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab

O16 - DPF: {D7BF3304-138B-4DD5-86EE-491BB6A2286C} -

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Locate the Reg file you downloaded earlier and Double Click to Execute it!

Allow it to merge into the Registry!

Scan the System with Ewido and Save a Report!

Scan With Ad Aware Remove all it finds and Delete the Quaratine Files!

Run CleanUp and Allow it to Restart the PC when its done!

Restart Normal and have the PC Scanned here
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work!

Save the Report it generates!

Post back with the Reports from Ewido>>Panda and a fresh HijackThis log!

Attached Files


  • 0

#7
digicraft63

digicraft63

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hello again
I have followed all the listed steps but I run in to an error when I tried to run your regedit script "ClrReg.reg". It says something like (translated from Swedish):

CrlReg.reg could not be imported. The selected file is not a registry script. You can only import binary registry files from within the Registry Editor.

I tried that to but it didn´t make a difference.

Anyway after the reboot the problem with the red circle seems to be gone. But It might be some scraples left i presume?
  • 0

#8
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
See if this one works better!!

After that lets see the results from Panda and a fresh HijackThis log!

Attached Files


  • 0

#9
digicraft63

digicraft63

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hello!

I have been busy for a couple of days.

The new ClrReg.reg worked.
It has been used.

Meanwhile it looks like I got hijacked by mysearch, so now I have to get rid of that.

Here is the new log

Logfile of HijackThis v1.99.1
Scan saved at 21:40:39, on 2005-06-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\runservice.exe
C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\M-Audio USB Quattro\Install\QuatInst.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Ahead\InCD\InCD.exe
C:\Program\Messenger Plus! 3\MsgPlus.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Internet Explorer\iexplore.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
c:\program\intern~1\iexplore.exe
C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program\WinZip\WZQKPICK.EXE
C:\Program\M-Audio USB Quattro\QuatTask.exe
C:\Program\Java\jre1.5.0_02\bin\javaw.exe
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nixxahkssetvz...Wr9BiY5rBQ.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mpbaeqqaa...qOY5IhBs0is.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0BAE8503-286B-D230-6074-35E402816411} - C:\DOCUME~1\Hasse\APPLIC~1\MEMONE~1\gram wave.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TomcatStartup] C:\Program\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe"
O4 - HKLM\..\Run: [meowbenddefaultlong] C:\Documents and Settings\All Users\Application Data\shim start meow bend\chincurb.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [GChelper] c:\Program Files\Group Calendar\GChelper.exe
O4 - HKCU\..\Run: [pingeach] C:\DOCUME~1\Hasse\APPLIC~1\JUMPDA~1\Tons Bat Funk.exe
O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program\M-Audio USB Quattro\QuatTask.exe
O4 - Startup: Maya 6 helpserver.lnk = C:\Program\Alias\Maya6.0\docs\helpserver.jar
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4320FDC8-37CC-4474-A0C0-AA9E303E8912}: NameServer = 192.168.2.100,81.26.228.3
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program\Ahead\InCD\InCDsrv.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program\M-Audio USB Quattro\Install\QuatInst.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
  • 0

#10
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Do you know what this is:
C:\Program\Alias\Maya6.0\docs\helpserver.jar

Go to Add\Remove Programs and Remove Messanger Plus! 3,Be Sure to follow all the directions to properly remove it!

Download rkfiles.zip and unzip it to its own permanent folder but dont run it yet!
http://skads.org/special/rkfiles.zip

Update Ad Aware and Ewido!!!!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode,Configure Windows to Show All Hidden Files and Folders,this must be done after restarting in Safe Mode!!

Here is a link to help with that
http://www.bleepingc...showtutorial=62

Be sure to follow the directions that apply to your Operating System!

From the Unzipped rkfiles.zip,Locate the rkfiles.bat file and double-click it to run it!

It will take some time to complete,please wait until the DOS window closes before proceeding!

Once its complete,Locate and Delete these

C:\Documents and Settings\All Users\Application Data\shim start meow bend<< Folder!

C:\Documents and Settings\Hasse\Application Data\MEMONE~1<< Folder!,Unsure of Entire Name!

C:\Documents and Settings\Hasse\Application Data\JUMPDA~1<< Folder!,Unsure of Entire Name!

Now Scan With Ewido and Save the Log!

Scan With Ad Aware and Remove all it Finds,delete quaraine files!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://nixxahkssetvz...Wr9BiY5rBQ.html

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mpbaeqqaa...qOY5IhBs0is.cgi

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {0BAE8503-286B-D230-6074-35E402816411} - C:\DOCUME~1\Hasse\APPLIC~1\MEMONE~1\gram wave.exe

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"

O4 - HKLM\..\Run: [meowbenddefaultlong] C:\Documents and Settings\All Users\Application Data\shim start meow bend\chincurb.exe

O4 - HKCU\..\Run: [pingeach] C:\DOCUME~1\Hasse\APPLIC~1\JUMPDA~1\Tons Bat Funk.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Restart Normal and Have the PC Scanned here
http://www.kaspersky...oduct=161744315

Once Completed,Locate and post C:\log.txt the results from Ewido and a fresh HijackThis Log!
  • 0

Advertisements


#11
digicraft63

digicraft63

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
[quote name='Cretemonster' date='Jun 9 2005, 10:06 PM']
Do you know what this is:
C:\Program\Alias\Maya6.0\docs\helpserver.jar

- It is the java-based help system to Maya 6 that need to be started before using it.

The scary thing about this is that it takes seconds to get the parasites in to the system but hours to get rid of it.

I´ll get to your instructions as soon as possible. Thanks for the job your doing. I´ll be back.
  • 0

#12
digicraft63

digicraft63

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi!

Update Ad Aware and Ewido!!!!¨

- There were no updates availible.


C:\Documents and Settings\Hasse\Application Data\MEMONE~1<< Folder!,Unsure of Entire Name!

- The folder didn´t contain anything, but I deleted it.

C:\Documents and Settings\Hasse\Application Data\JUMPDA~1<< Folder!,Unsure of Entire Name!

- That folder didn´t exist.


O2 - BHO: (no name) - {0BAE8503-286B-D230-6074-35E402816411} - C:\DOCUME~1\Hasse\APPLIC~1\MEMONE~1\gram wave.exe

- Didn´t exist

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program\Messenger Plus! 3\MsgPlus.exe"

- Didn´t exist

O4 - HKLM\..\Run: [meowbenddefaultlong] C:\Documents and Settings\All Users\Application Data\shim start meow bend\chincurb.exe

- Didn´t exist

O4 - HKCU\..\Run: [pingeach] C:\DOCUME~1\Hasse\APPLIC~1\JUMPDA~1\Tons Bat Funk.exe

- Didn´t exist.


Restart Normal and Have the PC Scanned here
http://www.kaspersky...oduct=161744315

- Took 12 hours to complete! Amazing...Found some viruses though that I deleted.

I am attaching the rkfiles log.txt
and the Ewido log

Logfile of HijackThis v1.99.1
Scan saved at 16:28:38, on 2005-06-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\runservice.exe
C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\M-Audio USB Quattro\Install\QuatInst.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program\Ahead\InCD\InCD.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe
C:\Program\Delade filer\CMEII\CMESys.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Delade filer\GMT\GMT.exe
C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program\WinZip\WZQKPICK.EXE
C:\Program\M-Audio USB Quattro\QuatTask.exe
C:\Program\Java\jre1.5.0_02\bin\javaw.exe
C:\Anti spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.expressen.se/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TomcatStartup] C:\Program\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe"
O4 - HKLM\..\Run: [CMESys] "C:\Program\Delade filer\CMEII\CMESys.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [GChelper] c:\Program Files\Group Calendar\GChelper.exe
O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program\M-Audio USB Quattro\QuatTask.exe
O4 - Startup: Maya 6 helpserver.lnk = C:\Program\Alias\Maya6.0\docs\helpserver.jar
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4320FDC8-37CC-4474-A0C0-AA9E303E8912}: NameServer = 192.168.2.100,81.26.228.3
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program\Ahead\InCD\InCDsrv.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program\M-Audio USB Quattro\Install\QuatInst.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

Attached Files


  • 0

#13
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
First and Foremost,we need to find out about these Ip Addresses and How you Internet Access is set up!

192.168.2.100=192.168.0.0 - 192.168.255.255
Internet Assigned Numbers Authority
4676 Admiralty Way, Suite 330
Marina del Rey, CA
US

81.26.228.3= 81.26.228.0 - 81.26.228.255
BOSTREAM-SERVER-NET3 STOCKHOLM
Bostream AB
Kungsbron 21
S-111 22 Stockholm
Sweden

I suggest calling your Internet Provider and Checking out those Numbers!

Please let me know what you find out!!!

Download remv3.zip
http://forums.skads....ype=post&id=118

Please download this to the C:\ Drive>> Unzip and Extract All Files but dont run it yet!

The files Kaspersky found,were they located in the System Volume folder?

Here is some Info that Might help you understand what is running around in there!

C:\WINDOWS\system32\vbskpro2.ocx<< From RKFiles

http://www.sophos.co...rojflowbya.html

Hopefully Kaspersky got the main Dropper that was Reinfecting you!

Go to Safe Mode>>Be sure Windows is Showing Hidden Files

Locate and Delete

C:\WINDOWS\system32\vbskpro2.ocx<< File

C:\Program\Delade filer\CMEII<< Folder

C:\Program\Delade filer\GMT<< Folder

Please let me know if any of these were not deleted!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [CMESys] "C:\Program\Delade filer\CMEII\CMESys.exe"

O4 - Global Startup: GStartup.lnk = C:\Program\Delade filer\GMT\GMT.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!!

Now open the folder where you saved remv3.zip files and double click the rem.bat file and let it run. It will delete the files and remove the infection and then make a log of the files it finds. The log file will be C:\log.txt and bad1.txt

Restart Normal and Post th log from Remv3 and a fresh hijackthis log!

Let me know what you find out about the IP Addresses!
  • 0

#14
digicraft63

digicraft63

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Hi.

[quote name='Cretemonster' date='Jun 12 2005, 08:45 PM']
First and Foremost,we need to find out about these Ip Addresses and How you Internet Access is set up!

192.168.2.100=192.168.0.0 - 192.168.255.255
Internet Assigned Numbers Authority
4676 Admiralty Way, Suite 330
Marina del Rey, CA
US

- That is the one of the "false" adresses on my subnet behind a router computer.

81.26.228.3= 81.26.228.0 - 81.26.228.255
BOSTREAM-SERVER-NET3 STOCKHOLM
Bostream AB
Kungsbron 21
S-111 22 Stockholm
Sweden

- That is my real IP-adress that is shown on the internet and the one the router have.-


The files Kaspersky found,were they located in the System Volume folder?

- No


Hopefully Kaspersky got the main Dropper that was Reinfecting you!

- Let´s hope so


Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 15:52:49, on 2005-06-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
C:\Program\Delade filer\Symantec Shared\ccProxy.exe
C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
C:\Program\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\runservice.exe
C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program\M-Audio USB Quattro\Install\QuatInst.exe
C:\WINDOWS\system32\Smartscaps.exe
C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Symantec Shared\ccApp.exe
C:\Program\Java\jre1.5.0_02\bin\jusched.exe
C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program\QuickTime\qttask.exe
C:\Program\Ahead\InCD\InCD.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Messenger\msmsgs.exe
C:\Program\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program\SmartTrust\SmartTrust Personal\Csp\SmartCertmover.exe
C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program\WinZip\WZQKPICK.EXE
C:\Program\M-Audio USB Quattro\QuatTask.exe
C:\Program\Java\jre1.5.0_02\bin\javaw.exe
C:\Anti spyware\HijackThis.exe
C:\WINDOWS\System32\dllhost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.expressen.se/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program\Delade filer\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program\MSN Apps\MSN Toolbar\01.02.4000.1001\sv\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program\Delade filer\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [TomcatStartup] C:\Program\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\Program\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [StatusClient] C:\Program\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [msnappau] "C:\Program\MSN Apps\Updater\01.03.0000.1005\sv\msnappau.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "c:\program\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [GChelper] c:\Program Files\Group Calendar\GChelper.exe
O4 - Startup: M-Audio Quattro Control Panel Launcher.lnk = C:\Program\M-Audio USB Quattro\QuatTask.exe
O4 - Startup: Maya 6 helpserver.lnk = C:\Program\Alias\Maya6.0\docs\helpserver.jar
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Certificate Mover.lnk = ?
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....ta/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec..../ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4320FDC8-37CC-4474-A0C0-AA9E303E8912}: NameServer = 192.168.2.100,81.26.228.3
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program\Delade filer\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - AHEAD Software - C:\Program\Ahead\InCD\InCDsrv.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Norton AntiVirus Auto Protect-tjänst (navapsvc) - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Quattro Installer (QuattroInstallerService) - M-Audio - C:\Program\M-Audio USB Quattro\Install\QuatInst.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program\DELADE~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartTrust Smart Card Server (Smartscaps) - SmartTrust - C:\WINDOWS\system32\Smartscaps.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program\Delade filer\Symantec Shared\Security Center\SymWSC.exe

Attached Files

  • Attached File  log.txt   732bytes   122 downloads

  • 0

#15
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
Thank You very much for collecting that Info for me,Thats exactly what I wanted to know,and I have to say,you seem to be the first that has been smart enough to take the steps to be sure the IP addy is right!

All looks well to me,how is it all acting now?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP