No start menu or desktop [CLOSED]


  • This topic is locked

#16
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Got you on those two applications.

2. I was already thinking about suggesting that you apply to join our School. I saw that you had no difficulty following instructions and suspected that you may have some PC knowledge already. One's resume always looks better when one states that they would like to help other people the way they themselves were helped. :tazz:

3. Now, could I please have a FULL log posted this time. ;) (See, now I am talking to you like a teacher)


Trevuren
  • 0



#17
Shayne_13

    Member

  • Topic Starter
  • Member
  • 26 posts
Unfortunately, I will be out of town for 3-4 days, so a lack of feedback on any replies is not because I don't care, it's because I'm not home :tazz:
  • 0

#18
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Send me a fresh HJT log upon your return and we will resume.

Hope you have fun

Regards,

Trevuren
  • 0

#19
Shayne_13

    Member

  • Topic Starter
  • Member
  • 26 posts
I'm back, so here is a fresh log :tazz:


Logfile of HijackThis v1.99.1
Scan saved at 10:39:36 AM, on 30/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Coffee\Desktop\hjt\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe" -l
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Coffee\Desktop\l2mfix\second.bat
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll
O9 - Extra button: 50 FREE MP3s! - {686C970F-1D7D-4469-85D1-4B35763B56CC} - http://www.emusic.com?fref=149133 (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8811D37-672A-41EF-A896-E63DAA4C99FA}: NameServer = 206.47.244.13 207.47.244.60
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
  • 0

#20
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Now scan with HJT and place a checkmark next to each of the following items:

C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
C:\Program Files\Visual Networks\Visual IP InSight\Sympatico Consumer\IPClient.exe
C:\Program Files\PSGuard\PSGuard.exe
C:\Documents and Settings\Coffee\Desktop\l2mfix\second.bat
C:\WINDOWS\svcproc.exe (file missing)



Using Windows Explorer, please locate and DELETE the following files/folders (with all their content), if they are still present:

C:\Program Files\MyWay<===Folder
C:\Program Files\Visual Networks\Visual IP InSight<===Folder
C:\Documents and Settings\Coffee\Desktop\l2mfix<===Folder
C:\WINDOWS\svcproc.exe


Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g., Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.

Let me know if any problems persist.

Regards,

Trevuren

  • 0

#21
Shayne_13

    Member

  • Topic Starter
  • Member
  • 26 posts
Sorry for the delay, I didn't receive e-mail notification that you had posted :tazz:

New HJT log :

Logfile of HijackThis v1.99.1
Scan saved at 2:59:15 PM, on 02/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\StealthBot\StealthBot v2.6R3.exe
C:\Program Files\mIRC\mirc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Coffee\Desktop\hjt\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [delfile] C:\delfiles.cmd
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\npjava131_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E8811D37-672A-41EF-A896-E63DAA4C99FA}: NameServer = 206.47.244.13 206.47.244.60
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

EWIDO REPORT
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:31:50 PM, 02/08/2005
+ Report-Checksum: 9451A85E

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{04079851-5845-4dea-848C-3ECD647AA554} -> Spyware.MySearchBar : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0494D0D1-F8E0-41ad-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0494D0D9-F8E0-41ad-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FB45C451-B0E9-4407-BB6A-9361013F3E9A} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Common.Buttons -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\dlIfile -> Spyware.AcidReign : Cleaned with backup
HKLM\SOFTWARE\Classes\dlIfile\shell -> Spyware.AcidReign : Cleaned with backup
HKLM\SOFTWARE\Classes\dlIfile\shell\open -> Spyware.AcidReign : Cleaned with backup
HKLM\SOFTWARE\Classes\dlIfile\shell\open\command -> Spyware.AcidReign : Cleaned with backup
HKLM\SOFTWARE\Classes\ImgConv.clsImgConv -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Classes\ImgConv.clsImgConv\Clsid -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2DDD90D6-F153-4EA7-A324-4B2D83D1027E} -> Spyware.HotBar : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{15E7D23B-736E-46FA-BFFD-CBEC4126BEFD} -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\{978C4EC7-60D1-4005-8CE0-D6A7169E36EA} -> Spyware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\saap -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\picsvr -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\saap -> Spyware.180Solutions : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick2 -> Spyware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick2\Internet Explorer -> Spyware.SurfSide : Cleaned with backup
HKU\S-1-5-21-448539723-688789844-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{04079851-5845-4DEA-848C-3ECD647AA554} -> Spyware.MySearchBar : Cleaned with backup
HKU\S-1-5-21-448539723-688789844-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-DD60-0064-6EC2-6E0100000000} -> Spyware.MediaMotor : Cleaned with backup
HKU\S-1-5-21-448539723-688789844-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000049-8F91-4D9C-9573-F016E7626484} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-448539723-688789844-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{04079851-5845-4DEA-848C-3ECD647AA554} -> Spyware.MySearchBar : Cleaned with backup
HKU\S-1-5-21-448539723-688789844-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D1-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
HKU\S-1-5-21-448539723-688789844-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
HKU\S-1-5-21-448539723-688789844-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{16B238D5-80DE-47CE-8F17-B3ECE2C2248D} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-448539723-688789844-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{302A3240-4805-4A34-97D7-1645A0B08410} -> Spyware.VX2 : Cleaned with backup
HKU\S-1-5-21-448539723-688789844-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
HKU\S-1-5-21-448539723-688789844-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{999A06FF-10EF-4A29-8640-69E99882C26B} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-448539723-688789844-1708537768-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9EB320CE-BE1D-4304-A081-4B4665414BEF} -> Spyware.PurityScan : Cleaned with backup
HKU\S-1-5-21-448539723-688789844-1708537768-1003\Software\Mvu -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-448539723-688789844-1708537768-1003\Software\picsvr -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-448539723-688789844-1708537768-1003\Software\saap -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Coffee\My Documents\My Received Files\netdevil.zip/Edit-server.exe -> Backdoor.NetDevil.15 : Cleaned with backup
C:\Documents and Settings\Coffee\My Documents\My Received Files\netdevil.zip/Net-Devil.exe -> Backdoor.NetDevil.15 : Cleaned with backup
C:\Documents and Settings\Coffee\My Documents\My Received Files\netdevil.zip/Server.exe -> Backdoor.NetDevil.15 : Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP179\A0153124.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP179\A0153125.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP180\A0154143.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP182\A0160206.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP187\A0171314.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP187\A0172224.exe -> Trojan.Puper.ag : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP187\A0172226.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP187\A0173238.exe -> Trojan.Puper.ag : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP187\A0173240.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP187\A0173250.exe -> Trojan.Puper.w : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP187\A0173264.EXE -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP187\A0173265.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP187\A0173266.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP187\A0173278.exe -> Trojan.Puper.ag : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP189\A0173790.exe -> Trojan.Favadd.af : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP189\A0173792.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP189\A0173793.exe -> Trojan.Agent.ff : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP191\A0174528.exe -> Trojan.Favadd.af : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP191\A0174530.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP191\A0174531.exe -> Trojan.Agent.ff : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP192\A0175019.exe -> Backdoor.ServU-based : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP192\A0175032.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP196\A0179224.exe -> Trojan.Favadd.af : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP196\A0179225.dll -> Trojan.Puper.t : Cleaned with backup
C:\System Volume Information\_restore{C59A5275-B140-4800-8A03-CC71CF5DD183}\RP196\A0179226.exe -> Trojan.Agent.ff : Cleaned with backup
C:\WINDOWS\AuroraHandler.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\m67m.ocx -> Spyware.MediaMotor : Cleaned with backup
C:\WINDOWS\empishq.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\gkrdjastcu.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\javex80.vxd/C:/WINDOWS/system32/nvms.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\javex80.vxd/C:/Program Files/NaviSearch/bin/nls.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\nsvsvc\nsv.ocx -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\system32\nsvsvc\nsvs.dll -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\system320nsx50 -> Spyware.HotSearchBar : Cleaned with backup


::Report End

PANDA SCAN
Incident Status Location

Adware:adware/cws.searchmeup No disinfected C:\WINDOWS\SYSTEM32\bose.ico
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\SYSTEM32\psis80ex.ax
Adware:adware/keenvalue No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Spyware:spyware/surfsidekick No disinfected C:\DOCUMENTS AND SETTINGS\COFFEE\APPLICATION DATA\Sskknwrd.dll
Adware:adware/ncase No disinfected C:\WINDOWS\180ax.log
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32a.sys
Spyware:spyware/adclicker No disinfected C:\WINDOWS\usta32.ini
Adware:adware/delfinmedia No disinfected C:\WINDOWS\SYSTEM32\nsvsvc
Adware:adware/savenow No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\nsv
Spyware:spyware/media-motor No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\MODULEUSAGE\C:/WINDOWS/DOWNLOADED PROGRAM FILES/M67M.OCX
Adware:adware/myway No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\MY WAY SPEEDBAR UNINSTALL
Adware:adware/psguard No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\PSGUARD SPYWARE REMOVER
Adware:adware/wupd No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\WEBSPECIALS
Spyware:spyware/betterinet No disinfected HKEY_CURRENT_USER\SOFTWARE\IN3RD
Adware:adware/navipromo No disinfected HKEY_CURRENT_USER\SOFTWARE\MC
Adware:adware/wintools No disinfected HKEY_LOCAL_MACHINE\SYSTEM\CONTROLSET001\ENUM\ROOT\LEGACY_TBPSSVC
Spyware:spyware/altnet No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TOPSEARCH.TSLINK
Adware:adware/p2pnetworking No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\P2P NETWORKING
Adware:adware/aurora No disinfected HKEY_CLASSES_ROOT\CLSID\{4AA870AC-8427-42A4-B92E-ECD956197489}
Adware:adware/looksmart No disinfected HKEY_CLASSES_ROOT\TypeLib\{EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971}
Adware:adware/mediatickets No disinfected HKEY_CLASSES_ROOT\TypeLib\{5530D356-0063-41B9-B20D-E9D799E8D907}
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Coffee\Application Data\tcte.exe
Adware:Adware/PurityScan No disinfected C:\Program Files\aesc\tcte.exe
Spyware:Spyware/Media-motor No disinfected C:\WINDOWS\Downloaded Program Files\m67m.inf
Spyware:Spyware/SafeSurf No disinfected C:\WINDOWS\system32\InstallerV3.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\psis80ex.ax[mscb.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[bb_welcome1.swf]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[bb_welcome.html]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[icon.gif]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[cashback.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[cb.exe]
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\psis80ex.ax[flash.exe]
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\r?gsvr32.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Virus:Trj/Downloader.CGX Disinfected C:\WINDOWS\system32\tcte.exe
Adware:Adware/FindWhatever No disinfected C:\WINDOWS\system32\unregister.exe
Virus:W32/Smitfraud.C Disinfected C:\WINDOWS\system32\wininet.old
  • 0
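As an added example (not part of this thread, and not HijackThis's own code), the Python script below parses the "Oxx - ..." entry format of the two HJT logs above, flags the kinds of entries Trevuren singled out (missing files, a service with no owner, a Winlogon Notify hook, autostarts that run from a user profile or run a script), and diffs the before/after logs the way a helper checks that a cleanup took effect. The sample lines are a constructed subset copied from the logs in this thread; the rule names and thresholds are my own heuristics, not HijackThis output.

```python
"""Triage of HijackThis-style log entries (added example; not HijackThis code)."""
import re
from dataclasses import dataclass

# HijackThis entry line: section tag (R0, O4, O23, ...), ' - ', then the body.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Locations from which an autostart is rarely legitimate on a home machine (heuristic).
USER_DIRS = ("\\documents and settings\\", "\\desktop\\", "\\application data\\", "\\temp\\")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    entry: str


def parse_entry(line):
    """Return (section, body) for an entry line, or None for headers, process list, blanks."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("sec"), m.group("body")) if m else None


def o4_target(body):
    """Program or script launched by an O4 Run/RunOnce entry, lower-cased, arguments dropped.
    Startup-folder O4 entries carry no [name] label and yield '' (not inspected here)."""
    _, sep, cmd = body.partition("]")
    if not sep:
        return ""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take everything up to the closing quote
        return cmd[1:cmd.find('"', 1)].lower()
    target = []
    for tok in cmd.split():
        if tok.startswith(("/", "-")):           # first switch marks the start of the arguments
            break
        target.append(tok)
    return " ".join(target).lower()


def triage(lines):
    """Apply the review heuristics to every entry line; returns a list of Finding."""
    findings = []
    for raw in lines:
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        sec, body = parsed
        low, entry = body.lower(), raw.strip()
        if "(file missing)" in low:
            findings.append(Finding(sec, "orphaned entry: target file is missing", entry))
        if sec == "O23" and "unknown owner" in low:
            findings.append(Finding(sec, "service with no publisher information", entry))
        if sec == "O20":
            findings.append(Finding(sec, "Winlogon Notify DLL loads at every logon; verify it", entry))
        if sec == "O4":
            target = o4_target(body)
            if any(d in target for d in USER_DIRS):
                findings.append(Finding(sec, "autostart launched from a user profile directory", entry))
            if target.endswith(SCRIPT_EXT):
                findings.append(Finding(sec, "autostart runs a script rather than a program", entry))
    return findings


def diff_logs(before, after):
    """Entries removed and entries newly present between two logs (the post-cleanup check)."""
    b = {l.strip() for l in before if parse_entry(l)}
    a = {l.strip() for l in after if parse_entry(l)}
    return sorted(b - a), sorted(a - b)


# Constructed subset of the first HJT log posted in this thread.
LOG_BEFORE = r"""
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\2.bin\MYBAR.DLL (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\Run: [second] C:\Documents and Settings\Coffee\Desktop\l2mfix\second.bat
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
""".strip().splitlines()

# Constructed subset of the second log, posted after the cleanup steps.
LOG_AFTER = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [delfile] C:\delfiles.cmd
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nRemoved by cleanup:", *removed, sep="\n  ")
    print("New since cleanup:", *added, sep="\n  ")
```

The diff shows the MyWay toolbar, PSGuard and second.bat entries gone and a new RunOnce script, while the SvcProc service and the O20 hook survive, which is exactly what the next post in the thread goes after.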

#22
Shayne_13

    Member

  • Topic Starter
  • Member
  • 26 posts
I am still without a desktop, Explorer is still booting in a window, nothing else is a problem though, I can live with using TM to start explorer.exe if I close the window by mistake. However, a desktop and start menu would be nice :tazz:
  • 0

#23
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We want to stop, disable and delete an added service (O23)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>Service: System Startup Service (SvcProc)
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT
2. Click on Config>>Misc Tools>>Delete an NT Service
3. Type SvcProc in the space provided and click OK
4. The program will ask you to REBOOT --- Accept
5. REBOOT into SAFE MODE
6. Using Windows Explorer, locate and DELETE the following file (if it still is present):
C:\WINDOWS\svcproc.exe
7. REBOOT back into Normal Mode



Now let's see about a Desktop:

Right click on http://www.greyknigh...pairDesktop.reg and download that file. Double click on it and click on Yes when it asks you if you want to merge it into the registry. Once that's done, restart your computer.

Login as usual and now right click on your Desktop and go to Properties. Next go to Desktop tab->Customize Desktop button->Web tab. Uncheck everything listed there. Then delete all the entries listed except for 'My Current Home Page'. Click OK and OK.


Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review. (There is a lot more junk to get rid of)

Regards,

Trevuren

  • 0

#24
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
