WinFixer 2005 popups - driving me insane! [RESOLVED]


This topic is locked.

#16
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Did you delete the firedaemon.exe file?

Let's try another scan that is java-based:

Please go to the TrendMicro website HERE
  • Click Check my PC now
  • On the next page it will verify that the Trendmicro scan can be run.
  • There should be 4 green checkmarks; if any of them stays a red X, please let me know which one(s).
  • Read the agreement, then click continue with Next Step
  • Wait for the scanner to load, if you get a security warning about the Trend-Micro applet, click YES
  • It will install "Core-Packages", then an applet will open up.
  • Let it update Trend-Micro, then please run a FULL system scan (put a check next to your hard drives - C and D (if applicable).)
  • Save the results and post them here.


#17
3hp12

    Member

  • Topic Starter
  • Member
  • 30 posts
I ran the Trend Micro scan and 1 infection was found here:

TROJ_VLINCE.A(1) C:\Documents and Settings\Owner\Desktop\l2mfix\backup

It was unable to clean the infection. I wasn't sure how to save the results, it didn't give me that option.

No, I did not delete FireDaemon.exe. I cannot seem to find the FireDaemon file. I looked here (C:\WINDOWS\security\FireDaemon.exe) but it doesn't exist. Do I need to remove it?

By the way, I haven't had any pop-ups in awhile. Whatever you're doing, it's sure helping! :tazz:

Here's an updated Hijink log:


Logfile of HijackThis v1.99.1
Scan saved at 4:03:11 PM, on 07/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\security\netclient.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120529115093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120671831265
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: FireDaemon Service: msagent (msagent) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: FireDaemon Service: netclient (netclient) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: FireDaemon Service: winsecure (winsecure) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
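A small triage helper for the O23 service lines and the "Running processes" list in the HijackThis log above, added here as an example; it is not code from the thread or from HijackThis. It assumes the warning signs the thread relies on (a service whose binary is reported missing, an "Unknown owner", a generic service wrapper such as FireDaemon, or an executable sitting directly in C:\WINDOWS\security, where Windows normally keeps only the Database, logs and templates subfolders), and its sample input is a constructed subset of the log lines in this post.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: a handful of "Running processes" and O23 lines taken from
# the HijackThis log quoted in this post, trimmed so the example stays short.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\security\netclient.exe
C:\WINDOWS\System32\nvsvc32.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: FireDaemon Service: msagent (msagent) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: FireDaemon Service: netclient (netclient) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: FireDaemon Service: winsecure (winsecure) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
"""

# O23 line layout: "O23 - Service: <display> (<short name>) - <owner> - <path> [(file missing)]"
# The short name in parentheses is absent on some lines (see the ewido entry).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Assumptions of this example, drawn from the thread: C:\WINDOWS\security normally
# holds only its Database, logs and templates subfolders, so an executable sitting
# directly in it is worth a look; FireDaemon is a generic "run any program as a
# service" wrapper, which is how the three suspect services here are registered.
UNUSUAL_EXE_DIRS = {r"c:\windows\security"}
SERVICE_WRAPPERS = ("firedaemon",)


@dataclass
class Finding:
    kind: str                 # "service" or "process"
    subject: str              # service short name or executable name
    path: str
    reasons: List[str] = field(default_factory=list)


def _split_path(path):
    """Return (folder, file) for a Windows path, lower-casing the folder."""
    folder, _, name = path.rpartition("\\")
    return folder.lower(), name


def parse_hijackthis(text):
    """Return (running process paths, parsed O23 service entries)."""
    processes, services, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False        # the blank line ends the process list
            continue
        if in_procs:
            processes.append(line)
            continue
        m = O23_RE.match(line)
        if m:
            services.append(m.groupdict())
    return processes, services


def triage(text):
    """Flag services and processes that match the thread's warning signs."""
    processes, services = parse_hijackthis(text)
    findings = []
    for svc in services:
        folder, _ = _split_path(svc["path"])
        reasons = []
        if svc["missing"]:
            reasons.append("service binary reported as file missing")
        if svc["owner"].lower() == "unknown owner":
            reasons.append("no vendor recorded for the service")
        if any(w in svc["display"].lower() for w in SERVICE_WRAPPERS):
            reasons.append("generic service wrapper used to launch another program")
        if folder in UNUSUAL_EXE_DIRS:
            reasons.append("binary lives directly in " + folder)
        if reasons:
            findings.append(Finding("service", svc["name"] or svc["display"], svc["path"], reasons))
    for proc in processes:
        folder, name = _split_path(proc)
        if folder in UNUSUAL_EXE_DIRS:
            findings.append(Finding("process", name, proc, ["running from " + folder]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:7} {f.subject:14} {f.path}")
        for r in f.reasons:
            print("        - " + r)
```

Run against the sample it reports the three FireDaemon services (each with all four reasons) and netclient.exe running from the security folder, while the vendor-owned services are left alone.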

#18
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
That's good, Trendmicro only found a file we removed earlier in the backup folder (you can delete that whole folder when we're done :tazz: )

hmm

Set your system to SHOW HIDDEN FILES

Then, look to see if any of these files exist:

C:\WINDOWS\security\msagent.exe
C:\WINDOWS\security\netclient.exe
C:\WINDOWS\security\winsecure.exe
C:\WINDOWS\security\FireDaemon.exe

Let me know if you find any of them now that hidden files are showing.

Also, let me know the names of any other files in that security folder, if there are any.

Edited by bananafanafo, 07 August 2005 - 04:21 PM.


#19
3hp12

    Member

  • Topic Starter
  • Member
  • 30 posts
Of the items that you had inquired about, I can only see that netclient.exe is in this folder. Lots of other files here in the C:\WINDOWS\security Folder:

BugSlayerUtil.dll
cache.001
cache.001 (text document)
cache.001.bkup
cache.002
cache.003
cache.004
cache.004.bkup
cache.004.tmp
cache.005
cygwin1.dll
FireDaemon.dtd
FireDaemonRT.dll
libeay32.dll
libssl32.dll
libxml2.dll
msagent.xml
msconf.exe
netclient.exe
netclient.xml
netconfig.dll
ssleay32.dll
SvcAdmin.dll
sysproc.dll
weblog32.exe
winsecure.xml
winsecure.dll
Database Folder:
secedit.sdb
update.sdb
logs Folder:
backup.txt
nc.exe
scecomp.old
SceRoot.txt
scesetup.txt
schk.exe
tar.exe
update.txt
wget.exe
templates Folder:
hisecdc.txt
hisecws.txt
setup security.txt

#20
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
I don't like the way some of those files look...

Please go here: Jotti Virus Scan

Click the "browse" button and upload each of these files:

C:\WINDOWS\security\netclient.exe
C:\WINDOWS\security\winsecure.dll


Click "Open", then click the "Submit" button. Copy the results for each one and paste them here.

#21
3hp12

    Member

  • Topic Starter
  • Member
  • 30 posts
File: netclient.exe
Status: INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.)
MD5 e5c854620aedfa59b784b5231e5a448f
Packers detected: ASPACK
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:RemoteAdmin.Win32.NetClient.a
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

File: winsecure.dll
Status: OK
MD5 b70e205e2244caf4db556ba77029d143
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

#22
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Does anyone else use this computer who may have put FireDaemon on it?

Open Ewido Security Suite
  • You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.

Once the updates are installed do the following:
  • Reboot into Safe Mode; you can do this by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
  • Now open Ewido Security Suite.
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
Reboot into normal mode.

Post the log from Ewido and a new HiJackThis log.

Edited by bananafanafo, 08 August 2005 - 11:31 AM.


#23
3hp12

    Member

  • Topic Starter
  • Member
  • 30 posts
No one else in my house even knows what "downloading" means. I'm the only user.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:23:15 PM, 08/08/2005
+ Report-Checksum: A6AEE4B7

+ Scan result:

C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ad-logics[1].txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkoahc5iko.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfkouiazsbq.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfmyqgcpmgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfmywic5cco.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkogjdzsao.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjl4wocjkep.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlikgdpmkq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjlyakdjggq.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjmysocjgkp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjmyspazkcp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnyalajcfp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnygodpmgo.stats.esomniture[1].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjnyonajcgo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ehg-dig.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@rotator.adjuggler[1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@web4.realtracker[2].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@www.myaffiliateprogram[1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/JZDR500.DLL -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/ksdhe.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/mgi.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/ncmkcert.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/nxtevent.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/tNpi32.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\Owner\Desktop\l2mfix\backup.zip/wxnsock.dll -> Spyware.Look2Me : Error during cleaning


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 5:25:03 PM, on 08/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120529115093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120671831265
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: FireDaemon Service: msagent (msagent) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: FireDaemon Service: netclient (netclient) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: FireDaemon Service: winsecure (winsecure) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)

#24
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Then we will definitely get rid of it :tazz:

*Open HijackThis.
*Click Open the Misc Tools section
*Click Open Uninstall Manager
*Click Save List - Save it anywhere.
*A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

#25
3hp12

    Member

  • Topic Starter
  • Member
  • 30 posts
ACDSee for PENTAX
Adobe Acrobat 5.0
ArcSoft ShowBiz
ArcSoft Software Suite
Atomic Pop
Azureus
Betty Bad
Blackhawk Striker
Blasterball 2
Blasterball Wild
Business Plan Pro 2005
CleanUp!
DAEMON Tools
Dark Orbit
Detto IntelliMover Demo
Disney's Lilo and Stitch Pinball
DivX
DivX Player
DLA
easy Internet sign-up
ewido security suite
GemMaster 2
Google Toolbar for Internet Explorer
Hijackthis 1.99.1
HijackThis 1.99.1
hp center
HP Instant Support
HP Memories Disc
HP Photo and Imaging 1.1 - Photosmart Cameras
hp toolkit
Inactive HP Printer Drivers (Remove only)
Intel® 845G Chipset Graphics Driver Software
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
KBD
Kublox
Lernout & Hauspie TruVoice American English TTS Engine
LiveReg (Symantec Corporation)
LiveUpdate 1.7 (Symantec Corporation)
Messenger Plus! 3
Microsoft Office Professional Edition 2003
ML-1710 Series
MSN Messenger 7.0
MUSICMATCH Jukebox
MyDVD
Norton AntiVirus 2002
NVIDIA Windows 2000/XP Display Drivers
Palm Desktop
Palo Alto Software's Application Manager 8.1
Panda ActiveScan
PC-Doctor for Windows
PigPen
PS2
Python 2.2 combined Win32 extensions
Python 2.2.1
Quicken Financial Center
QuickTime
RealPlayer
RecordNow
RecordNow Update Manager
S3Display
S3Gamma2
S3Info2
S3Overlay
SabreWing 2
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
Snowboard Extreme
Space Rocks
Speedway
Spybot - Search & Destroy 1.4
TrojanHunter 4.2
Update for Windows XP (KB898461)
Virtual Warfare
Winamp (remove only)
WinAVI VideoConverter
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WordPerfect Productivity Pack
WordPerfect Productivity Pack

#26
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Sorry for the wait. Another staff expert would like to take a look at those files. :tazz:

Download sfp and unzip it to your desktop.
  • Double click sfp.exe that's on your desktop
  • In step one, please copy and paste in the following line:
    • C:\WINDOWS\security\*.*
  • Click "Continue"
  • sfp will create a cab file on your desktop called requested-files (and the date)
  • please email the cab file to submit@atribune.org


#27
Michelle

    Malware Removal Goddess

  • Retired Staff
  • 8,928 posts
Ok :tazz:

Please reboot into Safe Mode.

Once in Safe Mode, go into the C:\Windows\Security folder.

Do NOT delete any files out of the Logs, Database, and Templates folders - these are legit.

Delete the following files, directly out of the security folder:

BugSlayerUtil.dll
cygwin1.dll
FireDaemon.dtd
FireDaemonRT.dll
libeay32.dll
libssl32.dll
libxml2.dll
msagent.xml
msconf.exe
netclient.exe
netclient.xml
netconfig.dll
ssleay32.dll
SvcAdmin.dll
sysproc.dll
weblog32.exe
winsecure.xml
winsecure.dll

Let me know if you have any problems deleting any of the files ;)

#28
3hp12

    Member

  • Topic Starter
  • Member
  • 30 posts
I deleted all of the files without any problems. Am I all clean??

Logfile of HijackThis v1.99.1
Scan saved at 12:48:35 PM, on 09/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_04\bin\javaw.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca6.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ca6.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ca6.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] c:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....204&clcid=0x409
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120529115093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1120671831265
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: FireDaemon Service: msagent (msagent) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: FireDaemon Service: netclient (netclient) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: FireDaemon Service: winsecure (winsecure) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
  • 0
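
The three O23 lines above still list FireDaemon services whose executable is gone ("file missing"). A service entry like that survives deleting the files: it is registered in the registry and is retried on every boot, which is why the service itself is dealt with separately. The following script is an added example for this thread, not code from the forum or from HijackThis; it parses the O23 lines quoted above and flags entries on three defender-side heuristics (binary missing, no publisher, executable outside the usual vendor directories). The directory allowlist in EXPECTED_PREFIXES is an assumption made for the example.

```python
"""Triage the O23 (service) lines of a HijackThis log.

Added example for this thread, not the forum's or HijackThis's own code. It
applies a few defender-side heuristics to the service entries quoted above so
the orphaned FireDaemon services stand out from the vendor services.
"""
import re
from typing import Dict, List

# O23 line layout: O23 - Service: <display> [(<name>)] - <owner> - <path> [(file missing)]
# The short name in parentheses is absent on some lines (the ewido entries above).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Directory prefixes that vendor services on this XP box normally live under.
# This allowlist is an assumption for the example, not a HijackThis rule.
EXPECTED_PREFIXES = (
    r"c:\windows\system32",
    r"c:\program files",
)

# The O23 lines from the log posted above.
HJT_O23_LINES = r"""
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: FireDaemon Service: msagent (msagent) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: FireDaemon Service: netclient (netclient) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: FireDaemon Service: winsecure (winsecure) - Unknown owner - C:\WINDOWS\security\FireDaemon.exe (file missing)
"""


def parse_o23(line: str) -> Dict[str, object]:
    """Split one O23 line into its fields; raises ValueError on any other line."""
    m = O23_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an O23 line: {line!r}")
    d = m.groupdict()
    return {
        "name": d["name"] or d["display"],  # fall back to the display name
        "display": d["display"],
        "owner": d["owner"],
        "path": d["path"],
        "missing": d["missing"] is not None,
    }


def triage_service(svc: Dict[str, object]) -> List[str]:
    """Reasons a service entry deserves a second look (empty list = looks normal)."""
    reasons = []
    if svc["missing"]:
        # A registered service whose binary is gone is an orphaned persistence
        # entry: it is still tried at every boot until the service is removed.
        reasons.append("binary missing")
    if str(svc["owner"]).lower() == "unknown owner":
        reasons.append("no vendor/publisher")
    if not str(svc["path"]).lower().startswith(EXPECTED_PREFIXES):
        reasons.append("unusual directory")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each service name to its reasons, for every O23 line in the log text."""
    findings: Dict[str, List[str]] = {}
    for line in text.strip().splitlines():
        if line.startswith("O23 - Service:"):
            svc = parse_o23(line)
            findings[str(svc["name"])] = triage_service(svc)
    return findings


def flagged_services(text: str) -> List[str]:
    """Names of services with at least one reason, in log order."""
    return [name for name, reasons in triage_log(text).items() if reasons]


if __name__ == "__main__":
    for name, reasons in triage_log(HJT_O23_LINES).items():
        print(f"{name:<32} {', '.join(reasons) if reasons else 'ok'}")
```

Run against the lines above, only msagent, netclient and winsecure are flagged, each on all three counts; the ewido, Apple, Symantec and NVIDIA services pass. The directory heuristic is deliberately narrow: a real allowlist would need the other vendor paths a given machine legitimately uses.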

#29
Michelle (Malware Removal Goddess, Retired Staff, 8,928 posts)
Almost :tazz:

There is another program I would like you to run; then we will delete the FireDaemon service off of your system.

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

  • 0

#30
3hp12 (Member, Topic Starter, 30 posts)
********
1:16 PM: |··· Start of Session, August 9, 2005 ···|
1:16 PM: Spy Sweeper started
1:16 PM: Sweep initiated using definitions version 512
1:16 PM: Starting Memory Sweep
1:18 PM: Memory Sweep Complete, Elapsed Time: 00:01:45
1:18 PM: Starting Registry Sweep
1:18 PM: Found Adware: icannnews
1:18 PM: HKCR\activexctrl\ (3 subtraces) (ID = 169450)
1:18 PM: HKCR\clsid\{3bfadce2-1141-4b81-8878-49af625f0fdc}\ (3 subtraces) (ID = 169451)
1:18 PM: HKCR\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169454)
1:18 PM: HKCR\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169455)
1:18 PM: HKCR\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169456)
1:18 PM: HKLM\software\classes\activexctrl\ (3 subtraces) (ID = 169457)
1:18 PM: HKLM\software\classes\clsid\{3bfadce2-1141-4b81-8878-49af625f0fdc}\ (3 subtraces) (ID = 169458)
1:18 PM: HKLM\software\classes\interface\{980ad470-04ea-4d1d-bd26-e178b7bda6d8}\ (8 subtraces) (ID = 169461)
1:18 PM: HKLM\software\classes\interface\{fd39937a-c583-4aac-9332-8a3e44988a67}\ (8 subtraces) (ID = 169462)
1:18 PM: HKLM\software\classes\typelib\{ee5ac3d6-6f43-4047-af0a-d66fc2cf8f42}\ (9 subtraces) (ID = 169463)
1:18 PM: Registry Sweep Complete, Elapsed Time:00:00:08
1:18 PM: Starting Cookie Sweep
1:18 PM: Found Spy Cookie: 2o7.net cookie
1:18 PM: owner@2o7[1].txt (ID = 1957)
1:18 PM: Found Spy Cookie: about cookie
1:18 PM: owner@4wheeldrive.about[1].txt (ID = 2038)
1:18 PM: owner@about[2].txt (ID = 2037)
1:18 PM: Found Spy Cookie: yieldmanager cookie
1:18 PM: owner@ad.yieldmanager[1].txt (ID = 3751)
1:18 PM: Found Spy Cookie: adknowledge cookie
1:18 PM: owner@adknowledge[2].txt (ID = 2072)
1:18 PM: Found Spy Cookie: hbmediapro cookie
1:18 PM: owner@adopt.hbmediapro[2].txt (ID = 2768)
1:18 PM: Found Spy Cookie: addynamix cookie
1:18 PM: owner@ads.addynamix[1].txt (ID = 2062)
1:18 PM: Found Spy Cookie: joetec.net cookie
1:18 PM: owner@ads.joetec[2].txt (ID = 2890)
1:18 PM: Found Spy Cookie: pointroll cookie
1:18 PM: owner@ads.pointroll[2].txt (ID = 3148)
1:18 PM: Found Spy Cookie: advertising cookie
1:18 PM: owner@advertising[1].txt (ID = 2175)
1:18 PM: Found Spy Cookie: falkag cookie
1:18 PM: owner@as-us.falkag[2].txt (ID = 2650)
1:18 PM: Found Spy Cookie: atlas dmt cookie
1:18 PM: owner@atdmt[2].txt (ID = 2253)
1:18 PM: Found Spy Cookie: belnk cookie
1:18 PM: owner@ath.belnk[1].txt (ID = 2293)
1:18 PM: Found Spy Cookie: atwola cookie
1:18 PM: owner@atwola[1].txt (ID = 2255)
1:18 PM: owner@belnk[2].txt (ID = 2292)
1:18 PM: Found Spy Cookie: zedo cookie
1:18 PM: owner@c4.zedo[1].txt (ID = 3763)
1:18 PM: Found Spy Cookie: 360i cookie
1:18 PM: owner@ct.360i[1].txt (ID = 1962)
1:18 PM: owner@dist.belnk[1].txt (ID = 2293)
1:18 PM: Found Spy Cookie: excite cookie
1:18 PM: owner@excite[1].txt (ID = 2631)
1:18 PM: Found Spy Cookie: expage cookie
1:18 PM: owner@expage[1].txt (ID = 2637)
1:18 PM: Found Spy Cookie: fastclick cookie
1:18 PM: owner@fastclick[1].txt (ID = 2651)
1:18 PM: Found Spy Cookie: go.com cookie
1:18 PM: owner@go[1].txt (ID = 2728)
1:18 PM: owner@joetec[1].txt (ID = 2889)
1:18 PM: owner@movies.go[1].txt (ID = 2729)
1:18 PM: Found Spy Cookie: revenue.net cookie
1:18 PM: owner@revenue[2].txt (ID = 3257)
1:18 PM: Found Spy Cookie: servedby advertising cookie
1:18 PM: owner@servedby.advertising[1].txt (ID = 3335)
1:18 PM: Found Spy Cookie: spylog cookie
1:18 PM: owner@spylog[2].txt (ID = 3415)
1:18 PM: Found Spy Cookie: targetnet cookie
1:18 PM: owner@targetnet[1].txt (ID = 3489)
1:18 PM: Found Spy Cookie: tribalfusion cookie
1:18 PM: owner@tribalfusion[1].txt (ID = 3589)
1:18 PM: owner@www.ads.joetec[1].txt (ID = 2890)
1:18 PM: Found Spy Cookie: megago cookie
1:18 PM: owner@www.rockin-the-rockies.freeservers[1].txt (ID = 2983)
1:18 PM: Found Spy Cookie: adserver cookie
1:18 PM: owner@z1.adserver[1].txt (ID = 2142)
1:18 PM: owner@zedo[2].txt (ID = 3762)
1:18 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
1:18 PM: Starting File Sweep
1:18 PM: Found Adware: websearch toolbar
1:18 PM: c:\program files\common files\wintools (5 subtraces) (ID = -2147480046)
1:18 PM: Found Adware: shopathomeselect
1:18 PM: c:\windows\system32\sahimages (19 subtraces) (ID = -2147480329)
1:18 PM: Found Trojan Horse: 2nd-thought
1:18 PM: c:\windows\system32\newmsrdk (ID = -2147481534)
1:18 PM: Found Adware: dealhelper
1:18 PM: nupsobu3.xml (ID = 57652)
1:19 PM: Found Adware: ps2
1:19 PM: ps2.exe (ID = 72826)
1:19 PM: nupsobu.xml (ID = 57649)
1:20 PM: nupsobk1.xml (ID = 57647)
1:20 PM: nupsobk2.xml (ID = 57648)
1:20 PM: ps2.bat (ID = 72826)
1:20 PM: nupsobu2.xml (ID = 57651)
1:20 PM: ps2.bat (ID = 72826)
1:21 PM: nupsobk.xml (ID = 57646)
1:21 PM: ps2.bat (ID = 72826)
1:21 PM: ps2.bat (ID = 72826)
1:21 PM: nupsobu1.xml (ID = 57650)
1:21 PM: ps2.bat (ID = 72826)
1:22 PM: ps2.bat (ID = 72826)
1:22 PM: Found Adware: clearsearch
1:22 PM: 66708108.txt (ID = 116398)
1:22 PM: Found Adware: abetterinternet
1:22 PM: abiuninst.htm (ID = 83087)
1:22 PM: mozhiqu2.xml (ID = 57651)
1:22 PM: mozhiqu1.xml (ID = 57650)
1:22 PM: mozhiqu.xml (ID = 57649)
1:22 PM: mozhiqk2.xml (ID = 57648)
1:22 PM: mozhiqk1.xml (ID = 57647)
1:22 PM: mozhiqk.xml (ID = 57646)
1:22 PM: ps2.exe (ID = 72826)
1:22 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || PS2 (ID = 0)
1:22 PM: ps2.bat (ID = 72826)
1:22 PM: gah95on6.ini (ID = 75741)
1:22 PM: ps2.bat (ID = 72826)
1:22 PM: ps2.bat (ID = 72826)
1:22 PM: fernbku.xml (ID = 57649)
1:22 PM: fernbku1.xml (ID = 57650)
1:22 PM: fernbku2.xml (ID = 57651)
1:22 PM: fernbkk.xml (ID = 57646)
1:22 PM: fernbkk1.xml (ID = 57647)
1:22 PM: fernbkk2.xml (ID = 57648)
1:22 PM: wtoolsp.cfg (ID = 87639)
1:22 PM: wtoolsr.cfg (ID = 87722)
1:22 PM: mozhiqdk.xml (ID = 57645)
1:22 PM: fernbkdk.xml (ID = 57645)
1:22 PM: 67599164.bin (ID = 52512)
1:22 PM: 23353442.bin (ID = 116395)
1:22 PM: 40754594.txt (ID = 52512)
1:22 PM: nupsobdk.xml (ID = 57645)
1:22 PM: bln02nqv.ini (ID = 75683)
1:22 PM: 70tovmto.ini (ID = 75621)
1:22 PM: File Sweep Complete, Elapsed Time: 00:04:29
1:22 PM: Full Sweep has completed. Elapsed time 00:06:27
1:22 PM: Traces Found: 176
1:23 PM: Removal process initiated
1:23 PM: Quarantining All Traces: icannnews
1:23 PM: Quarantining All Traces: 2o7.net cookie
1:23 PM: Quarantining All Traces: about cookie
1:23 PM: Quarantining All Traces: yieldmanager cookie
1:23 PM: Quarantining All Traces: adknowledge cookie
1:23 PM: Quarantining All Traces: hbmediapro cookie
1:23 PM: Quarantining All Traces: addynamix cookie
1:23 PM: Quarantining All Traces: joetec.net cookie
1:23 PM: Quarantining All Traces: pointroll cookie
1:23 PM: Quarantining All Traces: advertising cookie
1:23 PM: Quarantining All Traces: falkag cookie
1:23 PM: Quarantining All Traces: atlas dmt cookie
1:23 PM: Quarantining All Traces: belnk cookie
1:23 PM: Quarantining All Traces: atwola cookie
1:23 PM: Quarantining All Traces: zedo cookie
1:23 PM: Quarantining All Traces: 360i cookie
1:23 PM: Quarantining All Traces: excite cookie
1:23 PM: Quarantining All Traces: expage cookie
1:23 PM: Quarantining All Traces: fastclick cookie
1:23 PM: Quarantining All Traces: go.com cookie
1:23 PM: Quarantining All Traces: revenue.net cookie
1:23 PM: Quarantining All Traces: servedby advertising cookie
1:23 PM: Quarantining All Traces: spylog cookie
1:23 PM: Quarantining All Traces: targetnet cookie
1:23 PM: Quarantining All Traces: tribalfusion cookie
1:23 PM: Quarantining All Traces: megago cookie
1:23 PM: Quarantining All Traces: adserver cookie
1:23 PM: Quarantining All Traces: websearch toolbar
1:23 PM: Quarantining All Traces: shopathomeselect
1:23 PM: Quarantining All Traces: 2nd-thought
1:23 PM: Quarantining All Traces: dealhelper
1:23 PM: Quarantining All Traces: ps2
1:23 PM: Quarantining All Traces: clearsearch
1:23 PM: Quarantining All Traces: abetterinternet
1:23 PM: Removal process completed. Elapsed time 00:00:29
********
1:15 PM: |··· Start of Session, August 9, 2005 ···|
1:15 PM: Spy Sweeper started
1:16 PM: |··· End of Session, August 9, 2005 ···|
  • 0
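
A session log like the one above groups every trace line under the "Found <category>: <name>" line that precedes it, and its "Traces Found" total counts each line once plus any subtraces it reports. The script below is an added example for this thread, not Webroot's code; it parses a constructed excerpt of the log above into per-threat trace counts and categories, and cross-checks that every detection has a matching "Quarantining All Traces" line. The excerpt deliberately leaves out the 2nd-thought quarantine line so that cross-check has something to report.

```python
"""Summarise a Webroot Spy Sweeper session log.

Added example for this thread, not Webroot's code. It groups trace lines under
the "Found <category>: <name>" header that precedes them, counts traces the way
the log's own "Traces Found" total does (one per line plus its subtraces), and
cross-checks that every detection was later quarantined.
"""
import re
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (?P<msg>.*)$")
FOUND_RE = re.compile(r"^Found (?P<category>[^:]+): (?P<name>.+)$")
QUARANTINE_RE = re.compile(r"^Quarantining All Traces: (?P<name>.+)$")
SUBTRACE_RE = re.compile(r"\((\d+) subtraces\)")

# Constructed excerpt of the session log above. The "2nd-thought" quarantine
# line is left out on purpose so not_quarantined() has something to report.
SESSION_EXCERPT = r"""
********
1:16 PM: |··· Start of Session, August 9, 2005 ···|
1:18 PM: Starting Registry Sweep
1:18 PM: Found Adware: icannnews
1:18 PM: HKCR\activexctrl\ (3 subtraces) (ID = 169450)
1:18 PM: HKCR\clsid\{3bfadce2-1141-4b81-8878-49af625f0fdc}\ (3 subtraces) (ID = 169451)
1:18 PM: Registry Sweep Complete, Elapsed Time:00:00:08
1:18 PM: Starting Cookie Sweep
1:18 PM: Found Spy Cookie: 2o7.net cookie
1:18 PM: owner@2o7[1].txt (ID = 1957)
1:18 PM: Found Spy Cookie: about cookie
1:18 PM: owner@4wheeldrive.about[1].txt (ID = 2038)
1:18 PM: owner@about[2].txt (ID = 2037)
1:18 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
1:18 PM: Starting File Sweep
1:18 PM: Found Adware: websearch toolbar
1:18 PM: c:\program files\common files\wintools (5 subtraces) (ID = -2147480046)
1:18 PM: Found Trojan Horse: 2nd-thought
1:18 PM: c:\windows\system32\newmsrdk (ID = -2147481534)
1:22 PM: File Sweep Complete, Elapsed Time: 00:04:29
1:23 PM: Removal process initiated
1:23 PM: Quarantining All Traces: icannnews
1:23 PM: Quarantining All Traces: 2o7.net cookie
1:23 PM: Quarantining All Traces: about cookie
1:23 PM: Quarantining All Traces: websearch toolbar
1:23 PM: Removal process completed. Elapsed time 00:00:29
"""


def parse_session(text: str) -> Tuple[Dict[str, dict], Set[str]]:
    """Group trace lines under their Found header; return (threats, quarantined names)."""
    threats: Dict[str, dict] = {}
    quarantined: Set[str] = set()
    current = None  # name of the threat whose trace lines we are inside
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # banner rows such as ******** carry no time stamp
        msg = m.group("msg")
        found = FOUND_RE.match(msg)
        quar = QUARANTINE_RE.match(msg)
        if found:
            current = found.group("name")
            threats[current] = {"category": found.group("category"), "traces": 0}
        elif quar:
            quarantined.add(quar.group("name"))
        elif "(ID = " in msg and current is not None:
            # The log's own total counts one trace per line plus its subtraces.
            sub = SUBTRACE_RE.search(msg)
            threats[current]["traces"] += 1 + (int(sub.group(1)) if sub else 0)
        else:
            current = None  # sweep phase markers end the current group
    return threats, quarantined


def total_traces(text: str) -> int:
    """Sum of traces over all detections, comparable to the log's Traces Found line."""
    threats, _ = parse_session(text)
    return sum(t["traces"] for t in threats.values())


def by_category(text: str) -> Dict[str, List[str]]:
    """Detection names grouped by Spy Sweeper category (Adware, Spy Cookie, ...)."""
    out: Dict[str, List[str]] = {}
    for name, t in parse_session(text)[0].items():
        out.setdefault(t["category"], []).append(name)
    return out


def not_quarantined(text: str) -> List[str]:
    """Detections with no matching Quarantining All Traces line, in log order."""
    threats, quarantined = parse_session(text)
    return [n for n in threats if n not in quarantined]


if __name__ == "__main__":
    for category, names in by_category(SESSION_EXCERPT).items():
        print(f"{category}: {', '.join(names)}")
    print("traces:", total_traces(SESSION_EXCERPT))
    print("not quarantined:", not_quarantined(SESSION_EXCERPT))
```

On the excerpt the counts are icannnews 8, websearch toolbar 6, the two cookies 1 and 2, and 2nd-thought 1, for 18 traces, with 2nd-thought reported as not quarantined. Pasting the full session log above into SESSION_EXCERPT instead gives 176, matching the log's own "Traces Found: 176" line, and an empty not-quarantined list, which is the check worth making before calling a sweep complete.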





