Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

DrPMon.dll Trouble [RESOLVED]

Started by Navy Seal , Jul 12 2005 03:04 PM

This topic is locked

#31
Navy Seal

Posted 15 July 2005 - 02:02 AM

Member

Topic Starter
Member
119 posts

since the panda log is still running i just searched for the winlogin.exe file.

(hahah it did confuse me at first because i did confuse it with winlogOn.exe)

anyway, here's the full path name(s) that came up. it ended up being 2 backups from HJT:

backup-20050714-181713-618-winlogin
C:\Program Files\HJT\hijackthis\backups

backup-20050714-225427-455-winlogin
C:\Program Files\HJT\hijackthis\backups

#32
Navy Seal

Posted 15 July 2005 - 02:16 AM

Member

Topic Starter
Member
119 posts

ok here we go!

here's the LK2 Fix Log that u wanted:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

here's the Panda Scan Log:

Incident Status Location

Adware:Adware/Apropos No disinfected C:\Program Files\Aprps
Spyware:Spyware/Bridge No disinfected C:\WINDOWS\System32\a.exe
Adware:Adware/SuperSpider No disinfected C:\Program Files\Q330994.exe
Spyware:Spyware/SurfSideKick No disinfected Windows Registry
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\mstasks1.exe
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Stephen\Desktop\l2mfix\backup.zip[mndxmlc.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Stephen\Desktop\l2mfix\backup.zip[pgfmgr.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Stephen\Desktop\l2mfix\backup.zip[guard.tmp]
Adware:Adware/SuperSpider No disinfected C:\m.exe
Adware:Adware/SuperSpider No disinfected C:\mssys.com
Adware:Adware/SuperSpider No disinfected C:\p.exe
Adware:Adware/SuperSpider No disinfected C:\Program Files\q330994.exe
Adware:Adware/SuperSpider No disinfected C:\q.exe
Adware:Adware/SuperSpider No disinfected C:\q250204.exe
Adware:Adware/SuperSpider No disinfected C:\soundmx.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\cvchost.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\dl.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\dlm.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msstasks.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\mssys.com
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\mstasks1.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\mstaskss.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\msxmidi.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\reg33.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\rocky.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\runwin32.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\seksdialer.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system\system.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system\wmscrop.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\a.exe
Spyware:Spyware/Bridge No disinfected C:\WINDOWS\system32\bridge.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\d2kpax.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\d2kpax.exe
Virus:Trj/Qhost.Y Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\jac.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\mcc.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\msxslab.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\MDTC~1.EXE
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\services
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\system32.dll
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\system32\winproc32.exe
Adware:Adware/SuperSpider No disinfected C:\WINDOWS\wininet32.exe
Adware:Adware/SuperSpider No disinfected C:\winspec.dat
Thanks!

#33
Guest_usetobe_*

Posted 15 July 2005 - 02:29 AM

Guest

Copy and paste the filepaths below into notepad then save it to desktop.

C:\Program Files\Aprps
C:\WINDOWS\System32\a.exe
C:\Program Files\Q330994.exe
C:\WINDOWS\mstasks1.exe
C:\Documents and Settings\Stephen\Desktop\l2mfix\backup.zip[mndxmlc.dll]
C:\Documents and Settings\Stephen\Desktop\l2mfix\backup.zip[pgfmgr.dll]
C:\Documents and Settings\Stephen\Desktop\l2mfix\backup.zip[guard.tmp]
C:\m.exe
C:\mssys.com
C:\p.exe
C:\Program Files\q330994.exe
C:\q.exe
C:\q250204.exe
C:\soundmx.exe
C:\WINDOWS\cvchost.exe
C:\WINDOWS\dl.exe
C:\WINDOWS\dlm.exe
C:\WINDOWS\msstasks.exe
C:\WINDOWS\mssys.com
C:\WINDOWS\mstasks1.exe
C:\WINDOWS\mstaskss.exe
C:\WINDOWS\msxmidi.exe
C:\WINDOWS\reg33.exe
C:\WINDOWS\rocky.exe
C:\WINDOWS\runwin32.exe
C:\WINDOWS\seksdialer.exe
C:\WINDOWS\system\system.exe
C:\WINDOWS\system\wmscrop.exe
C:\WINDOWS\system.exe
C:\WINDOWS\system32\a.exe
C:\WINDOWS\system32\bridge.dll
C:\WINDOWS\system32\d2kpax.dll
C:\WINDOWS\system32\d2kpax.exe
C:\WINDOWS\system32\jac.dll
C:\WINDOWS\system32\mcc.exe
C:\WINDOWS\system32\msxslab.dll
C:\WINDOWS\system32\MDTC~1.EXE
C:\WINDOWS\system32\services
C:\WINDOWS\system32\system32.dll
C:\WINDOWS\system32\winproc32.exe
C:\WINDOWS\wininet32.exe
C:\winspec.dat

* Please download the http://www.bleepingc...es/killbox.php]Killbox by Option^Explicit[/url]. *In the event you already have Killbox, this is a new version that I need you to download.

* Save it to your desktop.

Now reboot into Safe mode by tapping the F8 key whilst your pc starts up

Rescan with HJT and check the following entry

O4 - Global Startup: winlogin.exe

Ensure no windows open except HJT and click fix checked.

* Please double-click Killbox.exe to run it.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "[b]No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Delete HJT backups from HJT folder

Rescan with HJT and post the log back

#34
Navy Seal

Posted 15 July 2005 - 02:46 AM

Member

Topic Starter
Member
119 posts

hey again! ok everything went fine except when i tried to delete the

O4 - Global Startup: winlogin.exe

it said that it was in use or something, and to go to the task manager to end it. when i went to the task manager there was only a winlogon.exe. i think this happened last time to.

here's my HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 4:44:34 AM, on 7/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thelms.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] \Program\
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Protocol: bw+0 - {7810B763-919D-4E99-85D5-8487379E2F08} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Stephen\Local Settings\Temporary Internet Files\Content.IE5\KDIJS9Y7\CWShredder[1].exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Hope things are looking good!

#35
Guest_usetobe_*

Posted 15 July 2005 - 02:53 AM

Guest

Ensure system setup to show hidden files and carry out another search for our little enemy :tazz:

winlogin.exe to find the filepath

#36
Navy Seal

Posted 15 July 2005 - 02:56 AM

Member

Topic Starter
Member
119 posts

hahah that one is a pain aint it!

hidden files/folders r available, but i noticed two other things below that option.

the one says:
Hide Extensions for known file types.

the other one says:
Hide protected operating system files(Recommended)

both of them r checked...i was reading in another post saying that uncheck the second one i typed!? should i leave these alone!? just thought i'd mention it!

in the mean time i will search for the winlogin.exe!

#37
Guest_usetobe_*

Posted 15 July 2005 - 02:58 AM

Guest

uncheck them for now, as we need to find the little blighter

#38
Navy Seal

Posted 15 July 2005 - 02:59 AM

Member

Topic Starter
Member
119 posts

alrighty!!

im searching in Windows Explorer within My Computer. so it should search everything now that i have all the hidden stuff avaiable!

Edited by Navy Seal, 15 July 2005 - 03:00 AM.

#39
Navy Seal

Posted 15 July 2005 - 03:03 AM

Member

Topic Starter
Member
119 posts

I FOUND IT!!

here is the path:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

i had the hidden files/folders unchecked so i could c them, but i did not have that option unchecked in the actual "Window Explorer" search. it was a hidden file.

i didnt delete it, as u did not instruct me to!

#40
Guest_usetobe_*

Posted 15 July 2005 - 03:18 AM

Guest

Right now we can go for the jugular

Reboot into Safe mode

in killbox copy and paste the filepath into the box

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If pc does not reboot automatically do it manually

Whilst pc rebooting tap F8 key to go into Safe mode

Then scan with HJT and check if present:

O4 - Global Startup: winlogin.exe

Ensure no windows open and click fix checked

Reboot pc normally and rescan with HJT and post log back, let me know if you have any problems to see if we need to change tactic on it

#41
Navy Seal

Posted 15 July 2005 - 03:19 AM

Member

Topic Starter
Member
119 posts

ok quick question before i do this! should i select the "Delete on Reboot" like last time, or just leave it as is!?

#42
Guest_usetobe_*

Posted 15 July 2005 - 03:22 AM

Guest

YEP,

I did say :tazz:

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

#43
Navy Seal

Posted 15 July 2005 - 03:24 AM

Member

Topic Starter
Member
119 posts

* Select "Delete on Reboot".

only reason i asked was because u mentioned it last time to select it! just wanted to make sure

Edited by Navy Seal, 15 July 2005 - 03:24 AM.

#44
Navy Seal

Posted 15 July 2005 - 03:36 AM

Member

Topic Starter
Member
119 posts

ok im back! i put the file path in kill box and deleted it!

(however just as a side note, nothing about an Operation Pending came up and then clicking "no" only two boxes about rebooting after deleting! i dont think it's really a biggie, just thought i'd mention it)

i ran the HJT Scan in safe mode, and it was finally gone!

here's my HJT Log for normal mode:

Logfile of HijackThis v1.99.1
Scan saved at 5:35:43 AM, on 7/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.thelms.com/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [LDM] \Program\
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O18 - Protocol: bw+0 - {7810B763-919D-4E99-85D5-8487379E2F08} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: CWShredder Service - Unknown owner - C:\Documents and Settings\Stephen\Local Settings\Temporary Internet Files\Content.IE5\KDIJS9Y7\CWShredder[1].exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Hope everything is gone!!

#45
Guest_usetobe_*

Posted 15 July 2005 - 03:39 AM

Guest

Well it's been an epic journey for you.

From your log, I see nothing in the ways of trojans, nor any evil entities attempting to possess your computer, except for Windows but it's too late for that one. :tazz:

Congratulations your log now appears to be clean.

Here are some tips, to reduce the potential for spyware infection in the future, I strongly recommend installing the following applications:

Detect and Remove Programs:

How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

AntiVirus Program<= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kapersky, this is a must have.
Firewall<= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
More Secure Browser<= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox, however Opera and SlimBrowsers are good as well.