Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Desktop and IE Settings Changed by Hijacker


  • Please log in to reply

#1
ThaWacky

ThaWacky

    Member

  • Member
  • PipPip
  • 18 posts
Hello,

I recently encountered "hijacking" and have used many tools to clean out the mess it made.

However, when I go to Control Panel>Display, there are only two tabs showing (Screen Saver and Settings). I no longer have the options to change anything else on my desktop. I have temporarily changed it by directly right clicking on my desktop and picking a picture, but I would like my previous options back in the Control Panel.

The other problem is that the "Use Current" button in my IE homepage settings is disabled. One of the tools I used to fix my computer took out the "about: blank" homepage and replaced it with one I wanted, but the button is still disabled.

I'd appreciate anyones help with these issues.

Logfile of HijackThis v1.99.1
Scan saved at 7:06:08 PM, on 6/21/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

Advertisements


#2
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi and welcome ThaWacky
A couple issues here

First,

Please right-click: HERE and go to Save As (in Internet Explorer it's "Save Target As") in order to download smitfraud reg file. Save it to your desktop.

Locate "smitfraud.reg" on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt

Restart your computer, You should have control of your desktop again,

Next,

If you had removed items using HJT we need to see them restored please,

To restore the backups:
  • Open HiJackThis
  • Click on "View the list of Backups"
  • Place a check mark next to everything in that window
  • Click Restore
  • Click Yes
  • Reboot your computer
  • Run HiJackThis and post a new HiJackThis log for review.
Next,

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.
  • 0

#3
ThaWacky

ThaWacky

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hello don77,

Here is my HijackThis after performing steps 1 and 2. I can't do a Windows update because IE still goes to the about: blank page, even though it says that http://www.google.com is set as my homepage. Right now I'm using Firefox, and the link you provided took me to a page that said "Bad Request".


Logfile of HijackThis v1.99.1
Scan saved at 10:30:22 PM, on 6/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: VM Homepage - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpC83F.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#4
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Please go here
http://www.softpedia...Pack-SP1a.shtml
Download it manually and install it,
  • 0

#5
ThaWacky

ThaWacky

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Done. Here is my new HijackThis log after installing the Windows Service Pack.

Logfile of HijackThis v1.99.1
Scan saved at 4:00:03 PM, on 6/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: VM Homepage - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpC83F.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0

#6
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Thank you,
First please download from my sig CWShredder please,
Unzip some place where you can find it, Open the program, Check it for updates,
After it has updated, Be sure and click on the "Fix" button. Let the program run and fix what it finds,

Next

Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it hjt
Move HJT into this new folder please,

Next
Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:
===================================================
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


Open Ad-aware and do a full scan. Remove all it finds.


Now open Ewido Security Suite
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save Report
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.
Let us know if any problems persist.
  • 0

#7
ThaWacky

ThaWacky

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Everything was going fine until I tried to download the update to Ad-Aware. It came up with an error message that says "The downloaded definitions file could not be read, please update again." I tried it again and it said the same thing.

It currently has the 5/24/05 update but it says the latest is the 6/21/05 update, which is the one I can't get.
  • 0

#8
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
This has been happening abit lately might be a server issue

See if you can't download the manually




http://download.lava...public/defs.zip

Manual Installation: Unzip the archive, replace the existing file and restart Ad-Aware\Ad-Watch
  • 0

#9
ThaWacky

ThaWacky

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Another problem.

It was performing disk cleanup and stayed stuck on 4 bars of progress and "Scanning: Compress Old Files" for approximately 45 minutes. I'm not sure if thats normal, but I wanted to check. Even when I clicked on "Cancel", it kept running and I had to go into Task Manager (where it was still running at 99%) to stop it from running.
  • 0

#10
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Lets see if Cleanup! will clean it a bit quicker.
  • Go Here download and install Cleanup!
  • Open up the program and click on the cleanup button, Let it do it’s thing.
    It will ask you to reboot allow it to do so,
  • When the computer restarts it will open again and finish running, allow it to do so please,
  • Alt site if the above is not working Go Here
after running cleanup! proceed with the rest of the instructions,
  • 0

Advertisements


#11
ThaWacky

ThaWacky

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Good News: Got through the last parts and the reboot and IE comes up without it trying to go to the blank page.

Bad News: Panda ActiveScan doesn't allow Firefox. So I try it through IE, the component download page comes up and I fill in my information. It starts the download and asks me if I want to allow the components to install, I click yes. It sat at "Please wait for download" with the bar above filled all of the way, but nothing happened. I waited 15 minutes for the next screen and it just stayed stuck. I tried it again, same thing.
  • 0

#12
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Could you post back a fresh HJT log please,

Also you could give TrendMicro's HouseCall A try and see if it works please
  • 0

#13
ThaWacky

ThaWacky

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
I found out what the problem was when I tried Trend Micro's scan. I had to allow cookies in order to do both.

Here are all the logs:

HIJACK THIS

Logfile of HijackThis v1.99.1
Scan saved at 1:37:24 PM, on 6/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PopUp Killer\PopUpKiller.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1119860151639
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

EWIDO

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:52:09 PM, 6/25/2005
+ Report-Checksum: 608633B0

+ Date of database: 6/25/2005
+ Version of scan engine: v3.0

+ Duration: 57 min
+ Scanned Files: 88062
+ Speed: 25.65 Files/Second
+ Infected files: 1
+ Removed files: 1
+ Files put in quarantine: 1
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\WINDOWS\uninstIU.exe -> Trojan.Agent.eo -> Cleaned with backup


::Report End


PANDA ACTIVE SCAN



Incident Status Location

Adware:Adware/PortalScan No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\The Dee\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\The Dee\Favorites\online dating.url
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\tool.exe
Adware:Adware/Spywad No disinfected C:\WINDOWS\ms2.exe
Adware:Adware/Popuper No disinfected C:\Documents and Settings\The Dee\Favorites\Black Jack Online.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Adipex.url
Adware:Adware/Smitfraud No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\Documents and Settings\The Dee\Favorites\Black Jack Online.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\The Dee\Favorites\Home Loan.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\The Dee\Favorites\Network Security.url
Adware:Adware/SuperSpider No disinfected C:\Documents and Settings\The Dee\Favorites\Online Dating.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\The Dee\Favorites\Online Gambling\Online Gambling.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\The Dee\Favorites\Online Gambling.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Adipex.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Alprazolam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Carisoprodol.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Diazepam.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Hydrocodone.url
Adware:Adware/CWS No disinfected C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Lortab.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Online Pharmacy.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Prozac.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Valium.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Vicodin.url
Adware:Adware/Perfect-Search No disinfected C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Xanax.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\The Dee\Favorites\Online Pharmacy.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\The Dee\Favorites\Remove Spyware.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\The Dee\Favorites\Spam Filters.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\The Dee\Favorites\Take It Here - Free [bleep] TGP.url
Adware:Adware/Popuper No disinfected C:\Documents and Settings\The Dee\Favorites\Web Detective.url
Virus:W32/Bagle.pwdzip Disinfected Personal Folders\Inbox\E-mail account security warning.\Information.zip
Virus:W32/Bagle.pwdzip Disinfected C:\Outmail\E-mail account security warning .RB0[Information.zip]
Virus:W32/Bagle.pwdzip Disinfected Personal Folders\Inbox\E-mail account security warning.\Information.zip
Possible Virus. No disinfected C:\WINDOWS\Downloaded Installations\{D01E8C08-46DD-4143-AF15-82893DE7FCD2}\Data.Cab[F2309_Stealth.exe]
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\ms1.exe
Adware:Adware/Spywad No disinfected C:\WINDOWS\ms2.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\ms3.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\ms4.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\tool.exe

TREND MICRO HOUSECALL

Trend Micro Housecall Virus Scan0 virus cleaned, 0 virus deleted


Results:
We have detected 0 infected file(s) with 0 virus(es) on your
computer. Only 0 out of 0 infected files are displayed:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 0 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected FileAssociated Virus NameAction Taken




Trojan/Worm Check0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a
Trojan seems like a harmless program, it contains malicious
code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your
computer. Only 0 out of 0 Trojan horse programs and worms are
displayed: - 0 worm(s)/Trojan(s) passed, 0
worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s)
undeletable
Trojan/Worm NameTrojan/Worm TypeAction Taken




Spyware Check2 spyware programs removed

What we checked:
Whether personal information was tracked and reported by
spyware. Spyware is often installed secretly with legitimate
programs downloaded from the Internet.
Results:
We have detected 5 spyware(s) on your computer. Only 0 out of
0 spywares are displayed: - 3 spyware(s) passed, 0
spyware(s) no action available
- 2 spyware(s) removed, 0 spyware(s) unremovable
Spyware NameSpyware TypeAction Taken
COOKIE_169CookiePass
COOKIE_174CookiePass
SPYW_ZANIT.ASpywareRemoval successful
ADW_SHOPNAV.DAdwareRemoval successful
COOKIE_3201CookiePass

Microsoft Vulnerability Check28 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues
Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 28 vulnerability/vulnerabilities on your
computer. Only 0 out of 0 vulnerabilities are displayed.
Risk LevelIssueHow to Fix
Highly CriticalThis vulnerability enables a remote
attacker to execute any file that can be rendered
as text, and be opened as part of a page in
Internet Explorer. MS03-014
Highly CriticalThese vulnerabilities, which are
due to Internet Explorer not properly determining
an object type returned from a Web server in a
popup window or during XML data binding,
respectively, could allow an attacker to run
arbitrary code on a user's system. MS03-040
CriticalThis vulnerability could allow an attacker
to access information from other Web sites, access
files on a user's system, and run arbitrary code
on a user's system, wherein this is executed under
the security context of the currently logged on
user.;This vulnerability could allow an attacker
to save a file on the users system. This is due to
dynamic HTML events related to the drag-and-drop
of Internet Explorer.;This vulnerability, which is
due to the incorrect parsing of URLs which contain
special characters, could allow an attacker to
trick a user by presenting one URL in the address
bar, wherein it actually contains the content of
another web site of the attackers choice.
MS04-004
CriticalThe MHTML URL Processing Vulnerability
allows remote attackers to bypass domain
restrictions and execute arbitrary code via script
in a compiled help (CHM) file that references the
InfoTech Storage (ITS) protocol handlers.This
could allow an attacker to take complete control
of an affected system. MS04-013
ModerateA denial of service (DoS) vulnerability
exists in Outlook Express that could cause the
said program to fail. The malformed email should
be removed before restarting Outlook Express in
order to regain its normal operation. MS04-018
CriticalThe Navigation Method Cross-Domain
Vulnerability is a remote execution vulnerability
that exists in Internet Explorer because of the
way that it handles navigation methods. An
attacker could exploit this vulnerability by
constructing a malicious Web page that could
potentially allow remote code execution if a user
visits a malicious Web site.;The Malformed BMP
File Buffer Overrun Vulnerability exists in the
processing of BMP image file formats that could
allow remote code execution on an affected
system.;The Malformed GIF File Double Free
Vulnerability is a buffer overrun vulnerability
that exists in the processing of GIF image file
formats that could allow remote code execution on
an affected system. MS04-025
CriticalThis is a remote code execution
vulnerability that exists in the Internet
Explorer. It allows remote code execution on an
affected system. An attacker could exploit this
vulnerability by constructing a malicious Web
Page. The said routine could allow remote code
execution if a user visited a malicious Web site.
An attacker who successfully exploited this
vulnerability could take complete control of an
affected system. However, significant user
interaction is required to exploit this
vulnerability. MS04-038
CriticalThis security update addresses and
resolves a vulnerability in Internet Explorer that
could allow remote code execution. A Web page can
be crafted to exploit this vulnerability such that
an arbitrary application can be executed on
visiting systems with the same priviledge as the
currently logged on user. MS04-040
ImportantThis security advisory explains the two
discovered vulnerabilities in Microsoft Word for
Windows 6.0 Converter, which is used by WordPad in
converting Word 6.0 to WordPad file format. Once
exploited, this remote code execution
vulnerability could allow a malicious user or a
malware to take complete control of the affected
system if the affected user is currently logged on
with administrative privileges. MS04-041
CriticalA remote code execution vulnerability
exists in HyperTerminal because of a buffer
overrun. If a user is logged on with administrator
privileges, an attacker could exploit the
vulnerability by constructing a malicious
HyperTerminal session file that could potentially
allow remote code execution and then persuade a
user to open this file. This malicious file may
enable the attacker to gain complete control of
the affected system. This vulnerability could also
be exploited through a malicious Telnet URL if
HyperTerminal had been set as the default Telnet
client. MS04-043
ImportantThis security update addresses and
resolves two windows vulnerabilites, both of which
may enable the current user to take control of the
affected system. Both of these vulnerabilites
require that the curernt user be able to log on
locally and execute programs. They cannot be
exploited remotely, or by anonymous users. A
privilege elevation vulnerability exists in the
way that the Windows Kernel launches applications.
This vulnerability could allow the current user to
take complete control of the system. A privilege
elevation vulnerability exists in the way that the
LSASS validates identity tokens. This
vulnerability could allow the current user to take
complete control of the affected system. MS04-044
CriticalThis update resolves a newly-discovered,
publicly reported vulnerability. A vulnerability
exists in the HTML Help ActiveX control in Windows
that could allow information disclosure or remote
code execution on an affected system. MS05-001
CriticalThis update resolves several
newly-discovered, privately reported and public
vulnerabilities. An attacker who successfully
exploited the most severe of these vulnerabilities
could take complete control of an affected system,
install programs, view, change, or delete data, or
create new accounts that have full privileges.
MS05-002
ImportantThis update resolves a newly-discovered,
privately reported vulnerability. An attacker who
successfully exploited this vulnerability could
take complete control of an affected system. An
attacker could then install programs, view,
change, or delete data, or create new accounts
with full privileges. While remote code execution
is possible, an attack would most likely result in
a denial of service condition. MS05-003
ImportantThis is an information disclosure
vulnerability. An attacker who successfully
exploits this vulnerability could remotely read
the user names for users who have an open
connection to an available shared resource.
MS05-007
ImportantThis remote code execution vulnerability
exists in the way Windows handles drag-and-drop
events. An attacker could exploit the
vulnerability by constructing a malicious Web page
that could potentially allow an attacker to save a
file on the users system if a user visited a
malicious Web site or viewed a malicious e-mail
message. MS05-008
CriticalThis remote code execution vulnerability
exists in the processing of PNG image formats. An
attacker who successfully exploits this
vulnerability could take complete control of an
affected system. MS05-009
CriticalThis remote code execution vulnerability
exists in Server Message Block (SMB). It allows an
attacker who successfully exploits this
vulnerability to take complete control of the
affected system. MS05-011
CriticalThis privilege elevation vulnerability
exists in the way that the affected operating
systems and programs access memory when they
process COM structured storage files. This
vulnerability could grant a currently logged-on
user to take complete control of the system.;This
remote code execution vulnerability exists in OLE
because of the way that it handles input
validation. An attacker could exploit the
vulnerability by constructing a malicious document
that could potentially allow remote code
execution. MS05-012
CriticalThis vulnerability exists in the DHTML
Editing Component ActiveX Control. This
vulnerability could allow information disclosure
or remote code execution on an affected system.
MS05-013
CriticalThis update resolves known vulnerabilities
affecting Internet Explorer. An attacker who
successfully exploits these vulnerabilities could
take complete control of an affected system. An
attacker could then install programs; view,
change, or delete data; or create new accounts
with full user rights. MS05-014
CriticalA remote code execution vulnerability
exists in the Hyperlink Object Library. This
problem exists because of an unchecked buffer
while handling hyperlinks. An attacker could
exploit the vulnerability by constructing a
malicious hyperlink which could potentially lead
to remote code execution if a user clicks a
malicious link within a Web site or e-mail
message. MS05-015
ImportantA remote code execution vulnerability
exists in the Windows Shell because of the way
that it handles application association. If a user
is logged on with administrative privileges, an
attacker who successfully exploited this
vulnerability could take complete control of the
affected system. However, user interaction is
required to exploit this vulnerability. MS05-016
ImportantA remote code execution vulnerability
exists in Message Queuing that could allow an
attacker who successfully exploited this
vulnerability to take complete control of the
affected system. MS05-017
ImportantThis security bulletin resolves
newly-discovered, privately-reported
vulnerabilities affecting Windows. An attacker who
successfully exploited the most severe of these
vulnerabilities could take complete control of an
affected system. An attacker could then install
programs; view, change, or delete data; or create
new accounts with full user rights. MS05-018
CriticalThis security bulletin resolves newly
discovered, privately-reported vulnerabilities
affecting Windows. An attacker who successfully
exploited the most severe of these vulnerabilities
could take complete control of an affected system.
An attacker could then install programs; view,
change, or delete data; or create new accounts
with full user rights. However, an attacker who
successfully exploited the most severe of these
vulnerabilities would most likely cause the
affected system to stop responding. MS05-019
CriticalThis security bulletin resolves three
newly-discovered, privately-reported
vulnerabilities affecting Internet Explorer. If a
user is logged on with administrative user rights,
an attacker who successfully exploited any of
these vulnerabilities could take complete control
of an affected system. An attacker could then
install programs; view, change, or delete data; or
create new accounts with full user rights.
MS05-020
CriticalA remote code execution vulnerability
exists in MSN Messenger that could allow an
attacker who successfully exploited this
vulnerable to take complete control of the
affected system. MS05-022
  • 0

#14
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi ThaWacky, sorry for the delay in response,
Need you to do a couple things,
  • Close all programs leaving only HijackThis running. Place a check against each of the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1


    Click on Fix Checked when finished and exit HijackThis.



    *Please open notepad and save these instructions, Name it something you will remember
    *Click Here to download Killbox by Option^Explicit.
    *Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
    *In the killbox program, select the Delete on Reboot option.
    *Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

     C:\WINDOWS\ms1.exe 
     C:\WINDOWS\ms2.exe 
     C:\WINDOWS\ms3.exe 
     C:\WINDOWS\ms4.exe 
     C:\WINDOWS\tool.exe 
    C:\Documents and Settings\The Dee\Favorites\Online Gambling\Online Gambling.url 
    C:\Documents and Settings\The Dee\Favorites\online dating.url 
    C:\Documents and Settings\The Dee\Favorites\Black Jack Online.url 
    C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Adipex.url 
    C:\Documents and Settings\The Dee\Favorites\Black Jack Online.url 
    C:\Documents and Settings\The Dee\Favorites\Home Loan.url 
    C:\Documents and Settings\The Dee\Favorites\Network Security.url 
    C:\Documents and Settings\The Dee\Favorites\Online Dating.url 
    C:\Documents and Settings\The Dee\Favorites\Online Gambling\Online Gambling.url 
    C:\Documents and Settings\The Dee\Favorites\Online Gambling.url 
    C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Adipex.url 
    C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Alprazolam.url 
    C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Carisoprodol.url 
    C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Diazepam.url 
    C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Hydrocodone.url 
    C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Lortab.url 
    C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Online Pharmacy.url 
    C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Prozac.url 
    C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Valium.url 
    C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Vicodin.url 
    C:\Documents and Settings\The Dee\Favorites\Online Pharmacy\Xanax.url 
    C:\Documents and Settings\The Dee\Favorites\Online Pharmacy.url 
    C:\Documents and Settings\The Dee\Favorites\Remove Spyware.url 
    C:\Documents and Settings\The Dee\Favorites\Spam Filters.url 
    C:\Documents and Settings\The Dee\Favorites\Take It Here - Free [bleep] TGP.url 
    C:\Documents and Settings\The Dee\Favorites\Web Detective.url  

    *Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
    *Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
Run another scan with Active post back what it finds
Post back a fresh HijackThis log and we will take another look.
  • 0

#15
ThaWacky

ThaWacky

    Member

  • Topic Starter
  • Member
  • PipPip
  • 18 posts
Hey don77,

Here are my recent logs.

PANDA ACTIVE SCAN LOG

Incident Status Location

Adware:Adware/PortalScan No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\The Dee\Favorites\Online Pharmacy
Adware:Adware/Popuper No disinfected C:\Documents and Settings\The Dee\Favorites\Take It Here - Free [bleep] TGP.url
Adware:Adware/Smitfraud No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\Documents and Settings\The Dee\Favorites\Take It Here - Free [bleep] TGP.url
Possible Virus. No disinfected C:\WINDOWS\Downloaded Installations\{D01E8C08-46DD-4143-AF15-82893DE7FCD2}\Data.Cab[F2309_Stealth.exe]



HIJACKTHIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 12:00:21 AM, on 7/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\The Dee\Desktop\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PopUpKiller] C:\Program Files\PopUp Killer\PopUpKiller.EXE
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1119860151639
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.ex
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP