Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Help - I've tried everything! [RESOLVED]

Started by jasemike77 , Jun 11 2005 06:54 AM

  • This topic is locked This topic is locked

#1
jasemike77
Posted 11 June 2005 - 06:54 AM

jasemike77

    New Member

  • Member
  • Pip
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 7:49:24 AM, on 6/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\nmmshlex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system\sxxvml.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nlhvid.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jason Michael Paulin\Desktop\HijackThis.exe

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\system32\ps1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitecoc32.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Sysnet] C:\Documents and Settings\Jason Michael Paulin\snuninst.exe
O4 - HKLM\..\Run: [7F3X3mg] nmmshlex.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mos7RgMmi] nlhvid.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [ookk] C:\PROGRA~1\COMMON~1\ookk\ookkm.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jptech-indy.us
O17 - HKLM\Software\..\Telephony: DomainName = jptech-indy.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jptech-indy.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jptech-indy.us
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Please help! THanks!
  • 0

Advertisements

#2
loophole
Posted 12 June 2005 - 09:05 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello jasemike77 :tazz:

You have some malware issues,lets get you fixed up

Download LQfix here
save it to your desktop, please do not use yet

Please downloadAdAware.
Update Adaware
Close Adaware,we will use it later.

Download and install CleanUp! Here dont use yet

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O4 - HKLM\..\Run: [PS1] C:\WINDOWS\system32\ps1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitecoc32.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [Sysnet] C:\Documents and Settings\Jason Michael Paulin\snuninst.exe
O4 - HKLM\..\Run: [7F3X3mg] nmmshlex.exe
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [sac] c:\program files\180searchassistant\sac.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [ookk] C:\PROGRA~1\COMMON~1\ookk\ookkm.exe
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O16 - DPF: {FA9740A2-5802-42E2-B509-81186EEB3C42} (WABControl Class) - https://www.linkedin...cab/wabctrl.cab

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Show Hidden Files and Folders (if needed)
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Run the LQfix from your desktop

Please uninstall the following(if present) Click Start>>>control panel>>>add/remove
VirtualBouncer
180searchassistant
sf (surf enhance)

Using windows explorer( right click start, left click explore)
Search for and delete these files and folders (If found)

C:\WINDOWS\system32\ps1.exe
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\nmmshlex.exe
C:\WINDOWS\system\sxxvml.exe
C:\WINDOWS\system32\nlhvid.exe
c:\program files\180searchassistant
C:\Program Files\sf
C:\WINDOWS\sfita.exe
C:\temp\stubinstaller6480.exe"
C:\WINDOWS\cfgmgr52.dll
C:\Program Files\common files\ookk

run cleanup!

scan with Adaware let it fix anything it finds

Reboot your PC.

Then, run this online virus scan:
ActiveScan

Save the results from ActiveScan.

I need you to post the log from ActiveScan, and a new HiJackThis log into this topic.
  • 0

#3
jasemike77
Posted 14 June 2005 - 11:23 PM

jasemike77

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Thanks for your assistance - I did what you said and it appears that there is still a good bit of junk on my computer. Here are the logs as you requested.

Logfile of HijackThis v1.99.1
Scan saved at 12:21:48 AM, on 6/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\vidctrl\vidctrl.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jason Michael Paulin\Desktop\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AutoLoader7ssd1adkddXI] "C:\WINDOWS\system32\nmmshlex.exe"
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mos7RgMmi] nlhvid.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jptech-indy.us
O17 - HKLM\Software\..\Telephony: DomainName = jptech-indy.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jptech-indy.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jptech-indy.us
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




Incident Status Location

Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Jason Michael Paulin\Favorites\1111\1111.url
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temp\temp.frF2D4\MediaAccess.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\8HI3OD27\marketing32[1].htm
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\8HI3OD27\pcs_0006[1].exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\8HI3OD27\webservice[2].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\8HI3OD27\webservice[4].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\8HI3OD27\webservice[5].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\8PQNS9U3\CAENCDQD.HTM
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\8PQNS9U3\webservice[3].htm
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\8XIFC5AF\joysaver[1].cab[m67m.inf]
Spyware:Spyware/Media-motor No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\8XIFC5AF\joysaver[1].cab[m67m.ocx]
Adware:Adware/TopConvert No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\8XIFC5AF\website[1].ocx
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\SXAN4LEB\marketing32[2].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\SXAN4LEB\webservice[3].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\W16B8TMV\marketing32[1].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\W16B8TMV\webservice[4].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\W16B8TMV\webservice[5].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Jason Michael Paulin\Local Settings\Temporary Internet Files\Content.IE5\W16B8TMV\webservice[6].htm
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\Helper101.dll
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\lmpzvtjy.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\qftprkct.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system\QBUninstaller.exe
Virus:Trj/Clicker.FV Disinfected C:\WINDOWS\system\sxxvml.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\system32\bs51-eginwl51-vb.exe
Adware:Adware/Beginto No disinfected C:\WINDOWS\system32\btnetw-ventura-hot_246765.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\Cache\cxtpls_loader.exe
Virus:Trj/Delf.EB Disinfected C:\WINDOWS\system32\Cache\HelperInstall.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\Cache\InstallAPS.exe
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\system32\Cache\optimize.exe
Adware:Adware/EliteBar No disinfected C:\WINDOWS\system32\Cache\ventura1.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\Cache\ven_d1.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\cxtpls_loader.exe
Virus:Trj/Downloader.BYZ Disinfected C:\WINDOWS\system32\dist001.exe
Adware:Adware/HuntBar No disinfected C:\WINDOWS\system32\EDow_AS2.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\HookPopup.dll
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\system32\installer_MARKETING18.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\Jtzhei.exe
Virus:Trj/Downloader.BYZ Disinfected C:\WINDOWS\system32\main.exe
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nss39F.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\nsvsvc\nsv.ocx
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\nsvsvc\nsvs.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\Ohnmcm.exe
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe
Spyware:Spyware/ISTbar No disinfected C:\WINDOWS\system32\tsuninst.exe
Virus:Trj/Downloader.BJG Disinfected C:\WINDOWS\system32\uci.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.008
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\winupdt.bin
Thanks for all your assistance... if you need any more info, please let me know.

Thanks
Jason
  • 0

#4
loophole
Posted 15 June 2005 - 05:11 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello Jase mike ;)

Your log looks alot better :tazz:

Lets see what Ewido can clean and then well tackle the rest

Please follow the instructions provided, you may want to print out these instructions and use them as a reference.

First:
Please download ewido security suite it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed Reboot into safemode(continually tap the F8 key while your system is starting, select Safe Mode from the menu).Now open Ewido :
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply

Edited by loophole, 15 June 2005 - 05:12 PM.

  • 0

#5
jasemike77
Posted 16 June 2005 - 05:22 PM

jasemike77

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I appear to be having some difficulties when I install the ewido security suite. After it is installed, i run it and the database message pops up, then the main console appears for a second and shuts down. I have tried uninstalling and installing again a couple times, with the same result.

Thoughts? :tazz:

THanks
Jason
  • 0

#6
loophole
Posted 16 June 2005 - 06:21 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello Jasemike ;)

no problem we will work without it ,you can uninstall Ewido if you want :tazz:

Please print out a copy of these directions

If Adaware is not up to date please update it. We will use it later

Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.

Now open pocketkillbox Select the option "Delete on reboot".
Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:
Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'
The entire list should now be in the "Full Path of File to Delete"
field.To check, click on the dropdown-arrow next to that field.
If you expand it, these lines should all be there.

C:\WINDOWS\Helper101.dll
C:\WINDOWS\lmpzvtjy.exe
C:\WINDOWS\qftprkct.exe
C:\WINDOWS\system\QBUninstaller.exe
C:\WINDOWS\system\sxxvml.exe
C:\WINDOWS\system32\bs51-eginwl51-vb.exe
C:\WINDOWS\system32\btnetw-ventura-hot_246765.exe
C:\WINDOWS\system32\Cache\cxtpls_loader.exe
C:\WINDOWS\system32\Cache\HelperInstall.exe
C:\WINDOWS\system32\Cache\InstallAPS.exe
C:\WINDOWS\system32\Cache\optimize.exe
C:\WINDOWS\system32\Cache\ventura1.exe
C:\WINDOWS\system32\Cache\ven_d1.exe
C:\WINDOWS\system32\cxtpls_loader.exe
C:\WINDOWS\system32\dist001.exe
C:\WINDOWS\system32\EDow_AS2.exe
C:\WINDOWS\system32\HookPopup.dll
C:\WINDOWS\system32\installer_MARKETING18.exe
C:\WINDOWS\system32\Jtzhei.exe
C:\WINDOWS\system32\main.exe
C:\WINDOWS\system32\nss39F.dll
C:\WINDOWS\system32\nsvsvc
C:\WINDOWS\system32\Ohnmcm.exe
C:\WINDOWS\system32\SSK3_B5 Seedcorn 4.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\uci.exe
C:\WINDOWS\system32\winupdt.008
C:\WINDOWS\system32\winupdt.bin
C:\WINDOWS\system32\nmmshlex.exe
C:\WINDOWS\system32\nlhvid.exe

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot, click YES.When it asks if you would like to Reboot now, click YES. (You will be rebooting into safemode)

safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).

Run cleanup If it ask you to reboot click no

Scan with Adaware let it fix anything it finds (please note anything it could not fix)

reboot you pc and run this online virus scan again:
ActiveScan

Copy the results of the ActiveScan and paste them here with a new hijack log

thanks
  • 0

#7
jasemike77
Posted 16 June 2005 - 09:26 PM

jasemike77

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Logfile of HijackThis v1.99.1
Scan saved at 10:25:09 PM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\vidctrl\vidctrl.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jason Michael Paulin\Desktop\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AutoLoader7ssd1adkddXI] "C:\WINDOWS\system32\nmmshlex.exe"
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Mos7RgMmi] nlhvid.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jptech-indy.us
O17 - HKLM\Software\..\Telephony: DomainName = jptech-indy.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jptech-indy.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jptech-indy.us
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



Incident Status Location

Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Jason Michael Paulin\Favorites\1111\1111.url
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\nsvsvc\nsv.ocx
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\nsvsvc\nsvs.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\vidctrl\vidctrl.exe
  • 0

#8
loophole
Posted 16 June 2005 - 10:45 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hey jasmike :tazz:

could you please do the following for me

Uninstall via Add/Remove programs: "Messenger Plus 3"
If you insist on using "Messenger Plus 3" reinstall without the "Sponsor Software"
This is not a Microsoft or MSN product! Be aware that any update to "Messenger Plus" will cause the program to prompt you to install the "Sponsor Software".

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [AutoLoader7ssd1adkddXI] "C:\WINDOWS\system32\nmmshlex.exe
O4 - HKCU\..\Run: [Mos7RgMmi] nlhvid.exe


open pocketkillbox Select the option "Delete on reboot".
Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:
Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'
The entire list should now be in the "Full Path of File to Delete"
field.To check, click on the dropdown-arrow next to that field.
If you expand it, these lines should all be there.

C:\Documents and Settings\Jason Michael Paulin\Favorites\1111
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
C:\WINDOWS\system32\ezPopStub.exe
C:\WINDOWS\system32\nsvsvc\nsv.ocx
C:\WINDOWS\system32\nsvsvc\nsvs.dll
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\vidctrl\vidctrl.exe
C:\WINDOWS\system32\vidctrl
C:\WINDOWS\system32\nsvsvc
C:\WINDOWS\system32\nmmshlex.exe
C:\WINDOWS\system32\nlhvid.exe

Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot, click YES.When it asks if you would like to Reboot now, click YES.


Please post a new Hijack log and tell me how your system is running now

thanks
  • 0

#9
jasemike77
Posted 17 June 2005 - 06:08 PM

jasemike77

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here you go!

Things seem to be much better - many thanks to you!!!

How does the log look?

Logfile of HijackThis v1.99.1
Scan saved at 7:07:59 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jason Michael Paulin\Desktop\HijackThis.exe

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.1.0.80\InstallStub.exe -a
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: eFax Live Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.3.lnk = C:\Program Files\eFax Messenger Plus 3.3\J2GTray.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jptech-indy.us
O17 - HKLM\Software\..\Telephony: DomainName = jptech-indy.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jptech-indy.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jptech-indy.us
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#10
loophole
Posted 17 June 2005 - 07:47 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hey jasemike77 ;)

That log looks good :tazz: . How is your system running now?

Please advise

Thanks
  • 0

#11
jasemike77
Posted 17 June 2005 - 11:57 PM

jasemike77

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
System is running great now!! Thanks so much for your help!

On my next pay I would like to donate for your help (in 2 weeks!). What is the appropriate amount?

Thanks again so much, you are a life saver!!!!
  • 0

#12
loophole
Posted 18 June 2005 - 12:11 AM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello jasemike77 ;)

You do whatever you wish Im just glad to see your computer is back to normal :tazz:

your system is clean

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
  • Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
Other necessary Programs:
  • AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
  • Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
  • More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.
And also see TonyKlein's good advice
So how did I get infected in the first place? and Spyware Aid's spyware article: Spyware, Adware, Malware: What it is, how it got on my computer, how to get rid of it, and how to prevent it.
  • 0

#13
loophole
Posted 28 June 2005 - 08:12 PM

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP