Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Help Real Slo and Several pop ups [RESOLVED]


  • This topic is locked This topic is locked

#1
amanda6982

amanda6982

    New Member

  • Member
  • Pip
  • 7 posts
Here is my HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 8:23:08 PM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\mc-58-12-0000093.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\America Online 6.0\aoltray.exe
C:\Program Files\Common Files\services.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.startium.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sandboxer.....J2SRKK5#4N8FN
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - _{0199DF25-9820-4bd5-9FEE-5A765AB4371E} - (no file)
R3 - URLSearchHook: (no name) - _{0199DF25-9820-4bd5-9FEE-5A765AB4371E - (no file)
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2 - (no file)
R3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ymStoreS] C:\WINDOWS\System32\ymStoreS.exe
O4 - HKLM\..\Run: [wznkic] C:\WINDOWS\System32\bveuefm.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NXFPZKV] C:\WINDOWS\NXFPZKV.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [e7fabd9f1f37] C:\WINDOWS\System32\cfgbkend.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe"
O4 - HKLM\..\Run: [Clickthebutton] C:\PROGRA~1\CLICKT~2\ctbClick.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O4 - HKCU\..\Run: [raschap611p.exe] "C:\WINDOWS\System32\raschap611p.exe"
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-58-12-0000093.exe
O4 - HKCU\..\Run: [Windows] windows.exe
O4 - HKCU\..\RunServices: [Windows] windows.exe
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: KeenValue.lnk = C:\Program Files\Common Files\KeenValue\keenvalue.exe
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O8 - Extra context menu item: &FastSeeker Search - res://C:\Program Files\FastSeeker\FastSeekerToolbar011203.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsear...ml?p=ZNxdm47533
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {3D9333E1-891F-4710-A563-76FE2CEAFCEA} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: http://www.neededware.com
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.shar...ver/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Client-Server (nwclntserv) - Unknown owner - C:\WINDOWS\system32\srvss.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

Advertisements


#2
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello :tazz:

Sorry for the delayed response, it has been very busy lately.

If you still require help please post a new Hijack log in this
thread and I will help you. If your problem has been fixed please
respond and let us know.

Thanks
  • 0

#3
amanda6982

amanda6982

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
I have followed alot stuff on other posts on here and cleaned up alot of crap. But my system still does not seem to good. Here is my new log

Thanks
Amanda


Logfile of HijackThis v1.99.1
Scan saved at 2:07:09 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 6.0\aoltray.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Client-Server (nwclntserv) - Unknown owner - C:\WINDOWS\system32\srvss.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

#4
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello amanda :tazz:

Your log looks pretty good. But that doesn't mean your system is clean. Let's make sure everything is gone.

Download and install CleanUp! Here
Then run the program
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups

Then run this online virus scan:
ActiveScan

Copy the results of the ActiveScan and paste them here with a new hijack log

(if you can't run the above scan try this one Kaspersky OnLine Scan )
  • 0

#5
amanda6982

amanda6982

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here are are the logs you requested

Logfile of HijackThis v1.99.1
Scan saved at 8:39:12 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\America Online 6.0\aoltray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Client-Server (nwclntserv) - Unknown owner - C:\WINDOWS\system32\srvss.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe




Incident Status Location

Virus:W32/Admincash.B Disinfected Operating system
Adware:Adware/eZula No disinfected C:\WINDOWS\System32\sysfile.dll
Adware:Adware/SaveNow No disinfected C:\WINDOWS\System32\datastore.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\System32\lw.dll
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay
Adware:Adware/nCase No disinfected C:\WINDOWS\System32\FLEOK
Spyware:Spyware/Dyfuca No disinfected Windows Registry
Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\System32\SahImages
Adware:Adware/StatBlaster No disinfected Windows Registry
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\Downloaded Program Files\VBouncerOuter*.exe
Spyware:Spyware/TVMedia No disinfected C:\WINDOWS\Bundles
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\System32\pcs
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\amanda\Application Data\Lycos
Adware:Adware/IEDriver No disinfected Windows Registry
Adware:Adware/ISearch No disinfected C:\WINDOWS\isrvs
Virus:Bck/Webber.P Disinfected Operating system
Spyware:Spyware/Media-motor No disinfected Windows Registry
Adware:Adware/TopRebates No disinfected C:\WINDOWS\bundles\WebRebates*.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Media Access
Adware:Adware/InstDollars No disinfected Windows Registry
Adware:Adware/Beginto No disinfected C:\WINDOWS\System32\cache32_rtneg?
Adware:Adware/MyWebSearch No disinfected Windows Registry
Adware:Adware/PowerSearch No disinfected C:\WINDOWS\System32\stlb2.xml
Adware:Adware/EffectiveBrandToolbarNo disinfected C:\WINDOWS\games.exe
Adware:Adware/TopConvert No disinfected Windows Registry
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\System32\Cards.ico
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Adware:Adware/Transponder No disinfected C:\WINDOWS\inst
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\amanda\Favorites\1111\1111.url
Adware:Adware/Novo No disinfected Windows Registry
Adware:Adware/Maxifiles No disinfected C:\Program Files\MaxiFiles
Adware:Adware/Weirdontheweb No disinfected C:\WINDOWS\weirdontheweb_topc.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Administrator\My Documents\Data\Data\popinstlite.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Administrator\My Documents\Data\popinstlite.exe
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\amanda\Favorites\1111\1111.url
Adware:Adware/Apropos No disinfected C:\Documents and Settings\amanda\My Documents\Data\Data\popinstlite.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\amanda\My Documents\Data\popinstlite.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe
Adware:Adware/Gator No disinfected C:\GatorPatch.log
Adware:Adware/DelFinMedia No disinfected C:\keys.ini
Virus:W32/Sdbot.DMR.worm Disinfected C:\msgme.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\FreeProdFetch\mc-58-12-0000093.exe
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[Catcher.dll]
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\Program Files\DNS\gui.exe
Adware:Adware/ExactSearch No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\1A00D449-A983-4520-A6E6-8D3643\7AF0E321-09C0-4DCF-A23D-376ED8
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\B7EE49F0-CBDA-4A59-876D-230D40\6D784135-0711-4671-BD6D-66C681
Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\2504040824.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\bs5-cvuacy.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\CSV5P070.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\EDow_AS2.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\ezStub.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\icmedia_7.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\setup_silent_17123.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\Tvm_b5_269.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\VT02.exe
Adware:Adware/PortalScan No disinfected C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe
Adware:Adware/ISearch No disinfected C:\WINDOWS\delprot.ini
Adware:Adware/ISearch No disinfected C:\WINDOWS\deskbar.ini
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\Downloaded Program Files\bs5-zxlbme.exe
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\Downloaded Program Files\turbo.inf
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\Downloaded Program Files\VbouncerOuter1123030507.exe
Virus:W32/Admincash.B Disinfected C:\WINDOWS\explorer.exe
Adware:Adware/EffectiveBrandToolbarNo disinfected C:\WINDOWS\games.exe
Adware:Adware/Ucmore No disinfected C:\WINDOWS\games.exe[IUCMORE.DLL]
Adware:Adware/nCase No disinfected C:\WINDOWS\msbb.exe.temp
Virus:Trj/Zapchast.H Disinfected C:\WINDOWS\mtu.bat
Virus:W32/Admincash.B Disinfected C:\WINDOWS\ServicePackFiles\i386\explorer.exe
Virus:W32/Sdbot.ftp Disinfected C:\WINDOWS\SYSTEM32\a
Adware:Adware/IEDriver No disinfected C:\WINDOWS\SYSTEM32\asfsipc9.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\SYSTEM32\book.dll
Virus:Trj/Zapchast.D Disinfected C:\WINDOWS\SYSTEM32\c.bat
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\SYSTEM32\cards.ico
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM32\cm1.dll
Adware:Adware/SaveNow No disinfected C:\WINDOWS\SYSTEM32\datastore.dll
Virus:W32/Admincash.B Disinfected C:\WINDOWS\SYSTEM32\dllcache\explorer.exe
Adware:Adware/InstDollars No disinfected C:\WINDOWS\SYSTEM32\first.awp
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:Adware/Specofer No disinfected C:\WINDOWS\SYSTEM32\httppost.exe_
Adware:Adware/PortalScan No disinfected C:\WINDOWS\SYSTEM32\id119.exe
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\SYSTEM32\InstallerV3.exe
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\SYSTEM32\kyf.dat
Virus:Trj/Multidropper.ADZ Disinfected C:\WINDOWS\SYSTEM32\lw.dll
Virus:Trj/Multidropper.AEO Disinfected C:\WINDOWS\SYSTEM32\mcea110.dll
Virus:Exploit/Lsass.E Disinfected C:\WINDOWS\SYSTEM32\msscn32a.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\ncase.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\ncase2.dll
Spyware:Spyware/New.net No disinfected C:\WINDOWS\SYSTEM32\newnet.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM32\NLNupgradeV4_5P13.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\SYSTEM32\OMsetup.exe
Adware:Adware/InstDollars No disinfected C:\WINDOWS\SYSTEM32\second.awp
Adware:Adware/PurityScan No disinfected C:\WINDOWS\SYSTEM32\Shex.exe
Adware:Adware/SideStep No disinfected C:\WINDOWS\SYSTEM32\SideStep.exe
Adware:Adware/SideStep No disinfected C:\WINDOWS\SYSTEM32\sstep.dll
Adware:Adware/PowerSearch No disinfected C:\WINDOWS\SYSTEM32\stlb2.xml
Adware:Adware/eZula No disinfected C:\WINDOWS\SYSTEM32\sysfile.dll
Adware:Adware/MediaTickets No disinfected C:\WINDOWS\SYSTEM32\windows.html
Virus:Trj/TedapuNews.A Disinfected C:\WINDOWS\SYSTEM32\winupdt.exe
Adware:Adware/MyWay No disinfected C:\WINDOWS\SYSTEM32\Xcite.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\SYSTEM32\Xcite.exe
Adware:Adware/Weirdontheweb No disinfected C:\WINDOWS\weirdontheweb_topc.exe
Spyware:Spyware/BargainBuddy No disinfected C:\wmedia_bbi8015.exe
  • 0

#6
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello amanda6982 :tazz:

Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file

Now open pocketkillbox Select the option "Delete on reboot".
Now highlight and 'copy' (Ctrl + C) the entire list of filepaths below:
Click 'File' on the killbox menu at the top and choose 'Paste from clipboard'
The entire list should now be in the "Full Path of File to Delete"
field.To check, click on the dropdown-arrow next to that field.
If you expand it, these lines should all be there.


C:\WINDOWS\System32\sysfile.dll
C:\WINDOWS\System32\lw.dll
C:\GatorPatch.log
C:\WINDOWS\System32\FLEOK
C:\WINDOWS\bundles
C:\WINDOWS\System32\SahImages
C:\WINDOWS\Downloaded Program Files\VBouncerOuter*.exe
C:\WINDOWS\System32\pcs
C:\Documents and Settings\amanda\Application Data\Lycos
C:\WINDOWS\isrvs
C:\WINDOWS\System32\cache32_rtneg?
C:\WINDOWS\System32\stlb2.xml
C:\WINDOWS\games.exe
C:\WINDOWS\System32\Cards.ico
C:\WINDOWS\inst
C:\Documents and Settings\amanda\Favorites\1111\1111.url
C:\WINDOWS\weirdontheweb_topc.exe
C:\Documents and Settings\Administrator\My Documents\Data\Data\popinstlite.exe
C:\Documents and Settings\Administrator\My Documents\Data\popinstlite.exe
C:\Documents and Settings\amanda\Favorites\1111\1111.url
C:\Documents and Settings\amanda\My Documents\Data\Data\popinstlite.exe
C:\Documents and Settings\amanda\My Documents\Data\popinstlite.exe
C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe
C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe
C:\keys.ini
C:\Program Files\Common Files\FreeProdFetch\mc-58-12-0000093.exe
C:\Program Files\DNS\gui.exe
C:\WINDOWS\bundles\2504040824.exe
C:\WINDOWS\bundles\bs5-cvuacy.exe
C:\WINDOWS\bundles\CSV5P070.exe
C:\WINDOWS\bundles\EDow_AS2.exe
C:\WINDOWS\bundles\ezStub.exe
C:\WINDOWS\bundles\icmedia_7.exe
C:\WINDOWS\bundles\setup_silent_17123.exe
C:\WINDOWS\bundles\Tvm_b5_269.exe
C:\WINDOWS\bundles\VT02.exe
C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe
C:\WINDOWS\delprot.ini
C:\WINDOWS\deskbar.ini
C:\WINDOWS\Downloaded Program Files\bs5-zxlbme.exe
C:\WINDOWS\Downloaded Program Files\turbo.inf
C:\WINDOWS\Downloaded Program Files\VbouncerOuter1123030507.exe
C:\WINDOWS\games.exe
C:\WINDOWS\msbb.exe.temp
C:\WINDOWS\SYSTEM32\book.dll
C:\WINDOWS\SYSTEM32\asfsipc9.exe
C:\WINDOWS\SYSTEM32\cards.ico
C:\WINDOWS\SYSTEM32\cm1.dll
C:\WINDOWS\SYSTEM32\first.awp
C:\WINDOWS\SYSTEM32\fiz1
C:\WINDOWS\SYSTEM32\httppost.exe_
C:\WINDOWS\SYSTEM32\id119.exe
C:\WINDOWS\SYSTEM32\INNERADINSTALL.LOG
C:\WINDOWS\SYSTEM32\InstallerV3.exe
C:\WINDOWS\SYSTEM32\kyf.dat
C:\WINDOWS\SYSTEM32\ncase.dll
C:\WINDOWS\SYSTEM32\ncase2.dll
C:\WINDOWS\SYSTEM32\newnet.dll
C:\WINDOWS\SYSTEM32\NLNupgradeV4_5P13.exe
C:\WINDOWS\SYSTEM32\OMsetup.exe
C:\WINDOWS\SYSTEM32\second.awp
C:\WINDOWS\SYSTEM32\Shex.exe
C:\WINDOWS\SYSTEM32\SideStep.exe
C:\WINDOWS\SYSTEM32\sstep.dll
C:\WINDOWS\SYSTEM32\stlb2.xml
C:\WINDOWS\SYSTEM32\sysfile.dll
C:\WINDOWS\SYSTEM32\windows.html
C:\WINDOWS\SYSTEM32\Xcite.dll
C:\WINDOWS\SYSTEM32\Xcite.exe
C:\WINDOWS\weirdontheweb_topc.exe
C:\wmedia_bbi8015.exe


Then press the red button with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot, click YES.When it asks if you would like to Reboot now, click YES.


Please reboot into safe mode Safe mode(continually tap the F8 key while your system is starting, select Safe Mode from the menu).


Please uninstall the following (click start||control panel||add/remove programs) If present
Media Access
MaxiFiles



Using windows explorer( right click start, left click explore)
Search for and delete these files and folders
C:\Program Files\ MaxiFiles
C:\Program Files\Media Access


Reboot and post a new Hijack log
  • 0

#7
amanda6982

amanda6982

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Here is my new log.


Logfile of HijackThis v1.99.1
Scan saved at 8:49:44 PM, on 7/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\HJT\HijackThis.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\America Online 6.0\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Client-Server (nwclntserv) - Unknown owner - C:\WINDOWS\system32\srvss.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

#8
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello amanda6982 :tazz:


Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:


Network Client-Server (nwclntserv)


When you find them, double-click on each one. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Reboot and post a new Hijack log
  • 0

#9
amanda6982

amanda6982

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
The service was already stopped. And the file did not match the one you said.

Logfile of HijackThis v1.99.1
Scan saved at 6:19:01 PM, on 7/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\America Online 6.0\aoltray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Client-Server (nwclntserv) - Unknown owner - C:\WINDOWS\system32\srvss.exe (file missing)
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

#10
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Did you disable the service? It appears to still be running
  • 0

Advertisements


#11
TomNJ

TomNJ

    Visiting Staff

  • Member
  • PipPipPip
  • 436 posts
Yes she did. She sent me a PM and I told her to stick with you in this topic.

Edited by TomNJ, 16 July 2005 - 09:16 AM.

  • 0

#12
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
Hello amanda ;)

Please feel free to ask any questions you may have.
We are going to repeat a step and than delete the service, then you may be good to go :tazz:

Scan with Hijack this and put a check in thie following box

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarest...es2/Install.cab

Now close all browsers and click fix checked


Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below service:


Network Client-Server (nwclntserv)


When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok.

Run HiJackThis. Click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service" a window will pop up. Enter the below item into that field (copy and paste):


nwclntserv

Click ok.

It should pull up information about the service, when it asks if you want to reboot now click YES.(You will reboot ino safemode)

Please reboot into safe mode Safe mode(continually tap the F8 key while your system is starting, select Safe Mode from the menu).

We need to search for and delete this file if it is still present

C:\WINDOWS\system32\srvss.exe

Reboot and post a new log please

thanks ;)
  • 0

#13
amanda6982

amanda6982

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Logfile of HijackThis v1.99.1
Scan saved at 12:46:05 PM, on 7/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\America Online 6.0\aoltray.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0\aoltray.exe
O4 - Global Startup: Event Reminder.lnk = C:\Program Files\PrintMaster 16\pmremind.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
  • 0

#14
loophole

loophole

    Malware Expert

  • Retired Staff
  • 9,798 posts
The log looks good . Are you still having problems?
  • 0

#15
amanda6982

amanda6982

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Everything looks good now. Thanks so much for all your elp.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP