Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Psguard strike [RESOLVED]

Started by ratwar , Aug 09 2005 08:29 AM

  • This topic is locked This topic is locked

#1
ratwar
Posted 09 August 2005 - 08:29 AM

ratwar

    New Member

  • Member
  • Pip
  • 9 posts
Hi Everyone,

I got hit by the PSguard stuff yesterday. Don't quite know how since I was running multiple IE windows and I have Norton, Spybot etc. Anyway I did a search and read a number of posts here and downloaded and installed all the recommended software. I haven't run anything yet except Hijackthis which is what you want, right? I have all the instructions printed out and just need some help in finding out which problems to fix in the SAFE mode. Also, I'm running 2000 and I would like to avoid any of these problems - if possible ;) (this is, however, the only time I've had any such issue) - can you recommend any software that I can install and keep?

BTW - I think you folks are just fabulous...

Thank you so much - don't quite know what I would do else.... :tazz: Cindy

Here is the Hijack file

Logfile of HijackThis v1.99.1
Scan saved at 9:38:32 AM, on 8/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\gearsec.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\system32\intell32.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINNT\system32\intell32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\system32\shnlog.exe
C:\WINNT\system32\intmon.exe
C:\WINNT\system32\LogFiles\DA7021900.so
C:\Program Files\Juno\bin\juno.exe
C:\WINNT\popuper.exe
C:\WINNT\system32\intmonp.exe
C:\WINNT\system32\msole32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bestwebslinks.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebsl...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hpDD97.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINNT\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINNT\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\fltmgr.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dckar.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{7F2E7494-0C1F-48F9-813C-5C77EB841054}: NameServer = 64.136.28.120 64.136.20.120
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dckar.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dckar.com
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements

#2
Rawe
Posted 09 August 2005 - 08:41 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
ratwar, hello and welcome to GTG! :)

Ok, I can see you have problems.. Obviously. :tazz:

Before you do any fix process, we will need to do the following.

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it;
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of fltmgr.dll
  • Select every instance of fltmgr.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>.
Reboot. Run a new scan with HiJackThis and post a fresh log - we'll go after PSguard next.

- Rawe ;)

Edited by Rawe, 09 August 2005 - 08:41 AM.

  • 0

#3
ratwar
Posted 09 August 2005 - 09:52 AM

ratwar

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Rawe,

Thank you very much for this... I really do appreciate this... :tazz:

I did what you told me to do and here is the hijack file after that (there was one instance of the fltdr dll which I removed)....

Cindy...


Logfile of HijackThis v1.99.1
Scan saved at 11:41:51 AM, on 8/9/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\gearsec.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\shnlog.exe
C:\WINNT\popuper.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\system32\intmonp.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\WINNT\system32\intmon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINNT\system32\xpsp2fw.exe
C:\WINNT\system32\intell32.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bestwebslinks.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebsl...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hpF01C.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINNT\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\system32\msmsgs.exe
O4 - HKLM\..\Run: [intell32.exe] C:\WINNT\system32\intell32.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dckar.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dckar.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dckar.com
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#4
Rawe
Posted 09 August 2005 - 10:00 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Ok, now we'll go safely after PSguard ;)

Please print these instructions out, or write them down, as you can't read them during the fix. Work through the process by reading it first, it makes it easier for both of us if you ask any possible question(s) before proceeding the fix.

Download smitRem.exe and save the file to your desktop.
Double-click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download CleanUp!

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

Next, please reboot your computer in Safe Mode by doing the following;

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
===================================================
Run a scan with HiJackThis and check the following objects for removal;

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.bestwebslinks.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebsl...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebsl...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
O2 - BHO: HP Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINNT\system32\hpF01C.tmp
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll

Close any other open windows and/or open browsers, making sure that only HiJackThis is running. Make sure that the above mentioned objects are all checked, then hit "Fix Checked".
===================================================

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a Full System Scan. Remove all it finds.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • Clean anything it finds.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Using Windows Explorer, locate the following files and delete if present;

C:\WINNT\system32\wuclient.exe
C:\WINNT\web\related.htm
C:\WINNT\SYSTEM32\nwprovau.dll

When finished deleting;

Go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Run CleanUp! making sure to reboot when prompted!

Boot up into normal mode and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.

Let me know how's it running now.

- Rawe :tazz:
  • 0

#5
ratwar
Posted 10 August 2005 - 05:23 AM

ratwar

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Rawe,

THank you so much for all this... It took some time for computer scans but I finally completed everything you had asked except for the following:

- I was unable to delete the "C:\WINNT\SYSTEM32\nwprovau.dll" - when I tried to do so, a message popped up saying that windows was using the file.

- There was no "Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info"". However, under the Web, there was Active Desktop Enabled checked and in the options window "Use current page" was checked. I unchecked the "use current page" but did not disable the "active Desktop". This got rid of that annoying background pop-up that I couldn't get rid of.

Panda did find a malicious script but did not delete it in the final step. Here are all the log files....

Ps. You're the best.... :tazz:

Cindy.

_____________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 7:05:27 AM, on 8/10/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\system32\gearsec.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\unzipped\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINNT\system32\wuclient.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dckar.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dckar.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dckar.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



smitRem log file
version 2.3

by noahdfear

The current date is: Tue 08/09/2005
The current time is: 12:57:03.46

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! ;)


_________________________________________________

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:30:53 PM, 8/9/2005
+ Report-Checksum: DBF9C04

+ Scan result:

C:\Documents and Settings\RT\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\e.exe -> Spyware.Searcher : Cleaned with backup
C:\Program Files\Juno\bin\getjuno.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\RECYCLER\NPROTECT\00140067.TXT -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\RECYCLER\NPROTECT\00141466.exe -> Trojan.Favadd.ai : Cleaned with backup
C:\RECYCLER\NPROTECT\00141501.TXT -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\NPROTECT\00141502.TXT -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\NPROTECT\00141503.TXT -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\NPROTECT\00141520.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00141521.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00141527.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00141529.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00141530.TXT -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\RECYCLER\NPROTECT\00141536.TXT -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\NPROTECT\00141538.TXT -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\NPROTECT\00141540.TXT -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\NPROTECT\00141542.TXT -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\RECYCLER\NPROTECT\00141544.TXT -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\RECYCLER\NPROTECT\00141546.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00141548.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\NPROTECT\00141616.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\NPROTECT\00141617.TXT -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINNT\system32\editmstmf.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\fltmgr.dll -> Spyware.Searcher : Cleaned with backup
C:\WINNT\system32\I3apEUIcmcf.dll -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End

_______________________________________________________


Incident Status Location

Virus:Trj/Downloader.ABR Disinfected Operating system
Adware:adware/popuper No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\Remove Spyware.url
Dialer:dialer.bqw No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\CONC
Virus:Trj/Downloader.ARZ Disinfected C:\Program Files\Windows Media Player\wmplayer.exe
Virus:Trj/Downloader.MR Disinfected C:\sextxsp.chm
Virus:Trj/Downloader.ABR Disinfected C:\WINNT\system32\idratil.dll
Virus:Trj/Downloader.ABR Disinfected C:\WINNT\system32\lddsnd.dll
  • 0

#6
Rawe
Posted 10 August 2005 - 05:31 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Hi again!

Ok, looks really good now.

Delete the following files if present (using Windows Explorer);

C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\Remove Spyware.url
C:\sextxsp.chm
C:\WINNT\system32\idratil.dll
C:\WINNT\system32\lddsnd.dll

Empty your recycle bin.

Then,
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\Program Files\Windows Media Player\wmplayer.exe
  • Click on the submit button
  • Please post the results in your next reply.
- Rawe :tazz:
  • 0

#7
ratwar
Posted 10 August 2005 - 05:03 PM

ratwar

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Rawe,

I didn't find any of the following files:

C:\sextxsp.chm :tazz:
C:\WINNT\system32\idratil.dll
C:\WINNT\system32\lddsnd.dll

And this was the response I got from the jyotti program...

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


Hope this makes some sense to you... ;)

Cindy...
  • 0

#8
Rawe
Posted 11 August 2005 - 01:06 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Ok, let's see what Kaspersky can figure out ;)

Please do an online scan with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start to scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
- Rawe :tazz:
  • 0

#9
ratwar
Posted 11 August 2005 - 06:21 AM

ratwar

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Rawe,

I ran the Kaspersky virus program and ... well, where did all these come from?

All of these look like quarantined Norton Antivirus stuff....

Regards and many many thanks for being so patient....

Cindy... :tazz:

__________________________________________________________________

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, August 11, 2005 08:20:43
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 11/08/2005
Kaspersky Anti-Virus database records: 134674
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 26069
Number of viruses found: 11
Number of infected objects: 84
Number of suspicious objects: 13
Duration of the scan process: 1511 sec

Infected Object Name - Virus Name
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\039A17E0.php Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\039D41DC.php Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\03B70196.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\046E40F6.gif Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\047514EF.gif Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05A61159.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\05DC05F5.htm Infected: Trojan-Downloader.JS.Psyme.ap
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\069873E6.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07711B11.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\09BF36D7.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0B76126C.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CAF27F9.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\0CDC4542.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1030442B.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1340703A.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\146E451E.htm Infected: Trojan-Downloader.JS.Psyme.ap
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\15F67B4F.php Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\16A8253A.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18301D79.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\18611343.htm Infected: Trojan-Downloader.JS.Psyme.ap
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1B7834C2.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\221D5C49.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2254260C.gif Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\27151D14.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2E754A9C.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\31E77C55.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\321D29A2.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\33AE44FF.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\36C5330E.dat Infected: Trojan-Proxy.Win32.Mitglieder.at
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\36C5330E.exe Infected: Trojan-Proxy.Win32.Mitglieder.at
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\37F57271.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3C2C7D5C.html Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\484B7D6C.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4AD434A7.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4C844AA2.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4C8C7885.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4ECD5073.htm Infected: Trojan-Downloader.JS.Psyme.ap
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4F021FCF.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\509602E0.gif Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\511570C9.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\511C7FE9.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\55CF51A1.htm Infected: Trojan-Clicker.HTML.IFrame.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\569F1EB0.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\56C36C88.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\56D970E1.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\56F76AC0.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58165984.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58375906.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58617AD8.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\589270A2.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\58CF4362.php Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\59AF3569.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\59CF5945.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5AB4544A.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5D826933.htm Infected: Exploit.HTML.IframeBof
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5EA92087.gif Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5F2F59F3.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5F694DB3.gif Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5FBD4E63.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5FC608FF.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\600F2D08.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\603722D0.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\612271CD.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\624B5E86.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\63E13099.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66133310.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66B6665C.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66EE301F.htm Infected: Trojan-Downloader.JS.Small.d
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\67C52DDC.jpg Infected: Exploit.Win32.MS04-028.gen
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\67C52DDC.tiff Infected: Exploit.Win32.MS04-028.gen
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\67D255CE.bmp Infected: Exploit.Win32.MS04-028.gen
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\67E27D12.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\67E327BC.pif Infected: Exploit.Win32.MS04-028.gen
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\67EC25B1.ico Infected: Exploit.Win32.MS04-028.gen
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\67F623A6.gif Infected: Exploit.Win32.MS04-028.gen
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\680A74E6.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6940343B.htm Infected: Exploit.HTML.IframeBof
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6A1F2FCA.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6DEB56AB.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6EC67572.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6F5A0A18.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\71810A97.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\72895374.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\73B47833.htm Infected: Trojan-Downloader.JS.Psyme.ap
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\74A45E37.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77656826.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77D725A8.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\786A0706.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\79B25A7F.htm Infected: Exploit.VBS.Phel.a
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7AA9648E.htm Infected: Exploit.HTML.ObjData
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7D024D21.gif Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7D121F0F.gif Infected: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7D3527BE.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7D946956.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7DA86540.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7E3B143C.htm Suspicious: Exploit.HTML.Mht
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7FA648AD.htm Suspicious: Exploit.HTML.Mht

Scan process completed.
  • 0

#10
Rawe
Posted 11 August 2005 - 08:37 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Ok, let's do couple of things more and we might be done! ;)

Again, you might want to print this set of instructions out and ask any question(s) before proceeding.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:[list]
  • Click "Next", read the agreement, Click "Next"
  • Choose "Custom" click "Next".
  • Leave the default installation directoy as it is, then click "Next".
  • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
  • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
  • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
Disable SpySweeper Shields
  • Click Shields on the left.
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, exit SpySweeper.
Launch your Norton Anti-virus. Remove everything from it's virus vault (quarantine), if it contains anything.

Run CleanUp! but DON'T reboot yet.

Disable System Restore;

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. An message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, locate the following folder and delete it's content (Not the folder itself, only everything inside it);

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\

Empty recycle bin.

Launch SpySweeper;
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Now reboot back to normal mode.

Enable System Restore;

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".

Post me a fresh HiJackThis log along with the SpySweeper session log.

- Rawe :tazz:
  • 0

Advertisements

#11
ratwar
Posted 12 August 2005 - 04:43 AM

ratwar

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Rawe.... :tazz:

I just wanted to make sure about something. I have downloaded the spysweeper and installed it and updated the definitions and removed the shields.

Then you asked me to run norton antivirus and remove anything in the quarantine bin:

Launch your Norton Anti-virus. Remove everything from it's virus vault (quarantine), if it contains anything.


I went to Norton Anti-virus and under reports - quarantined items I found the following:

quarantined items 0
backup items 97

Do I delete all of those?

Regards.

Cindy.
  • 0

#12
Rawe
Posted 12 August 2005 - 08:55 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
I don't think you need to, just empty this folder in Safe Mode as I asked you to;
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\

- Rawe :tazz:
  • 0

#13
ratwar
Posted 12 August 2005 - 04:42 PM

ratwar

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Rawe,

There is no "System Restore" tab on my "Control Panel" Properties location. I have the following tabs:

General
Network Identification
Hardware
User Profiles
Advanced

I went through each of them to see if there was an option for System Restore and also checked the Win 2000 help and I couldn't find anything....

:tazz:

;) Cindy....
  • 0

#14
Rawe
Posted 13 August 2005 - 02:59 AM

Rawe

    Visiting Staff

  • Member
  • PipPipPipPipPipPipPip
  • 4,746 posts
Sorry, you can say I'm idiot or anything you want to :tazz:

I AGAIN forgot that you're using win 2000. It doesn't have system restore. Go ahead and run SpySweeper in Safe Mode and forget the System restore steps.
  • 0

#15
ratwar
Posted 13 August 2005 - 07:53 AM

ratwar

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Hi Rawe,

No my friend - you have turned what could have been a terribly unpleasant experience into something that is just routine.

It has been a pleasure to talk to you... :tazz:

I think we are OK now - here are the logs you wanted... Also, what can I do to protect the computer from any future such things....

Regards..... ;) Cindy.


________________________________________________________________
********
9:33 AM: |··· Start of Session, Saturday, August 13, 2005 ···|
9:33 AM: Spy Sweeper started
9:33 AM: Sweep initiated using definitions version 514
9:33 AM: Starting Memory Sweep
9:33 AM: Memory Sweep Complete, Elapsed Time: 00:00:31
9:33 AM: Starting Registry Sweep
9:33 AM: Found Adware: dapsol dialer
9:33 AM: HKU\S-1-5-21-1644491937-583907252-839522115-1000\software\microsoft\internet explorer\main\ || conc (ID = 124673)
9:33 AM: Registry Sweep Complete, Elapsed Time:00:00:05
9:33 AM: Starting Cookie Sweep
9:33 AM: Found Spy Cookie: 2o7.net cookie
9:33 AM: rt@2o7[2].txt (ID = 1957)
9:33 AM: Found Spy Cookie: centrport net cookie
9:33 AM: rt@centrport[1].txt (ID = 2374)
9:33 AM: Found Spy Cookie: paycounter cookie
9:33 AM: rt@paycounter[1].txt (ID = 3115)
9:33 AM: Found Spy Cookie: serving-sys cookie
9:33 AM: rt@serving-sys[2].txt (ID = 3343)
9:33 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:33 AM: Starting File Sweep
9:35 AM: File Sweep Complete, Elapsed Time: 00:01:54
9:35 AM: Full Sweep has completed. Elapsed time 00:02:36
9:35 AM: Traces Found: 5
9:36 AM: Removal process initiated
9:36 AM: Quarantining All Traces: dapsol dialer
9:36 AM: Quarantining All Traces: 2o7.net cookie
9:36 AM: Quarantining All Traces: centrport net cookie
9:36 AM: Quarantining All Traces: paycounter cookie
9:36 AM: Quarantining All Traces: serving-sys cookie
9:36 AM: Removal process completed. Elapsed time 00:00:07
9:38 AM: Deletion from quarantine initiated
9:38 AM: Processing: dapsol dialer
9:38 AM: Processing: centrport net cookie
9:38 AM: Processing: 2o7.net cookie
9:38 AM: Processing: serving-sys cookie
9:38 AM: Processing: paycounter cookie
9:38 AM: Deletion from quarantine completed. Elapsed time 00:00:00
********
6:28 AM: |··· Start of Session, Friday, August 12, 2005 ···|
6:28 AM: Spy Sweeper started
6:28 AM: Messenger service has been disabled.
6:36 AM: Your spyware definitions have been updated.
9:32 AM: Program Version 4.0.4 (Build 430) Using Spyware Definitions 514
9:33 AM: |··· End of Session, Saturday, August 13, 2005 ···|

__________________________________________________________________

Logfile of HijackThis v1.99.1
Scan saved at 9:42:23 AM, on 8/13/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\unzipped\hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PRONoMgrWired] c:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://ftp.us.dell.c...es/PROFILER.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = dckar.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = dckar.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = dckar.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINNT\system32\gearsec.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

___________________________________________________________________
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP