Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Cannot Change Desktop [RESOLVED]


  • This topic is locked This topic is locked

#1
skillfarmer

skillfarmer

    New Member

  • Member
  • Pip
  • 7 posts
Any help will be appreciated. I cannot change my desktop background. I have recently installed ewido security suite and it has killed every thing on my computer except a trojan umm cant remember the name, downloadsomething that seems to be generating random #'ed exe files in my windows\system directory (1245.exe 66582.exe etc)

heres the log

Logfile of HijackThis v1.99.1
Scan saved at 8:15:02 PM, on 6/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\United Devices\UD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\United Devices\ud_7174683.exe
C:\Program Files\United Devices\ud_7174683_0.dir\ud_ligfit_Release.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jenny Robinson\Desktop\HijackThis.exe
C:\DOCUMENTS AND SETTINGS\JENNY ROBINSON\DESKTOP\HijackThis-1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - _{D7CD08F0-D691-11D8-9669-0800200C9A66} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [dumbos do format] C:\Program Files\ddf\ddfbeta4-3-2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downlo...ESS_1058_XP.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

again, any heop is appreciated
  • 0

Advertisements


#2
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi skillfarmer and welcome to GeeksToGo! My name is Excal and I will be helping you.

I apologize for the delay getting to your log, the helpers here are very busy.
If you still need help, please post a fresh Hijack log so I can help you with your Malware Problems.

If you have resolved this issue please let us know.

:tazz:

Excal
  • 0

#3
skillfarmer

skillfarmer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Ok! Thanks for the response. I understand you guys can be kept very busy! Heres an updated hijack this log file. I took action into my own hands and started deleting some of the entries I knew were associated with spyware programs like EDGACCESS something and a weather.exe file that quite possibly could have been the problem. I would still appreciate you browsing thru the log file to see if there is anything I have missed as my computers performance is still sub-par.

ogfile of HijackThis v1.99.1
Scan saved at 8:48:16 AM, on 6/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\United Devices\UD.EXE
C:\Program Files\United Devices\ud_7657531.exe
C:\Program Files\United Devices\ud_7657531_0.dir\WCGrid_Rosetta.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Jenny Robinson\Desktop\HijackThis-1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - _{D7CD08F0-D691-11D8-9669-0800200C9A66} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [dumbos do format] C:\Program Files\ddf\ddfbeta4-3-2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by skillfarmer, 29 June 2005 - 07:51 AM.

  • 0

#4
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi skillfarmer and welcome to GeeksToGo! My name is Excal and I will be helping you.

I took action into my own hands and started deleting some of the entries


When you say that, what do you mean by deleting. Did you check them off and "fix" them on Hijack this, or did you go into explorer and delete them there?
Also, do you have your desktop back?

Please let me know, and for the time being, please do not delete anything else. I know your well meaning, but sometimes you can Hide something that I need to see to properly identyfy the infections you have.


Thanks,

:tazz:

Excal
  • 0

#5
skillfarmer

skillfarmer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I understand. I just "fixed" w/ desktop hijack a few of the entries, I will look at an old log file i posted and tell you which ones.

O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess
O16 - DPF: {BFC9677B-8006-4336-9D49-2C797AEFCB9E} - http://akamai.downlo...ESS_1058_XP.cab

Those were the ones I deleted. I followed someone else's desktop recovery information and created a .reg file to fix my registry after deleting the desktop.html file...anyway, that problem is fixed. After deleting those three items up there, i have not had any more msgs from Ewido Security telling me that 123432.exe or 1343.exe or whatever other randomly generated .exe file for trojandownloader.small.als is attempting to do something.

Is there any others there that need to go? Or any furthur steps i need to take to clean the two program's entries i removed? I understand that I should not have done anything before you gave me advice. I just, at that point this morning, figured i was not going to get any advice so i started doin things myself :tazz: Woops. I'll run ewido again here in an hour or so and get back to you with results. Until then, the desktop hijack log i posed most recently was just done this morning after I "fixed" those items w/ hijack this.
  • 0

#6
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Hi skillfarmer and welcome to GeeksToGo! My name is Excal and I will be helping you.

I can see that you have some malware issues. This maybe a few step process in removing it. I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further.

I noticed that your HiJackthis.exe is located on your desktop, make sure to save HijackThis in its own folder (i.e. C:\HJT). This is very important, so HiJackThis can save backups!

the only reason i was putting fix in quotation marks is that in most cases its not fixing anything. For example:
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGDACCESS_1058.dll,InstantAccess


these 2 entries you took out are indeed bad, but you only stopped them from starting up *maybe The files also have to go. The good thing is you knew which ones you took out, so all is good (thank you for that) ;)

In this fix, some of the file/program or folders may not be there, thats fine, just move onto the next one :tazz:

I am not familiar with this program(it appears to be in beta) can you verify that you have installed it, or know that its suppose to be here:[dumbos do format] C:\Program Files\ddf\ddfbeta4-3-2.exe

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.


DOWNLOAD PROGRAMS

Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!


THE FIX

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HiJackThis and place a checkmark next to each of the following items:
===================================================
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - _{D7CD08F0-D691-11D8-9669-0800200C9A66} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O8 - Extra context menu item: &Search the Web - C:\WINDOWS\Web\Ers_src.htm


Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Daily Weather Forecast
PSGuard
SpySheriff
Viewpointmgr


Please remove the following folders using Windows Explorer (if present):

C:\Program Files\Daily Weather Forecast
C:\Program Files\PSGuard
C:\Program Files\SpySheriff
C:\Program Files\Viewpoint


Please remove just the files from the following paths using Windows Explorer (if present):

C:\WINDOWS\Web\Ers_src.htm
EGDACCESS_1058.dll <======Use start>search for this


===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.


Open Ad-aware and do a full scan. Remove all it finds.


Now open Ewido Security Suite
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files, click OK
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save Report
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply.

Let us know how your computer is running ;)

Edited by Excal, 29 June 2005 - 10:21 AM.

  • 0

#7
skillfarmer

skillfarmer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Sorry to have bailed on you excal. I did not realize the scans would take so long and had to leave for vacation during the middle of the process :tazz:. I am back and will give it a go tonight after i get off of work.
  • 0

#8
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
No Problem, hope you enjoyed your vacation :tazz:
  • 0

#9
skillfarmer

skillfarmer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Ok looks like we didnt get all of it :tazz:

Heres the panda scan

Incident Status Location

Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Adware:Adware/StatBlaster No disinfected Windows Registry
Adware:Adware/DelFinMedia No disinfected C:\Program Files\DelFin
Adware:Adware/SideSearch No disinfected Windows Registry
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Spyware:Spyware/ISTbar No disinfected C:\RECYCLER\S-1-5-21-3942531886-2154702590-596957751-500\Dc1\weather.exe
Virus:Trj/Iconz.A Disinfected C:\WINDOWS\iconz.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\INF\bi8.inf
Adware:Adware/SideSearch No disinfected C:\WINDOWS\sepsd.bin
Adware:Adware/KeenValue No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM32\ezPopStub.exe

heres the ewido log

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:49:03 PM, 7/8/2005
+ Report-Checksum: 479B2810

+ Scan result:

C:\dnetc\dnetc.com -> Not-A-Virus.Tool.DNet.l : Ignored
HKLM\SOFTWARE\Classes\Interface\{370F6327-41C4-4FA6-A2DF-1BA57EE0FBB9} -> Spyware.eZula : Cleaned without backup
HKLM\SOFTWARE\Classes\Interface\{EFA52460-8822-4191-BA38-FACDD2007910} -> Spyware.eZula : Cleaned without backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\AUI -> Spyware.WebSearch : Cleaned without backup
:mozilla.13:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Xxxcounter : Cleaned without backup
:mozilla.17:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Paycounter : Cleaned without backup
:mozilla.33:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.34:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.35:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.36:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.37:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.38:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.40:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.43:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.44:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.45:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.46:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.47:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.48:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.49:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.50:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.51:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.52:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.53:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.54:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.55:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.56:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.57:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.58:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.59:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.60:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.61:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.62:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.63:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.64:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.65:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.66:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.67:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.68:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.69:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.70:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.71:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.72:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.73:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.74:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.75:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.76:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.77:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.78:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.79:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.80:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.81:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.82:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.83:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.84:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.85:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.86:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.87:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.88:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.89:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.90:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.91:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned without backup
:mozilla.92:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.93:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Advertising : Cleaned without backup
:mozilla.94:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Sextracker : Cleaned without backup
:mozilla.95:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Sextracker : Cleaned without backup
:mozilla.104:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned without backup
:mozilla.160:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned without backup
:mozilla.165:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.166:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.167:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.168:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.169:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned without backup
:mozilla.170:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.171:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Adserver : Cleaned without backup
:mozilla.172:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
:mozilla.173:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
:mozilla.179:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
:mozilla.180:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
:mozilla.181:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
:mozilla.182:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned without backup
:mozilla.195:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned without backup
:mozilla.196:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned without backup
:mozilla.197:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned without backup
:mozilla.198:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned without backup
:mozilla.201:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned without backup
:mozilla.205:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Overture : Cleaned without backup
:mozilla.208:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Xxxtoolbar : Cleaned without backup
:mozilla.210:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Spylog : Cleaned without backup
:mozilla.225:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.2o7 : Cleaned without backup
:mozilla.262:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.264:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.266:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.284:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned without backup
:mozilla.285:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned without backup
:mozilla.292:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned without backup
:mozilla.293:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned without backup
:mozilla.294:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned without backup
:mozilla.295:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.296:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.297:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.298:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned without backup
:mozilla.303:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned without backup
:mozilla.315:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned without backup
:mozilla.316:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned without backup
:mozilla.317:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned without backup
:mozilla.324:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned without backup
:mozilla.325:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned without backup
:mozilla.326:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned without backup
:mozilla.327:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned without backup
:mozilla.367:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned without backup
:mozilla.368:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Linksynergy : Cleaned without backup
:mozilla.374:C:\Documents and Settings\Jenny Robinson\Application Data\Mozilla\Firefox\Profiles\default.hpl\cookies.txt -> Spyware.Cookie.Coremetrics : Cleaned without backup


::Report End

and heres the hijak

Logfile of HijackThis v1.99.1
Scan saved at 5:06:54 PM, on 7/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\United Devices\UD.EXE
C:\Program Files\United Devices\ud_7174683.exe
C:\Program Files\United Devices\ud_7174683_0.dir\ud_ligfit_Release.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Jenny Robinson\Desktop\HijackThis-1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [dumbos do format] C:\Program Files\ddf\ddfbeta4-3-2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Steam] "c:\program files\valve\steam\steam.exe" -silent
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_42.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#10
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
actually it looks very good :tazz:

Malware always leaves some leftovers, and all we have to do is clean them up ;)

How is your desktop, have u been able to regain control over it?

Just a few random bad files and folders to clean up.

Please remove the following folders using Windows Explorer (if present):

C:\Program Files\DelFin
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\WINDOWS\iconz.exe
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "no".

    Do that for the following files also, until you get to the last one, then click "yes" when HJT asks you to reboot.

C:\WINDOWS\system32\ezPopStub.exe
C:\GatorPatch.log
C:\WINDOWS\system32\drivers\etc\hosts.bho
C:\RECYCLER\S-1-5-21-3942531886-2154702590-596957751-500\Dc1\weather.exe
C:\WINDOWS\INF\bi8.inf
C:\WINDOWS\sepsd.bin


Post back when you finish and tell me how your computer is running ;)


I am not familiar with this program(it appears to be in beta) can you verify that you have installed it, or know that its suppose to be here:[dumbos do format] C:\Program Files\ddf\ddfbeta4-3-2.exe
  • 0

#11
skillfarmer

skillfarmer

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
will do what you asked and post back tomorrow (goin to bed now) ddf is a legitimate program
  • 0

#12
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Sounds good :tazz:



Excal
  • 0

#13
Excal

Excal

    Malware Slayer Extraordinaire!

  • Retired Staff
  • 12,739 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP