Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

VX2 and Aurora

Started by nwyankee , Aug 02 2005 09:03 PM

  • Please log in to reply

#1
nwyankee
Posted 02 August 2005 - 09:03 PM

nwyankee

    New Member

  • Member
  • Pip
  • 6 posts
Here's my log:
Logfile of HijackThis v1.99.1
Scan saved at 8:01:37 PM, on 8/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
c:\windows\system32\plxomxx.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Lavasoft\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.pacif...m/src/login.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsd2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [HDAudio Driver 1.0] C:\WINDOWS\System32\kykjhh.exe
O4 - HKLM\..\Run: [HDAudio Driver 2.0] C:\WINDOWS\System32\pmqsaty.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\JOHNDA~1\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [td9tnkft] C:\WINDOWS\System32\td9tnkft.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [tngszbs] c:\windows\system32\plxomxx.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121217557698
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4FADFC3-586A-4B33-80C7-18205B92D2F5}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Thanks a million!
  • 0

Advertisements

#2
rstones12
Posted 02 August 2005 - 09:28 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
nwyankee,

Welcome to the GTG Forums, I will be reviewing your HJT log.
Please read "ALL" of the instructions before proceeding:

You may want to print out these instructions for a reference or you can
save them by copying and pasting them into notepad and saving the text file to the desktop.

This process will take a few steps, please take your time and follow the directions in the order posted.
If you dont understand something please ask before performing any task..

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download CleanUp
Install the program, dont run it yet, we will later.

Please download this file: Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

Download dsrfix.zip
Save it to your desktop.
  • Unzip dsrfix.zip and extract it to your desktop.
  • This will create a new folder on your desktop named dsrfix.
  • Do Not open that folder yet.
Please download APT and unzip the contents to a new folder on your desktop.
  • Open the folder you just created and click on apt.exe and search in the window for c:\windows\system32\plxomxx.exe.
  • Open your C:\Windows\system32 folder and search for plxomxx.exe.
    Don't delete it yet, just leave the system32 folder open so you can see the bad file.
  • In APT again, Select c:\windows\system32\plxomxx.exe and Click Kill3
  • Then immediately delete plxomxx.exe from your system32 folder.
Close APT.

To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, start tapping press F8 key.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Now scan with HJT and place a checkmark next to each of the following items:

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsd2.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\System32\richedtr.dll

O4 - HKLM\..\Run: [HDAudio Driver 1.0] C:\WINDOWS\System32\kykjhh.exe
O4 - HKLM\..\Run: [HDAudio Driver 2.0] C:\WINDOWS\System32\pmqsaty.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\JOHNDA~1\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [td9tnkft] C:\WINDOWS\System32\td9tnkft.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [tngszbs] c:\windows\system32\plxomxx.exe r

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

Now open the folder dsrfix on your desktop.
  • Double-Click on dsrfix.bat
  • A window will pop up briefly then close, this is normal.
Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

Now using Windows Explorer find and remove the following folders/files if present:
C:\WINDOWS\System32\nsd2.dll
C:\WINDOWS\System32\richedtr.dll
C:\WINDOWS\System32\kykjhh.exe
C:\WINDOWS\System32\pmqsaty.exe
C:\WINDOWS\System32\richup.exe
C:\DOCUME~1\JOHNDA~1\LOCALS~1\Temp\sysnet.exe
C:\WINDOWS\System32\td9tnkft.exe
c:\windows\system32\plxomxx.exe

Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the ewido report log from the Ewido scan by using Add Reply

Thanks,
rstones12
  • 0

#3
nwyankee
Posted 03 August 2005 - 04:46 PM

nwyankee

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Sorry for taking so long to follow through, I had some unexpected work duties.

Ewido Log:
+ Created on: 3:09:49 PM, 8/3/2005
+ Report-Checksum: 69071BDD

+ Scan result:

:mozilla.6:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.8:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.11:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.12:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.13:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.36:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.50:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.52:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.53:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.54:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.56:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.57:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.58:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.59:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.60:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.62:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.79:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.97:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.110:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.111:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.112:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.113:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.114:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.115:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.119:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.120:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.125:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.134:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.135:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.136:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.137:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.138:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.139:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.140:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.153:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.154:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.155:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.156:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.157:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.159:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.160:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.161:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.162:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.163:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.164:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.184:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.185:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.186:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.211:C:\Documents and Settings\John\Application Data\Mozilla\Firefox\Profiles\bcrzkb74.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\John\Cookies\john@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\John\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temp\dmfcppmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temp\fckkmpjc.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temp\ficcppmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temp\jepfmpmd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temp\kokndhld.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temp\lmlhbpjd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temp\mjhlhomd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temp\mpgnjngd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temp\nojkoknd.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temp\pifbfcod.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temp\pmpcomod.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\John\Local Settings\Temp\snuninst.exe -> TrojanSpy.Bancos.ds : Cleaned with backup
C:\DRIVERS\VIDEO\ONBOARD\IGFXTRAY.EXE -> TrojanDropper.Paradrop.a : Cleaned with backup
C:\I386\igfxtray.exe -> TrojanDropper.Paradrop.a : Cleaned with backup
C:\RECYCLER\NPROTECT\00018125.exe -> Adware.BetterInternet : Cleaned with backup
C:\RECYCLER\NPROTECT\00018127.dll -> Adware.SAHA : Cleaned with backup
C:\RECYCLER\NPROTECT\00018246.exe -> Adware.SAHA : Cleaned with backup
C:\RECYCLER\NPROTECT\00018247.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP101\A0002684.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP101\A0002902.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP102\A0002912.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP103\A0002988.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP103\A0003033.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP103\A0003110.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP104\A0003126.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP104\A0003235.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP64\A0001757.exe -> TrojanDownloader.Small.aaq : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP64\A0001778.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP64\A0001785.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP64\A0001786.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP64\A0001831.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP65\A0001851.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP65\A0001864.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP66\A0001886.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP69\A0001922.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP69\A0001923.exe -> TrojanDownloader.Agent.qq : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP69\A0001924.exe -> TrojanDownloader.Agent.qq : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP69\A0001926.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP69\A0001928.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP69\A0001931.DLL -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP69\A0001934.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP69\A0001981.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP70\A0002022.dll -> TrojanDownloader.Agent.li : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP70\A0002024.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP79\A0002055.dll -> TrojanDownloader.Agent.li : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP89\A0002108.dll -> TrojanDownloader.Agent.li : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP90\A0002116.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP90\A0002120.dll -> TrojanDownloader.Agent.li : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP90\A0002127.exe -> TrojanDownloader.Agent.qu : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP94\A0002144.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP96\A0002264.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP99\A0002364.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP99\A0002446.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\dinst.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\jcnpbchao.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\lqezwwa.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\nph008cp.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\SYSTEM\Loader.dll -> TrojanDownloader.Agent.li : Cleaned with backup
C:\WINDOWS\SYSTEM32\bwvbdt.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\SYSTEM32\csvgbd.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\SYSTEM32\igfxtray.exe -> TrojanDropper.Paradrop.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\jjmzmmk.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\SYSTEM32\lgvi.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\SYSTEM32\mlvgxiz.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsd2.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\pqyiwef.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\SYSTEM32\prkbvnz.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\SYSTEM32\qbnpj.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\SYSTEM32\qqpzcmj.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\SYSTEM32\redtrsha.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\SYSTEM32\richup.exe -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\SYSTEM32\td9tnkft.exe -> Adware.Saha : Cleaned with backup
C:\WINDOWS\SYSTEM32\tvqhv.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\SYSTEM32\umch.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\SYSTEM32\uvifrqq.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\SYSTEM32\wrefxtb.exe -> TrojanDownloader.Small.ayl : Cleaned with backup
C:\WINDOWS\SYSTEM32\xgppkg.exe -> TrojanDownloader.Small.ayl : Cleaned with backup


::Report End


Hijack This Log:
Logfile of HijackThis v1.99.1
Scan saved at 3:39:10 PM, on 8/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Lavasoft\Hijack This\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.pacif...m/src/login.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121217557698
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4FADFC3-586A-4B33-80C7-18205B92D2F5}: NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Thanks again.
  • 0

#4
nwyankee
Posted 03 August 2005 - 04:49 PM

nwyankee

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
One other question...it seems like everyone here uses ewido in their fixes. Do you recommend buying the product rather than just the 14 day trial for future protection?
Thanks!
  • 0

#5
rstones12
Posted 03 August 2005 - 07:22 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
nwyankee,

Good job on that. In regards to ewido, personally I think it is a great program. I think most if not all of the staff would agree... :tazz:

The choice is up to you if you would like to purchase the program, here is a link to features and benefits of ewido security suite. If you are asking for my recommendation I would say yes, I have it installed on my system as well.

http://www.ewido.net/en/features/

We have a few things left to do...

Download FindIt's.zip to your desktop: http://forums.net-integration.net/index.ph...=post&id=142443
  • Create a new folder on your desktop
  • Unzip/extract the files inside that folder you created on your desktop.
  • Open the folder and run FindIt's.bat and wait for notepad to open a text file. It may take awhile so please be patient ...
  • Then post the results here along with a new HJT log by using Add Reply
Thanks,
rstones12
  • 0

#6
nwyankee
Posted 03 August 2005 - 07:49 PM

nwyankee

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Find It:

Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 08/03/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first


»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

* SAHAgent C:\WINDOWS\System32\47DVAKAP.INI
* SAHAgent C:\WINDOWS\System32\NPH008CP.INI
* SAHAgent C:\WINDOWS\System32\TD9TNKFT.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is E04B-284B

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is E04B-284B

Directory of C:\WINDOWS\system32

07/13/2005 09:27 PM 3,262 bose.ico
07/13/2005 09:27 PM 3,262 kmart.ico
07/28/2005 01:26 AM 3,262 sony psp1.ico
07/28/2005 01:27 AM 19,942 virushunter4.ico
07/28/2005 01:26 AM 3,262 xboxab.ico
5 File(s) 32,990 bytes
0 Dir(s) 22,926,602,240 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».

Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 6:47:01 PM, on 8/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://webmail.pacif...m/src/login.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.dell.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program

Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -

C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator

5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check]

C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec

Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.micros.../client/wuweb_s

ite.cab?1121217557698
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai...icro.com/housec

all/xscan53.cab
O17 -

HKLM\System\CCS\Services\Tcpip\..\{D4FADFC3-586A-4B33-80C7-18205B92D2F5}:

NameServer = 209.244.0.3 209.244.0.4
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation

- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program

Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec

Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec

Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton

AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


I'll definitely invest in helping you guys out and ewido then. I ran AdAware after my last reply (after the fixes) and there was still one VX2 file. Will that die with time as well or does that require a different fix.
Thanks!
  • 0

#7
rstones12
Posted 03 August 2005 - 10:03 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
nwyankee,

OK a few things to do: When you ran Ad-Aware what was the file name and path that it gave for infection??

You can do this as well, find the file and let me know the following:

Name
Size
Date Created
Modified

DO NOT click on the file...!!

Now lets do the following:

Please download Pocket Killbox
Click Here to download Pocket Killbox by Option^Explicit.
Unzip the program and save it to your desktop, dont run it just yet.


Now lets run Killbox
  • Double-click on Killbox.exe to start the program.
  • In the killbox program, select the Delete on Reboot option.
  • In the field labeled Full Path of File to Delete enter the file paths listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure!):

C:\WINDOWS\System32\47DVAKAP.INI
C:\WINDOWS\System32\NPH008CP.INI
C:\WINDOWS\System32\TD9TNKFT.INI
C:\WINDOWS\system32\bose.ico
C:\WINDOWS\system32\kmart.ico
C:\WINDOWS\system32\sony psp1.ico
C:\WINDOWS\system32\virushunter4.ico
C:\WINDOWS\system32\xboxab.ico
  • Press the button that looks like a red circle with a white X in it after each one.
  • When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button.
  • Do this after each one until you have entered the LAST file path I have listed above.
  • After that LAST file path has been entered, press the YES button at both prompts so that your computer restarts.
  • If you receive a message and your computer does not restart automatically, please restart it manually.
Once you have rebooted your system post back a new HJT log by using Add Reply
In Notepad select Format and uncheck Wordwrap.

Thanks,
rstones12
  • 0

#8
nwyankee
Posted 04 August 2005 - 12:27 AM

nwyankee

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Ok, I lied. I deleted the infections when I ran AdAware earlier, and now after multiple re-scans it can't find VX2 or anything else bad. Sorry for the scare.

Logfile of HijackThis v1.99.1
Scan saved at 11:21:21 PM, on 8/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Lavasoft\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.pacif...m/src/login.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1121217557698
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • 0

#9
rstones12
Posted 04 August 2005 - 12:36 AM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
nwyankee,

You HJT log looks good, how are things running??

Thanks,
rstones12
  • 0

#10
nwyankee
Posted 04 August 2005 - 04:40 PM

nwyankee

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Things are running like normal now. Thanks a million!
  • 0

#11
rstones12
Posted 04 August 2005 - 08:48 PM

rstones12

    Malware Expert

  • Retired Staff
  • 3,731 posts
nwyankee,

You are welcome, glad to help out... :tazz:

Please take some time and read through the following information..

Here are some items that you will want to add to your to-do list:

These are some tips to reduce the potential for Spyware/Adware/Virus infection in the future:
I would strongly recommend reviewing and installing the following applications if you dont currently have them running on your system:

Use Anti-Virus Software
It is very important that your computer has Anti-Virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online and stand-alone Anti-Virus programs:
Virus, Spyware, and Malware Protection and Removal Resources

Update your AntiVirus Software
It is imperitive that you update your Anti-Virus software at least once a week (Even more if you wish). If you do not update your Anti-Virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall
I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls

Spyware/Adware Detection and Removal Programs:
Understanding Spyware, Browser Hijackers, and DialersAd-Aware SEIf you suspect that you have spyware installed on your computer, here are instructions on how to setup and use Ad-Aware SE
How to use Ad-Aware SE to remove Spyware
[/list]Spybot S&DIf you suspect that you have spyware installed on your computer, here are instructions on how to setup and use Spybot S&D
How to use Spybot to remove Spyware
[/list]I strongly recommend using both of these programs to catch most spyware/adware

Prevention Programs:
  • SpywareBlaster -- SpywareBlaster will prevent spyware from being installed.
  • SpywareGuard -- SpywareGuard offers realtime protection from spyware installation attempts.
  • IE/Spyad -- IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts File -- The MVPS Hosts File replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
  • Google Toolbar -- Get the free Google Toolbar to help stop pop up windows.
Other Necessary Programs:
  • A More Secure Browser
    Internet Explorer is not the most secure and best browser.
    There are safer and better alternatives available. I recommend using Firefox
Be sure to also keep up with Windows and IE updates.

Windows Security and Critical Updates
http://v4.windowsupdate.microsoft.com/en/default.asp

Internet Explorer Security and Critical Updates
http://www.microsoft.com/windows/ie/default.asp

And also see TonyKlein's good advice
So how did I get infected in the first place?

Update all these Programs Regularly:Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically.
Thanks,
rstones12
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP