Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Intell32 and psguard...attacking my computer! [CLOSED]

Started by bbrooke726 , Jul 25 2005 11:24 PM

  • This topic is locked This topic is locked

#1
bbrooke726
Posted 25 July 2005 - 11:24 PM

bbrooke726

    New Member

  • Member
  • Pip
  • 9 posts
Ok, so I've run Ad-aware and my virus scanner. It deleted some stuff, but apparently not enough. The ad-aware scan said it couldn't delete shnlog.exe and intmonp.exe from C:/winnt/system32, so I tried to end the processes myself. No luck. So then I tried running pskill on the processes, but that didn't work either. When I try to go in and actually delete the files, it tells me I can't because they are being used. I also deleted the psguard application, but it's back. Not sure how to get rid of this thing either. I have annoying things on the bottom right bar that keep telling me my computer is infected. I haven't clicked on them because I'm afraid it will just do more damage. Any help would be greatly appreciated. Thanks in advance.

Here's my logfile.

Logfile of HijackThis v1.99.1
Scan saved at 1:48:11 AM, on 7/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\msole32.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINNT\system32\intmon.exe
C:\WINNT\system32\intell32.exe
C:\WINNT\popuper.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\intmonp.exe
C:\WINNT\system32\shnlog.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Brittany Garrison\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp94BA.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Brittany Garrison\Local Settings\Temporary Internet Files\Content.IE5\892ZCPMZ\MSCONFIG[1].EXE /auto
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINNT\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O18 - Protocol: bw+0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe
  • 0

Advertisements

#2
greyknight17
Posted 26 July 2005 - 09:17 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Download smitRem.zip at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.
Unzip the file to it's own folder on the desktop.

Please download the trial version of Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.oneclicks...es.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.oneclicks...earch.php?qq=%1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.oneclicks...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.oneclicks...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.oneclicksearches.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hp94BA.tmp
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Brittany Garrison\Local Settings\Temporary Internet Files\Content.IE5\892ZCPMZ\MSCONFIG[1].EXE /auto
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINNT\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard spyware remover] C:\Program Files\PSGuard\PSGuard.exe

I want you to check and fix ALL the O18 entries below that are related to Logitech except for the first line (see below). Leave that one unchecked:

O18 - Protocol: bw+0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

Open the smitRem folder and double click on the RunThis.bat file to start the tool. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

Delete these if found:

C:\WINNT\system32\msole32.exe
C:\WINNT\system32\intmon.exe
C:\WINNT\system32\intell32.exe
C:\WINNT\popuper.exe
C:\WINNT\system32\intmonp.exe
C:\WINNT\system32\shnlog.exe
C:\WINNT\system32\hp94BA.tmp
C:\WINNT\system32\msmsgs.exe
C:\Program Files\PSGuard\

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log and post it along with a new HijackThis log, the contents of the smitfiles.txt log and the Ewido log (if you ran it).
  • 0

#3
bbrooke726
Posted 28 July 2005 - 07:40 PM

bbrooke726

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hijack this logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:07:37 PM, on 7/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Documents and Settings\Brittany Garrison\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Brittany Garrison\Local Settings\Temporary Internet Files\Content.IE5\892ZCPMZ\MSCONFIG[1].EXE /auto
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Protocol: bw+0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe

--------------------------------
Ewido Scan

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:31:14 PM, 7/28/2005
+ Report-Checksum: 88498E8B

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
[488] C:\WINNT\uninstIU.exe -> Trojan.Small.ev : Cleaned with backup
[476] C:\WINNT\uninstIU.exe -> Trojan.Small.ev : Error during cleaning
[440] C:\WINNT\uninstIU.exe -> Trojan.Small.ev : Error during cleaning
C:\Documents and Settings\Brittany Garrison\Desktop\ADOBE.PHOTOSHOP.CS2\Goodies\PROGRAMS & EXTRA STUFF\WinZip 9.0.6224-SR1.zip/WinZip 9.0.6224-SR1/WinZip-KEY-GEN.exe -> TrojanDropper.Delf.fl : Cleaned with backup
C:\Program Files\Common Files\GMT\GatorStubSetup.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\GMT\GUninstaller.exe -> Adware.Gator : Cleaned with backup
C:\WINNT\uninstIU.exe -> Trojan.Small.ev : Cleaned with backup


::Report End

-------------------------
Panda Software Scan


Incident Status Location

Adware:adware/twain-tech No disinfected C:\WINNT\smdat32a.sys
Adware:adware/gator No disinfected C:\PROGRAM FILES\COMMON FILES\CMEII
Adware:adware/psguard No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\SHUDDERLTD\PSGUARD
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Spyware:spyware/altnet No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\TOPSEARCH.TSLINK
Adware:adware/myway No disinfected HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Adware:adware/looksmart No disinfected HKEY_CLASSES_ROOT\TypeLib\{EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971}
Adware:adware/searchexe No disinfected HKEY_CLASSES_ROOT\Interface\{72423E8F-8011-11D2-BE79-00A0C9A83DA3}
Virus:Trj/Downloader.AEE No disinfected C:\counter.cab[counter.exe]
Virus:Trj/Downloader.AEE No disinfected C:\counter.cab[counter.inf]
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\GMT\egIEEngine.dll
***it said it couldn't delete these??

-------------------------------------
Smitfiles log


smitRem log file
version 2.2

by noahdfear

The current date is: Thu 07/28/2005
The current time is: 19:38:34.11

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

intell32.exe
oleext.dll
wppp.html
ole32vbs.exe
intmon.exe
hhk.dll
logfiles


~~~ Windows directory ~~~

uninstIU.exe
sites.ini
popuper.exe


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

oleext.dll


~~~ Windows directory ~~~

uninstIU.exe


~~~ Drive root ~~~



~~~ Wininet.dll ~~~

wininet.dll INFECTED!! Starting replacement procedure.


~~~~ Looking for C:\WINNT\system32\dllcache\wininet.dll ~~~~


~~~~ C:\WINNT\system32\dllcache\wininet.dll Present! ~~~~


~~~~ Checking dllcache\wininet.dll for infection ~~~~


~~~~ dllcache\wininet.dll Clean! ~~~~

~~~ Replaced wininet.dll from dllcache ~~~



~~~ Upon reboot ~~~

wininet.old present!
oleadm.dll not present!
oleext.dll present!


~~~ Upon completion ~~~

wininet.old not present!
oleadm.dll not present!
oleext.dll not present!


~~~~ Rechecking C:\WINNT\system32\wininet.dll for infection ~~~~


~~~~ C:\WINNT\system32\wininet.dll Clean! :tazz: ~~~~
  • 0

#4
greyknight17
Posted 28 July 2005 - 10:11 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Yes, we'll delete them now. For one of these, I need you to run another tool. It's not for the public yet (as far as I know), so email me asking for the file (my email is in my profile). Give me a link back to your topic here so I know what the email is for. Do the following fixes in the meantime. Run that file that I will email you at the very end of all this:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ and delete MAGNET

HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\ and delete TOPSEARCH.TSLINK

HKEY_CLASSES_ROOT\CLSID\ and delete {66FC8717-EFA7-4546-8C4A-E224F3A80C76}

HKEY_CLASSES_ROOT\TypeLib\ and delete {EDD3B3E9-3FFD-4836-A6DE-D4A9C473A971}

HKEY_CLASSES_ROOT\Interface\ and delete {72423E8F-8011-11D2-BE79-00A0C9A83DA3}

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Delete these if found:

C:\WINNT\smdat32a.sys
C:\PROGRAM FILES\COMMON FILES\CMEII\
C:\counter.cab
C:\Program Files\Common Files\GMT\
C:\WINNT\uninstIU.exe

Why is this running from the temp folder? Do use that msconfig program? If so, take it out of the temp folder now.

O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Brittany Garrison\Local Settings\Temporary Internet Files\Content.IE5\892ZCPMZ\MSCONFIG[1].EXE /auto

Run that file I will email you....email me first...

Restart and post a new log for HijackThis and Panda.
  • 0

#5
bbrooke726
Posted 01 August 2005 - 12:33 PM

bbrooke726

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ran the CleanUp thing, HijackThis and the Panda scan thing. The cleanup and hijack scans worked fine (the hijack logfile is below), but the Panda one keeps failing and closing out IE. It stops at the same place everytime. I've run it probably 3-4 times. And everytime it gets about 70% done and then just freezes on this one file. Not sure what to do about that...

Logfile of HijackThis v1.99.1
Scan saved at 2:59:58 PM, on 8/1/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Brittany Garrison\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\Brittany Garrison\Local Settings\Temporary Internet Files\Content.IE5\892ZCPMZ\MSCONFIG[1].EXE /auto
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Protocol: bw+0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe
  • 0

#6
greyknight17
Posted 01 August 2005 - 07:01 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I don't recall you replying back to me regarding the other tool I want you to run.

For the Panda scan, do you remember what folder (or file) it freezes on each time?

Still with the msconfig program. Move it out of the temp folder now. It shouldn't be there. Save it somewhere else.
  • 0

#7
bbrooke726
Posted 01 August 2005 - 09:05 PM

bbrooke726

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Are you talking about the program that you emailed me?

If so, I pm'd you the logfile. I can send it again though, in case I didn't send it correctly or something.

About the msconfig file, it tells me the path is incorrect. (I can follow the path up to Content.IE5, but after that it can't find the folder it says it's in. You told me to run CleanUp to get rid of it. So, I did, but I guess it didn't? Because I ran the HijackThis after I ran the clean up thing.
  • 0

#8
greyknight17
Posted 01 August 2005 - 10:17 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No problem. Email me that log again then. Just to verify it's ok :tazz:

Yes, if CleanUp was ran, it should be deleted by now. Just fix that O4 entry for msconfig in HijackThis then. If you want, download that msconfig program again and save it somewhere else besides your temp folder (nothing important should be in there).

How about my question regarding Panda? When does it freeze on you?
  • 0

#9
bbrooke726
Posted 02 August 2005 - 03:47 AM

bbrooke726

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ok, emailed you the log. :tazz:

I ran HijackThis and tried to fix that msconfig one, but nothing happened.

Oh yeah, almost forgot about Panda, hah. Sorry. When it stops it has something like [0000000][000000].txt or something like that. I could run it again to find out the exact name. But it doesn't give a full path, only the file name.
  • 0

#10
greyknight17
Posted 02 August 2005 - 07:51 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I got the log :tazz: Thanks. It's clean.

See if you can do a search for that filename. If it can't be found, then we will need to try something else.

Try running these instead:
Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.
  • 0

Advertisements

#11
bbrooke726
Posted 09 August 2005 - 07:29 AM

bbrooke726

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Sorry it's taken me so long to respond (last week was finals week, so I was basically living at the library).

Anyways, I ran the TrendMicro Scan and it was clean.

The other one is running right now. When I'd left for work it had found something like 24 infected files I think. Anyways, I'm guessing it will be done when I get back and I'll post the log then.

Oh, and I did a search on the msconfig file....can't find it.

Sorry again about the delay...
  • 0

#12
greyknight17
Posted 09 August 2005 - 09:20 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
That's ok, I understand. Gotta finish up them finals to graduate (or move on up to the next level if you're not graduating yet) :tazz:

I'll take a look at the log when you're ready. We might have to run a few more tests also since it's been a week since you did anything on it.
  • 0

#13
bbrooke726
Posted 09 August 2005 - 06:33 PM

bbrooke726

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Ok, here's the log from the mwav app...

File C:\Documents and Settings\Brittany Garrison\Desktop\PsKill.zip tagged as not-a-virus:RiskTool.Win32.PsKill.110. No Action Taken.
Object "MyBar Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "Claria Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\DOCUME~1\BRITTA~1\LOCALS~1\Temp\_ISTMP3.DIR\_ISTMP0.DIR\dummy.txt". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\DOCUME~1\BRITTA~1\LOCALS~1\Temp\_ISTMP3.DIR\_ISTMP0.DIR\FTPInstUtils.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\DOCUME~1\BRITTA~1\LOCALS~1\Temp\_ISTMP3.DIR\_ISTMP0.DIR\whatsnew.txt". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{01111F00-3E00-11D2-8470-0060089874ED}" refers to invalid object "C:\Program Files\support.com\bin\tgctlins.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{01112B00-3E00-11D2-8470-0060089874ED}" refers to invalid object "C:\Program Files\support.com\bin\tgrc.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1B09DB64-6967-11D4-99CE-0090278EF9D3}" refers to invalid object "C:\Program Files\support.com\bin\tgctlins.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{43918f8f-f3be-4760-b4bb-6c89d9d91487}" refers to invalid object "C:\Program Files\Winamp3\Wacs\cddbcontrolwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{44b09a5f-5dee-4539-8001-d4b2d45c2876}" refers to invalid object "C:\Program Files\Winamp3\Wacs\cddbcontrolwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{787DEC39-69D0-40B3-B173-E0411C59B300}" refers to invalid object "C:\Program Files\PSGuard\WndLayer.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{96632d1e-f3eb-4f54-ba79-9969692db659}" refers to invalid object "C:\Program Files\Winamp3\Wacs\cddbuiwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{9EFBF860-5685-11D3-AA3D-00C04F4C5275}" refers to invalid object "cdooff.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A4845882-333F-11D0-B724-00AA0062CBB7}" refers to invalid object "C:\WINNT\System32\WBEM\WBEMSTUB.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B7156514-A76C-4545-9D5B-A4E1D02C7AEC}" refers to invalid object "C:\Program Files\Kazaa\Topsearch.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{bbc34410-789a-11d0-a12e-000040400505}" refers to invalid object "ftpshext.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{d4387178-98ca-4929-b8e3-a11cd2f333a6}" refers to invalid object "C:\Program Files\Winamp3\Wacs\cddbcontrolwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{E07D3492-32B5-11D0-B724-00AA0062CBB7}" refers to invalid object "C:\WINNT\System32\WBEM\WBEMSTUB.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{EEC6993A-B3FD-11D2-A916-00C04FB98638}" refers to invalid object "pid.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{fba38bcf-e23d-4979-811e-1326bbadb8c8}" refers to invalid object "C:\Program Files\Winamp3\Wacs\cddbcontrolwinamp.dll". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\MSASR.Direct3dTexture.1" refers to invalid object "{40C62BC8-E508-7012-A673-386A68DD538A}". Action Taken: No Action Taken.
File C:\Documents and Settings\Brittany Garrison\Desktop\PsKill.zip tagged as not-a-virus:RiskTool.Win32.PsKill.110. No Action Taken.
File C:\pskill.exe tagged as not-a-virus:RiskTool.Win32.PsKill.110. No Action Taken.


Hope this helps.....just let me know whatever other kind of tests you need me to run. Thanks!
  • 0

#14
greyknight17
Posted 10 August 2005 - 07:05 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
This one should be ok. I want you to run a registry cleaner.

*Download RegSeeker http://www.hoverdesk.net/freeware.htm and install it.
*Click on 'Clean The Registry' in the left panel.
*Check all boxes (make sure the backup box in the lower left corner is selected!).
*After it runs, click 'Select All' on the bottom. Then right-click on any selected item in the window and select 'Delete Selected Items'.
*Click 'Quit RegSeeker'.

Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run RegSeeker again. Do the same thing again if anything is found. You may have to run RegSeeker 5 - 6 times, but you want it showing none to very few items.

*Make sure to reboot between each use of the program.

After you do that, restart and post a new HijackThis log.
  • 0

#15
bbrooke726
Posted 28 August 2005 - 11:45 AM

bbrooke726

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I ran the RegSeeker about 6 times, but the same 7 keep showing up and not deleting. But here's the hijack this log.



Logfile of HijackThis v1.99.1
Scan saved at 2:09:32 PM, on 8/28/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\WZCBDL Service\WZCBDLS.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\wuauclt.exe
C:\Documents and Settings\Brittany Garrison\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\Updreg.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link Air USB Utility] C:\Program Files\D-Link\Air USB Utility\AirCFG.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O18 - Protocol: bw+0 - {422D0F44-298C-4A0D-AB43-4A24C7AFEAB4} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
O23 - Service: WZCBDL Service (WZCBDLService) - D-Link - C:\Program Files\WZCBDL Service\WZCBDLS.exe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP