SpySheriff, again! [RESOLVED]


This topic is locked.

#1 smiddlewood (Member, 12 posts)

Hello, I have been infected with the ever more annoying SpySheriff. I shall cut to the chase. The first time it arrived I came onto these forums and read up on other posts. I downloaded Ad-Aware, which got rid of it, but then I couldn't change the desktop wallpaper, as I didn't have all the tabs in the Display Properties menu. I then took instructions from another post on here as to how to add to the registry to get the tabs back. That worked fine. Then the box for the wallpaper selection was highlighted, so I couldn't change it; again I added to the registry from here, and that worked fine.
However, SpySheriff keeps coming back, and Ad-Aware zaps it when I do a full system scan, but now I can't change my wallpaper. I am able to access Display Properties, no problem, but when I make the selection for the wallpaper and click Apply, it actions it, but the wallpaper doesn't change. Shall I get HijackThis and show the log, or is there another way to prevent SpySheriff coming onto my system? I have Norton and Ad-Aware and they are fully up to date.

Any help is greatly received; sorry for the long explanation.
Cheers,
Sam
#2 tampabelle (Retired Staff, 6,363 posts)

Hi Smiddlewood,

Can you post a HijackThis log so that we can look at it and suggest the fix?

#3 smiddlewood (Topic Starter, 12 posts)

This log was created after I had nuked SpySheriff, again, with Ad-Aware. Since my last post I have been infected again and removed it again, and now I am able to change my wallpaper, the main problem of the previous post. But can I protect against SpySheriff coming back? Cheers

Logfile of HijackThis v1.99.1
Scan saved at 14:46:32, on 22/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\MyTotalSearch\bar\2.bin\MTSOEMON.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Opera75\opera.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Sam\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zsayavpzs...RDCH99CDY7.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll (file missing)
O2 - BHO: MyTotalSearch Search Assistant BHO - {00BD2861-C654-4694-A44A-98642D73247D} - C:\Program Files\MyTotalSearch\SrchAstt\2.bin\MTSSRCAS.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: mtsBar BHO - {094176F1-BF35-4bcb-B68A-108DFB8C3825} - C:\Program Files\MyTotalSearch\bar\2.bin\MTSBAR.DLL
O2 - BHO: (no name) - {2E0F23D6-F960-43B0-DE29-27560C44DEDA} - C:\DOCUME~1\Liz\APPLIC~1\EGGSRE~1\Translog.exe
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O2 - BHO: (no name) - {75CCD670-64BE-47E8-8810-3CB0C8914616} - C:\DOCUME~1\Sam\APPLIC~1\EGGSRE~1\Translog.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: My &Total Search - {094176F9-BF35-4bcb-B68A-108DFB8C3825} - C:\Program Files\MyTotalSearch\bar\2.bin\MTSBAR.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Startup: MyTotalSearch Email Plugin.lnk = C:\Program Files\MyTotalSearch\bar\2.bin\MTSOEMON.EXE
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MyTotalSearch Email Plugin.lnk = C:\Program Files\MyTotalSearch\bar\2.bin\MTSOEMON.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Search - http://bar.mytotalse...earch.html?p=VS
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8247.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio....abasetup144.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A43BB0BB-18DD-4C00-A29D-6CA02AE4EACA}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CS1\Services\Tcpip\..\{A43BB0BB-18DD-4C00-A29D-6CA02AE4EACA}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 tampabelle (Retired Staff, 6,363 posts)

Hi smiddlewood,

You have a bunch of infections other than SpySheriff!! These other infections, including toolbars, are downloading SpySheriff for you!!!

You are also using LimeWire!!! I am not sure if it is the latest version!! Earlier versions were bundled with malware. Read here

While sharing files using such P2P programs you could be downloading infections.

Let me work on a fix for you and revert.

Edited by tampabelle, 22 June 2005 - 07:57 AM.


#5 smiddlewood (Topic Starter, 12 posts)

OK, thank you. I have only started using LimeWire 6 weeks or so ago, and I don't share files, I only download, but presumably this won't affect the spyware activity. Plus, with the toolbars, I cannot get rid of them although I am aware they are there. Any help is greatly appreciated. Cheers

#6 tampabelle (Retired Staff, 6,363 posts)

Hi Smiddlewood,

First of all, let's copy HijackThis from the temporary directory into C:\HJT, a new folder to be created. This will enable HJT to create backups, in case they are needed.

You are running instances of Translog. I presume you are familiar with this program. If you are not, then please let me know.

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

FixGator.exe
SSFix.exe

Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.

2. Remove Infections

Run SSFix.exe.

Run FixGator.exe.

Open Add or Remove Programs (click on Start ---> Settings ---> Control Panel; this should be the 3rd item). Uninstall or remove the following item -

New Dot Net

Please visit this site. You should make a note of all the Gain sponsored items installed on your PC. Do not uninstall them yet, if found.

3. Run HijackThis

Run HijackThis and click on Scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zsayavpzs...RDCH99CDY7.html
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll (file missing)
O2 - BHO: MyTotalSearch Search Assistant BHO - {00BD2861-C654-4694-A44A-98642D73247D} - C:\Program Files\MyTotalSearch\SrchAstt\2.bin\MTSSRCAS.DLL
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: mtsBar BHO - {094176F1-BF35-4bcb-B68A-108DFB8C3825} - C:\Program Files\MyTotalSearch\bar\2.bin\MTSBAR.DLL
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O3 - Toolbar: My &Total Search - {094176F9-BF35-4bcb-B68A-108DFB8C3825} - C:\Program Files\MyTotalSearch\bar\2.bin\MTSBAR.DLL
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Startup: MyTotalSearch Email Plugin.lnk = C:\Program Files\MyTotalSearch\bar\2.bin\MTSOEMON.EXE
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: MyTotalSearch Email Plugin.lnk = C:\Program Files\MyTotalSearch\bar\2.bin\MTSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mytotalse...earch.html?p=VS
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -


Close all windows other than HijackThis. Check the boxes next to the above items and click on Fix checked.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

4. Delete Rogue files

Open Add or Remove Programs (click on Start ---> Settings ---> Control Panel; this should be the 3rd item). Uninstall or remove the following items -

My Way Search
MyTotalSearch
and any items identified as Gain sponsored items in Step 2


Open Windows explorer (right click on start and then click on explore). Locate and delete the following folders and files, if found -

Folders
C:\WINDOWS\System32\P2P Networking
C:\Program Files\MyTotalSearch
C:\Program Files\MyWay
C:\Program Files\NewDotNet
C:\Program Files\SpySheriff
C:\Program Files\Common Files\GMT

Files
C:\winstall.exe


Please run Ewido and run a full scan. Save the logfile from the scan.

Reboot the PC in Normal Mode.

Run HijackThis and post a fresh HJT log along with the Ewido scan report.
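As an added example (not part of this thread, and not a HijackThis feature), here is a small Python script that does the bookkeeping the fix above calls for: it parses HJT finding lines, checks a follow-up log for the entries that were supposed to be fixed, and flags O4 Run entries whose program sits directly in the drive root, like the C:\winstall.exe in the first log. The sample lines are copied from the logs and the fix list posted in this thread (URL ellipses as posted); the function names are this example's own.

```python
"""Verify a HijackThis (HJT) fix against a fresh log and flag odd autostarts.

Added example for this thread; not part of the Geeks to Go posts nor of
HijackThis. Sample entries are copied from the logs quoted in the thread
(URL ellipses as posted); the fix list is the one prescribed in post #6.
"""
import re

# Every HJT finding starts with a section tag (R1, O2, O4, O16, O23 ...).
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 bodies look like:  HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4_RUN = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# A program launched straight from the drive root (C:\winstall.exe) is unusual
# for legitimate software, which installs under Program Files or Windows.
ROOT_EXE = re.compile(r'"?([A-Za-z]:\\[^\\\s"]+\.(?:exe|dll|com|scr))"?', re.I)

# Entries the helper asked to have fixed (subset of the list in post #6).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zsayavpzs...RDCH99CDY7.html
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
"""

# Excerpt of the first log (post #3): the infected state.
BEFORE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.zsayavpzs...RDCH99CDY7.html
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
"""

# Excerpt of the second log (post #10), taken after the fix was applied.
AFTER_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8247.dll' missing
"""


def parse_hjt(text):
    """Return the set of (section, body) findings in an HJT log or excerpt.
    Header lines and the running-process list carry no 'Xn - ' tag and are skipped.
    """
    findings = set()
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            findings.add((m.group("section"), m.group("body").strip()))
    return findings


def check_fix(fix_list, after_log):
    """Split the prescribed fixes into those gone from *after_log* and those
    still present. A non-empty second list means the fix did not stick, which
    is what a still-installed downloader (the helper's point in post #4) looks like.
    """
    wanted = parse_hjt(fix_list)
    remaining = parse_hjt(after_log)
    return sorted(wanted - remaining), sorted(wanted & remaining)


def root_autostarts(log):
    r"""Return (run-key name, command) for every O4 Run entry whose program
    lives directly in a drive root, e.g. [Windows installer] C:\winstall.exe."""
    hits = []
    for section, body in sorted(parse_hjt(log)):
        if section != "O4":
            continue
        m = O4_RUN.match(body)
        if m and ROOT_EXE.match(m.group("cmd")):
            hits.append((m.group("name"), m.group("cmd")))
    return hits


if __name__ == "__main__":
    gone, persisting = check_fix(FIX_LIST, AFTER_LOG)
    print(f"{len(gone)} prescribed entries gone, {len(persisting)} still present")
    for name, cmd in root_autostarts(BEFORE_LOG):
        print("drive-root autostart in first log:", name, "->", cmd)
```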

#7 tampabelle (Retired Staff, 6,363 posts)

lol smiddlewood,

when you download stuff, you could be downloading infections onto your PC!!!!!!!

#8 smiddlewood (Topic Starter, 12 posts)

Thanks for the speedy reply, I shall action this and let you know ASAP.
Cheers

#9 tampabelle (Retired Staff, 6,363 posts)

Godspeed to you

#10 smiddlewood (Topic Starter, 12 posts)

Hello again, everything you suggested has been done and dusted!
Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 17:44:48, on 22/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Opera75\opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E0F23D6-F960-43B0-DE29-27560C44DEDA} - C:\DOCUME~1\Liz\APPLIC~1\EGGSRE~1\Translog.exe
O2 - BHO: (no name) - {75CCD670-64BE-47E8-8810-3CB0C8914616} - C:\DOCUME~1\Sam\APPLIC~1\EGGSRE~1\Translog.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8247.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio....abasetup144.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A43BB0BB-18DD-4C00-A29D-6CA02AE4EACA}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CS1\Services\Tcpip\..\{A43BB0BB-18DD-4C00-A29D-6CA02AE4EACA}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

and the ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 17:26:01, 22/06/2005
+ Report-Checksum: FAFDF56B

+ Date of database: 22/06/2005
+ Version of scan engine: v3.0

+ Duration: 78 min
+ Scanned Files: 145156
+ Speed: 30.83 Files/Second
+ Infected files: 72
+ Removed files: 69
+ Files put in quarantine: 69
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\Liz\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Liz\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Liz\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Liz\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@a[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@birmingham-city-council[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@birmingham-gov-uk[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@dcs823bm8f9xjycc5zhlpa5uv_3x9d[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@dcsb13undoifwznvvdmsn6t76_1i9s[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@dcsgop9oa6twkfk07jjqxv4eh_4w6r[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@dcss5fuiw5twkfsiurq9i0rms_9u4q[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@exitfuel[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@hotbar[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@mysearchnow[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@myway[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@primelocation[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@rfs[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@S005-01-5-18-247425-75682[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@S146738[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@S150312[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@S150991[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@servedbyadbutler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@ukps[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@whatcar[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\[email protected][1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\[email protected][2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Cookies\liz@xiti[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Liz\Local Settings\Temp\13048.exe -> TrojanDownloader.Tiny.j -> Cleaned with backup
C:\Documents and Settings\Liz\Local Settings\Temp\16649.exe -> TrojanDownloader.Tiny.j -> Cleaned with backup
C:\Documents and Settings\Liz\Local Settings\Temp\22361.exe -> TrojanDownloader.Tiny.j -> Cleaned with backup
C:\Documents and Settings\Liz\Local Settings\Temp\28402.exe -> TrojanDownloader.Tiny.j -> Cleaned with backup
C:\Documents and Settings\Liz\Local Settings\Temp\SahUpdate\upgrade.exe -> Spyware.Sahat -> Cleaned with backup
C:\Program Files\MSN Messenger\riched20.dll -> Spyware.Wesbar -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP455\A0115719.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP458\A0116732.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP458\A0116738.exe -> Trojan.Agent.eo -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP458\A0116739.dll -> Trojan.Agent.eo -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP460\A0119023.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP462\A0119410.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP462\A0119970.exe -> Spyware.EZula -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP462\A0119972.dll -> Spyware.EZula.g -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP462\A0119988.exe -> Spyware.Altnet.b -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP462\A0119989.exe -> Spyware.Altnet -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP462\A0120006.exe -> Spyware.Ezula -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP462\A0120017.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP462\A0120035.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120047.EXE -> Spyware.Wesbar -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120048.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120068.dll -> Spyware.NewDotNet -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120076.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120078.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120079.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120081.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120083.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120084.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120085.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120090.EXE -> Spyware.Wesbar -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120091.DLL -> Spyware.Wesbar -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120092.DLL -> Spyware.MyWebSearch -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120094.EXE -> Spyware.MyWay.b -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120095.DLL -> Spyware.MyWay.e -> Cleaned with backup
C:\System Volume Information\_restore{A44BC186-BF53-46D6-AC08-5E512F7F5B9B}\RP463\A0120097.exe -> Not-A-Virus.Hoax.Renos.a -> Cleaned with backup
C:\WINDOWS\NDNuninstall5_48.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\NDNuninstall5_64.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_10.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_22.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet -> Cleaned with backup
C:\WINDOWS\system32\as7ort8v.exe -> Spyware.Sahat.s -> Cleaned with backup
C:\WINDOWS\system32\emlta994.dll -> Spyware.Sahat.l -> Cleaned with backup


::Report End
#11 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Hi smiddlewood,

Your HJT log is clean. Your Ewido log shows that some more dusting has to be done!

Download CleanUp and save it on your PC.

Run CleanUp and delete all temp files, including temporary internet files and all stored cookies.

Reboot the PC in Safe Mode and delete the following files, if found:

C:\WINDOWS\NDNuninstall5_48.exe
C:\WINDOWS\NDNuninstall5_64.exe
C:\WINDOWS\NDNuninstall6_10.exe
C:\WINDOWS\NDNuninstall6_22.exe
C:\WINDOWS\NDNuninstall6_30.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\system32\as7ort8v.exe
C:\WINDOWS\system32\emlta994.dll

Reboot the PC in Normal Mode and post a fresh HJT log.
#12 smiddlewood (Member, Topic Starter, 12 posts)
Here's the latest HijackThis log. Did you want the Ewido log as well?

Logfile of HijackThis v1.99.1
Scan saved at 19:27:07, on 22/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Apps\ActivBoard\OSD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Opera75\opera.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.freeserve.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Freeserve
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E0F23D6-F960-43B0-DE29-27560C44DEDA} - C:\DOCUME~1\Liz\APPLIC~1\EGGSRE~1\Translog.exe
O2 - BHO: (no name) - {75CCD670-64BE-47E8-8810-3CB0C8914616} - C:\DOCUME~1\Sam\APPLIC~1\EGGSRE~1\Translog.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Freeserve - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Freeserve - res://C:\PROGRA~1\FREESE~1\FSBar\FSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8247.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.freeserve.com/
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potd_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab28578.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab28578.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://www.smgradio....abasetup144.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A43BB0BB-18DD-4C00-A29D-6CA02AE4EACA}: NameServer = 195.92.195.94 195.92.195.95
O17 - HKLM\System\CS1\Services\Tcpip\..\{A43BB0BB-18DD-4C00-A29D-6CA02AE4EACA}: NameServer = 195.92.195.94 195.92.195.95
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
#13 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Your HJT log looks clean! Sure, post the Ewido log. Let me have a look at it.

BTW, you are using the Translog toolbar, right?
#14 smiddlewood (Member, Topic Starter, 12 posts)
I wouldn't know what the Translog toolbar is, I'm afraid, lol, so I'm going to go with a no to that. I'll post the Ewido log in due course. Is there action I can take against the Translog toolbar? Presumably it's unwanted.
#15 tampabelle (Member 5k, Retired Staff, 6,363 posts)
Hi smiddlewood,

Then let's fix that.

Run HijackThis and click on Scan.

O2 - BHO: (no name) - {2E0F23D6-F960-43B0-DE29-27560C44DEDA} - C:\DOCUME~1\Liz\APPLIC~1\EGGSRE~1\Translog.exe
O2 - BHO: (no name) - {75CCD670-64BE-47E8-8810-3CB0C8914616} - C:\DOCUME~1\Sam\APPLIC~1\EGGSRE~1\Translog.exe

Close all windows other than HijackThis and click on Fix Checked.

Reboot the PC in Safe Mode.

Locate and delete the two files:

C:\DOCUME~1\Liz\APPLIC~1\EGGSRE~1\Translog.exe
C:\DOCUME~1\Sam\APPLIC~1\EGGSRE~1\Translog.exe

Reboot the PC and post a fresh HJT log here.
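The triage tampabelle did by eye in posts #13 and #15 (two O2 BHOs with no registered name, living under a user's Application Data and pointing at an .exe rather than a DLL) can be written down as rules. The Python below is an added example for this thread, not a HijackThis feature and not the helper's own tooling. Its sample log is constructed: the O2, O10 and O23 lines are copied from the log posted above, and the last O4 line is invented (hypothetical) to show a Run key starting a dropper from %TEMP%, like the 13048.exe file the Ewido scan found. The rule set, the severity labels and the "fix list" are this example's assumptions.

```python
"""Triage HijackThis v1.99-style log lines for the entry types discussed in this thread."""
import re
from dataclasses import dataclass

# Constructed sample: O2/O10/O23 lines from the posted log, plus one invented O4 line
# (hypothetical) pointing at a dropper in the user's Temp directory.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\apps\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2E0F23D6-F960-43B0-DE29-27560C44DEDA} - C:\DOCUME~1\Liz\APPLIC~1\EGGSRE~1\Translog.exe
O2 - BHO: (no name) - {75CCD670-64BE-47E8-8810-3CB0C8914616} - C:\DOCUME~1\Sam\APPLIC~1\EGGSRE~1\Translog.exe
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [13048] C:\Documents and Settings\Liz\Local Settings\Temp\13048.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8247.dll' missing
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
"""

# Line shapes as HijackThis prints them (assumed from the posted log, not an official grammar).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.*?) - (?P<path>.+)$")
# Locations any logged-on user can write to: a profile directory or a Temp directory.
USER_WRITABLE_RE = re.compile(r"documents and settings|docume~1|\\temp\\", re.I)


@dataclass
class Finding:
    line: str
    reasons: list[str]
    severity: str  # "high" = tick under Fix checked, "medium" = repair by other means, "info" = verify


def _exe_path(cmd: str) -> str:
    """Pull the executable out of a Run-key command line, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|ocx|cpl|scr))\b", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text: str) -> list[Finding]:
    """Apply the thread's rules of thumb to each line and return only the lines worth a look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons: list[str] = []
        severity = "info"
        if (m := BHO_RE.match(line)):
            name, path = m["name"], m["path"]
            if name == "(no name)":
                reasons.append("BHO registered without a display name")
            if not path.lower().endswith((".dll", ".ocx")):
                reasons.append("BHO path is an .exe, not an in-process DLL/OCX")
            if USER_WRITABLE_RE.search(path):
                reasons.append("BHO loaded from a user-writable profile directory")
            if reasons:
                severity = "high"
        elif (m := RUN_RE.match(line)):
            if USER_WRITABLE_RE.search(_exe_path(m["cmd"])):
                reasons.append("Run key starts a binary from a profile or Temp directory")
                severity = "high"
        elif line.startswith("O10 - Broken Internet access"):
            reasons.append("Winsock LSP chain references a missing DLL; repair the chain rather than just removing the entry")
            severity = "medium"
        elif (m := SVC_RE.match(line)):
            if m["vendor"].strip() in ("", "Unknown owner"):
                reasons.append("service binary carries no vendor name; verify it before trusting it")
        if reasons:
            findings.append(Finding(line, reasons, severity))
    return findings


def fix_lines(log_text: str) -> list[str]:
    """The lines a helper would tell the poster to tick under 'Fix checked'."""
    return [f.line for f in triage(log_text) if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Only the "high" lines go into Fix checked. The O10 entry is reported separately because a missing LSP DLL leaves the Winsock provider chain broken and removing the line does not rebuild the chain, and an "Unknown owner" service is a prompt to verify rather than a verdict (nhksrv here sits in the same directory as the ActivBoard utilities listed under the running processes).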