Another Winfixer [RESOLVED]

#1 dmcbass (Member, 109 posts)
Here is my latest Hijack log

Logfile of HijackThis v1.99.1
Scan saved at 12:39:11 PM, on 8/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis\HijackThis.exe
C:\WINDOWS\system32\ungtld.exe
C:\WINDOWS\system32\krioae.exe
C:\WINDOWS\system32\tgivuak.exe
C:\WINDOWS\system32\pgoibb.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - HKCU\..\Run: [Siyg] C:\WINDOWS\system32\??erinit.exe
O4 - HKCU\..\Run: [Tosu] C:\Program Files\niut\oawo.exe
O4 - Startup: Quicken Scheduled Updates.lnk = C:\Program Files\QUICKENW\bagent.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.clarkcolo...larkActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-18.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1104151167967
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\ckusapi.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Ewido is finding infected objects constantly.
Thanks in advance
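As an added example (not from this thread, and not part of HijackThis or any tool named here), a small Python triage script that applies the same checks a helper applies by eye to a log like the one above: an F2 Shell= value that is no longer plain Explorer.exe, an O20 Winlogon Notify DLL outside a baseline, an O23 service with an unknown owner, and an O4 Run entry whose path contains characters HijackThis could not display. The baseline set is taken from the clean Winlogon Notify export later in this thread; the sample lines are constructed from the first log.

```python
import re
from typing import Dict, List, Tuple

# DLLs behind the Winlogon Notify packages in the clean export further down
# this thread (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy,
# SensLogn, termsrv, wlballoon, wzcnotif). Anything else registered as a
# Notify package is worth a closer look.
NOTIFY_BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                   "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll"}

# Constructed sample: lines copied from the first HijackThis log in this
# thread, plus one clean control line each for the O4 and O23 sections.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Siyg] C:\WINDOWS\system32\??erinit.exe
O20 - Winlogon Notify: Group Policy - C:\WINDOWS\system32\ckusapi.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry line starts with a section code such as R0, F2, O4, O23.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) pairs for every entry line in a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text: str) -> List[Dict[str, str]]:
    """Flag entries matching the heuristics used in this thread; returns one
    dict per finding with the section, the original entry and the reason."""
    findings = []
    for section, body in parse_hjt(text):
        reason = None
        if section == "F2" and "Shell=" in body:
            # system.ini Shell= should be Explorer.exe alone; anything appended
            # to it is launched as part of the shell on every logon.
            value = body.split("Shell=", 1)[1].strip()
            if value.lower() != "explorer.exe":
                reason = "shell value is not plain Explorer.exe"
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            dll = body.rsplit("\\", 1)[-1].lower()
            if dll not in NOTIFY_BASELINE:
                reason = "Winlogon Notify DLL outside baseline"
        elif section == "O23" and " - Unknown owner - " in body:
            reason = "service with unknown owner"
        elif section == "O4" and "?" in body:
            # HijackThis prints characters it cannot display as '?'; a Run
            # target with such a name is a common tell for a hidden dropper.
            reason = "Run entry path has undisplayable characters"
        if reason:
            findings.append({"section": section, "entry": body, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>4}  {f['reason']:<45}  {f['entry']}")
```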

#2 Rawe (Visiting Staff, 4,746 posts)
Hello and welcome!

Can you run the following online scan and post its results here;
Panda Activescan

- Rawe :tazz:

#3 dmcbass (Topic Starter, 109 posts)
Sorry it took so long


Incident Status Location

Adware:Adware/Look2Me No disinfected C:\WINDOWS\system32\guard.tmp
Adware:adware/purityscan No disinfected C:\WINDOWS\system32\wnscpcc.exe
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\system32\exclean.exe
Adware:adware/aurora No disinfected C:\WINDOWS\system32\DrPMon.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Adware:adware/transponder No disinfected C:\WINDOWS\abiuninst.htm
Adware:Adware/Imibar No disinfected C:\WINDOWS\TTEXT.DLL
Adware:adware/bookedspace No disinfected C:\WINDOWS\CFGMGR52.INI
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DEUBH23J\!update-2324[1].0000
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\DEUBH23J\!update-2314[1].0000
Possible Virus. No disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VV9HDS4A\!update-2384[1].0000
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VV9HDS4A\!update-2364[1].0000
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\OJELGN6V\AppWrap[1].exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Administrator\My Documents\VundoFix\VundoFix.zip[process.exe]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Administrator\My Documents\VundoFix\VundoFix\VundoFix\process.exe
Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\Administrator\Application Data\Sskknwrd.dll
Adware:Adware/PurityScan No disinfected C:\Program Files\NIUT\OAWO.EXE
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/AdDestroyer No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP234\A0015458.EXE
Adware:Adware/VirtualBouncer No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP234\A0015459.EXE
Adware:Adware/AdDestroyer No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP234\A0015460.EXE
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP235\A0015498.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP235\A0016493.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016800.dll
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016801.dll
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016802.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016813.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016824.exe
Adware:Adware/Imibar No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP239\A0016916.DLL
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP239\A0016922.dll
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP239\A0016940.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP240\A0017378.exe
Spyware:Spyware/BargainBuddy No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP241\A0017514.exe
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP241\A0017521.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP241\A0017538.DLL
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP241\A0018541.dll
Spyware:Spyware/BargainBuddy No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP233\A0015431.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP233\A0015448.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP233\A0015449.exe
Adware:Adware/Imibar No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP238\A0016858.dll
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP238\A0016864.dll
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP238\A0016882.exe
Spyware:Spyware/BargainBuddy No disinfected C:\temp\bb_click_wider.swf
Spyware:Spyware/BargainBuddy No disinfected C:\temp\bb_auto_wider.swf
Spyware:Spyware/BargainBuddy No disinfected C:\temp\bb_welcome.html
Spyware:Spyware/BargainBuddy No disinfected C:\temp\bb_welcome1.swf
Spyware:Spyware/BargainBuddy No disinfected C:\temp\icon.gif
Spyware:Spyware/BargainBuddy No disinfected C:\temp\logo.gif

#4 Rawe (Visiting Staff, 4,746 posts)
Close any programs you have open since this step requires a reboot.

Please download the l2mfix from one of the locations below;

http://www.atribune....oads/l2mfix.exe

http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe

Click the Install - button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Note: if you receive any error messages for CMD or Autoexec.bat, select option 5 from the l2mfix and, once at the site, click on the link that applies to your operating system!

Double-click the file it downloads and extract the files to its predetermined System32 folder!


- Rawe :tazz:

#5 dmcbass (Topic Starter, 109 posts)
L2Mfix 1.03b

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Administrator\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Administrator\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1452 'explorer.exe'
Killing PID 1452 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1536 'rundll32.exe'
Killing PID 1992 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\ctmpstui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ctmpstui.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\semsg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\semsg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ckusapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ckusapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\ctmpstui.dll
Successfully Deleted: C:\WINDOWS\system32\ctmpstui.dll
deleting: C:\WINDOWS\system32\ctmpstui.dll
Successfully Deleted: C:\WINDOWS\system32\ctmpstui.dll
deleting: C:\WINDOWS\system32\semsg.dll
Successfully Deleted: C:\WINDOWS\system32\semsg.dll
deleting: C:\WINDOWS\system32\semsg.dll
Successfully Deleted: C:\WINDOWS\system32\semsg.dll
deleting: C:\WINDOWS\system32\ckusapi.dll
Successfully Deleted: C:\WINDOWS\system32\ckusapi.dll
deleting: C:\WINDOWS\system32\ckusapi.dll
Successfully Deleted: C:\WINDOWS\system32\ckusapi.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Desktop.ini sucessfully removed


Zipping up files for submission:
adding: ctmpstui.dll (deflated 48%)
adding: semsg.dll (deflated 48%)
adding: ckusapi.dll (deflated 48%)
adding: guard.tmp (deflated 48%)
adding: echo.reg (deflated 10%)
adding: clear.reg (deflated 22%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 50%)
adding: direct.txt (stored 0%)
adding: lo2.txt (deflated 78%)
adding: test2.txt (deflated 4%)
adding: test3.txt (deflated 4%)
adding: test5.txt (deflated 4%)
adding: test.txt (deflated 78%)
adding: xfind.txt (deflated 74%)
adding: backregs/notibac.reg (deflated 87%)
adding: backregs/shell.reg (deflated 74%)
adding: backregs/AB949AE1-D970-4524-9BEF-DF07A55F7693.reg (deflated 70%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: ctmpstui.dll
deleting local copy: ctmpstui.dll
deleting local copy: semsg.dll
deleting local copy: semsg.dll
deleting local copy: ckusapi.dll
deleting local copy: ckusapi.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\ctmpstui.dll
C:\WINDOWS\system32\ctmpstui.dll
C:\WINDOWS\system32\semsg.dll
C:\WINDOWS\system32\semsg.dll
C:\WINDOWS\system32\ckusapi.dll
C:\WINDOWS\system32\ckusapi.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AB949AE1-D970-4524-9BEF-DF07A55F7693}"=-
[-HKEY_CLASSES_ROOT\CLSID\{AB949AE1-D970-4524-9BEF-DF07A55F7693}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************


Logfile of HijackThis v1.99.1
Scan saved at 2:38:08 PM, on 8/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis\HijackThis.exe

O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
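The l2mfix log above ends with a REGEDIT5 export of the Winlogon\Notify key, where several DllName values are stored as hex(2) (REG_EXPAND_SZ, UTF-16LE bytes split across continuation lines). As an added example (not part of l2mfix or of this thread), the Python below parses such an export, decodes the DllName values and lists any Notify package whose DLL is not in a baseline built from the clean packages in that export. The sample is constructed: two packages copied from the export plus a hypothetical "Group Policy" package whose DLL matches the O20 line in the first HijackThis log (the real key had already been removed before the export was taken).

```python
import re
from typing import Dict, List

NOTIFY_KEY = ("HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT"
              "\\CurrentVersion\\Winlogon\\Notify")

# DLLs behind the packages in the clean export in this thread.
NOTIFY_BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                   "wlnotify.dll", "sclgntfy.dll", "wzcdlg.dll"}

# Constructed sample (see lead-in). The "Group Policy" package is hypothetical.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Group Policy]
"DllName"=hex(2):43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,00,\
  73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,63,00,6b,00,75,00,73,00,\
  61,00,70,00,69,00,2e,00,64,00,6c,00,6c,00,00,00
"Logon"="WinlogonLogonEvent"
"""

HEX_RE = re.compile(r"hex(?:\((\d+)\))?:(.*)$")


def decode_value(value: str) -> str:
    """Decode one .reg value: quoted string, dword, or hex blob.
    hex(2) is REG_EXPAND_SZ, stored as NUL-terminated UTF-16LE."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if value.startswith("dword:"):
        return str(int(value[6:], 16))
    m = HEX_RE.match(value)
    if m:
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if m.group(1) == "2":
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw.hex()
    return value


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT5 export into {key path: {value name: decoded value}}.
    Hex values continued with a trailing backslash are joined before decoding."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or not line.startswith('"') or "=" not in line:
            continue
        while line.endswith("\\") and i < len(lines):
            line = line[:-1] + lines[i].strip()
            i += 1
        name, _, value = line.partition("=")
        keys[current][name.strip('"')] = decode_value(value)
    return keys


def notify_packages(keys: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each Winlogon Notify subkey to its DLL (the value name is
    spelled both DllName and DLLName in real exports, so compare case-free)."""
    prefix = NOTIFY_KEY.lower() + "\\"
    out = {}
    for key, values in keys.items():
        if key.lower().startswith(prefix):
            pkg = key[len(NOTIFY_KEY) + 1:]
            out[pkg] = next((v for n, v in values.items() if n.lower() == "dllname"), "")
    return out


def suspicious_packages(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Packages whose DLL file name is not in the baseline."""
    return [pkg for pkg, dll in notify_packages(keys).items()
            if dll.rsplit("\\", 1)[-1].lower() not in NOTIFY_BASELINE]


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for pkg, dll in notify_packages(parsed).items():
        print(f"{pkg:<14} -> {dll}")
    print("outside baseline:", suspicious_packages(parsed))
```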

#6 Rawe (Visiting Staff, 4,746 posts)
Please print these instructions out, or write them down, as you can't read them during the fix. Be sure to ask any questions before proceeding with the fix. (Might be easier if you first read through the instructions, then ask, then follow them.)

Ok, do this;

Click Start => Run => and type in;

services.msc

Click "OK".

In the services window find service; System Startup Service (SvcProc)

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "delete an NT service"
  • Copy and paste this in: SvcProc
  • Click "ok", then reboot
When finished, do the following;

  • Download DSRFIX from HERE onto your Desktop.
  • Unzip and EXTRACT the files to your Desktop.
  • The program creates and names the new folder to house the files.
  • DO NOT RUN IT YET
  • Download Cleanup from Here (Alternate site if the above is not working Go Here)
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • DO NOT RUN IT YET
  • CLOSE INTERNET EXPLORER, if it is open
  • Open the folder dsrfix
  • Double click on the dsrfix batch file( the one with the little gear in it )
  • Once dsrfix has completed it will close on its own
  • Run Cleanup
  • Click on the "Cleanup" button and let it run.
  • Once it's done, close the program.
  • REBOOT your system.
  • Please restart HJT and post back a fresh HJT log for review.
//credit Atribune

- Rawe :tazz:

#7 dmcbass (Topic Starter)

Logfile of HijackThis v1.99.1
Scan saved at 3:02:07 PM, on 8/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\WINDOWS\System32\imapi.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5

"LPT1:" /M "Stylus C60"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) -

http://www.pandasoft...free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton

AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security

Center\SymWSC.exe

#8 Rawe (Visiting Staff)

Now do this;

Click Start => Run => and type in;

services.msc

Click "OK".

In the services window find service; Command Service (cmdService)

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then "Ok". Exit the Services utility.
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "delete an NT service"
  • Copy and paste this in: cmdService
  • Click "ok", then reboot
After the reboot, delete this folder;

C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\

Empty recycle bin.

Post a fresh HiJackThis log. BUT just before pasting from Notepad, can you choose "Format" and unselect "WordWrap". Your log would be easier to read like that.

- Rawe :tazz:
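A triage script for O23 lines like the one Rawe picked out above, as an added example (not from the thread or from HijackThis): it parses service entries from a HijackThis log and flags ones with an unknown owner, a binary outside the usual install directories, or a folder name that is base64 of readable text. The heuristics and the constructed sample (O23 lines copied from the log above) are my own.

```python
"""Triage of HijackThis O23 (service) lines, added example.

Not part of the thread or of HijackThis. The heuristics are mine:
a service with "Unknown owner", a binary outside the usual install
directories, or a directory whose name is base64 of readable text
(in the log above, QWRtaW5pc3RyYXRvcgAA decodes to "Administrator"
plus two NUL bytes) each add a reason to the entry.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# O23 - Service: <display name> [(<short name>)] - <owner> - <path>
# The short name in parentheses is absent for some entries (ewido above).
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^)]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+)$"
)

# Lower-cased parent directories where a third-party service binary
# normally lives on a default Windows XP install (8.3 form included).
EXPECTED_PARENTS = (r"c:\windows\system32", r"c:\program files", r"c:\progra~1")

# Constructed sample: O23 lines copied from the log posted above.
SAMPLE_LOG = r"""
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QWRtaW5pc3RyYXRvcgAA\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
"""


@dataclass
class ServiceEntry:
    name: str
    display: str
    owner: str
    path: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o23(line: str) -> Optional[ServiceEntry]:
    """Parse one O23 line; return None for any other HijackThis line."""
    m = O23_RE.match(line.strip())
    if m is None:
        return None
    return ServiceEntry(m["name"] or m["display"], m["display"], m["owner"], m["path"])


def base64_decodes_to_text(token: str) -> Optional[str]:
    """Return the decoded text if token is strict base64 of printable ASCII
    (trailing NUL padding allowed), else None."""
    if len(token) < 8 or len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.rstrip(b"\x00")
    if text and all(32 <= b < 127 for b in text):
        return text.decode("ascii")
    return None


def triage(entry: ServiceEntry) -> ServiceEntry:
    """Append a reason for every heuristic the entry trips."""
    parent = entry.path.rsplit("\\", 1)[0]   # directory holding the binary
    folder = parent.rsplit("\\", 1)[-1]      # its last component, case kept
    if entry.owner.lower() == "unknown owner":
        entry.reasons.append("no vendor recorded for the service")
    if not any(parent.lower().startswith(p) for p in EXPECTED_PARENTS):
        entry.reasons.append(f"binary outside expected directories: {parent}")
    decoded = base64_decodes_to_text(folder)
    if decoded is not None:
        entry.reasons.append(f"directory name is base64 of {decoded!r}")
    return entry


def triage_log(text: str) -> List[ServiceEntry]:
    """Parse every O23 line in a HijackThis log and return the flagged entries."""
    flagged = []
    for line in text.splitlines():
        entry = parse_o23(line)
        if entry is not None and triage(entry).suspicious:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.name}: {e.path}")
        for r in e.reasons:
            print(f"  - {r}")
```

Only the cmdService entry trips any heuristic on the sample; the Symantec, ewido and NVIDIA services pass all three checks.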

#9 dmcbass (Topic Starter)

The buttons under the Service Status are grayed out and cannot be pressed.
So I cannot stop the service.

Edited by dmcbass, 15 August 2005 - 01:22 PM.


#10 dmcbass (Topic Starter)

I followed the instructions and this is the latest log file.

Logfile of HijackThis v1.99.1
Scan saved at 3:30:40 PM, on 8/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#11 Rawe (Visiting Staff)

Ok, can you just post a fresh HiJackThis log and make sure WordWrap isn't selected on notepad.

#12 dmcbass (Topic Starter)

How about this

Logfile of HijackThis v1.99.1
Scan saved at 3:36:41 PM, on 8/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#13 Rawe (Visiting Staff)

Go to -> Start -> Control Panel -> Add/Remove programs and uninstall;

NaviSearch
VBouncer
(might be VirtualBouncer)

If present. When finished,

delete the following folders;

C:\Program Files\NaviSearch\
C:\Program Files\VBouncer\


Empty recycle bin.

Fix this entry in HiJackThis (by running a scan, closing any other open windows than HJT and clicking "Fix Checked");

O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe

Then reboot. Post a new Panda log along with a fresh HijackThis log.

- Rawe :tazz:

#14 dmcbass (Topic Starter)

Incident Status Location

Adware:adware/purityscan No disinfected C:\WINDOWS\system32\wnscpcc.exe
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\system32\exclean.exe
Adware:adware/aurora No disinfected C:\WINDOWS\system32\DrPMon.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Adware:adware/transponder No disinfected C:\WINDOWS\abiuninst.htm
Adware:Adware/Imibar No disinfected C:\WINDOWS\TTEXT.DLL
Adware:adware/bookedspace No disinfected C:\WINDOWS\CFGMGR52.INI
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Administrator\My Documents\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Administrator\My Documents\VundoFix\VundoFix.zip[process.exe]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Administrator\My Documents\VundoFix\VundoFix\VundoFix\process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix.exe[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix\Process.exe
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix\backup.zip[ctmpstui.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix\backup.zip[semsg.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix\backup.zip[ckusapi.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix\backup.zip[guard.tmp]
Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\Administrator\Application Data\Sskknwrd.dll
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/AdDestroyer No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP234\A0015458.EXE
Adware:Adware/VirtualBouncer No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP234\A0015459.EXE
Adware:Adware/AdDestroyer No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP234\A0015460.EXE
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP235\A0015498.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP235\A0016493.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016800.dll
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016801.dll
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016802.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016813.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016824.exe
Adware:Adware/Imibar No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP239\A0016916.DLL
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP239\A0016922.dll
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP239\A0016940.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP240\A0017378.exe
Spyware:Spyware/BargainBuddy No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP241\A0017514.exe
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP241\A0017521.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP241\A0017538.DLL
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP241\A0018541.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP242\A0018555.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP242\A0018556.DLL
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP242\A0018561.exe
Spyware:Spyware/BargainBuddy No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP233\A0015431.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP233\A0015448.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP233\A0015449.exe
Adware:Adware/Imibar No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP238\A0016858.dll
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP238\A0016864.dll
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP238\A0016882.exe
Adware:Adware/PurityScan No disinfected C:\Recycled\Dc3\OAWO.EXE

Logfile of HijackThis v1.99.1
Scan saved at 4:22:58 PM, on 8/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#15 dmcbass (Topic Starter)

Incident Status Location

Adware:adware/purityscan No disinfected C:\WINDOWS\system32\wnscpcc.exe
Spyware:spyware/bargainbuddy No disinfected C:\WINDOWS\system32\exclean.exe
Adware:adware/aurora No disinfected C:\WINDOWS\system32\DrPMon.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Adware:adware/transponder No disinfected C:\WINDOWS\abiuninst.htm
Adware:Adware/Imibar No disinfected C:\WINDOWS\TTEXT.DLL
Adware:adware/bookedspace No disinfected C:\WINDOWS\CFGMGR52.INI
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Administrator\My Documents\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Administrator\My Documents\VundoFix\VundoFix.zip[process.exe]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Administrator\My Documents\VundoFix\VundoFix\VundoFix\process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix.exe[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix\Process.exe
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix\backup.zip[ctmpstui.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix\backup.zip[semsg.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix\backup.zip[ckusapi.dll]
Adware:Adware/Look2Me No disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix\backup.zip[guard.tmp]
Spyware:spyware/surfsidekick No disinfected C:\Documents and Settings\Administrator\Application Data\Sskknwrd.dll
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/AdDestroyer No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP234\A0015458.EXE
Adware:Adware/VirtualBouncer No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP234\A0015459.EXE
Adware:Adware/AdDestroyer No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP234\A0015460.EXE
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP235\A0015498.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP235\A0016493.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016800.dll
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016801.dll
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016802.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016813.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP237\A0016824.exe
Adware:Adware/Imibar No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP239\A0016916.DLL
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP239\A0016922.dll
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP239\A0016940.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP240\A0017378.exe
Spyware:Spyware/BargainBuddy No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP241\A0017514.exe
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP241\A0017521.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP241\A0017538.DLL
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP241\A0018541.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP242\A0018555.dll
Adware:Adware/Look2Me No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP242\A0018556.DLL
Hacktool:Hacktool/Processor No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP242\A0018561.exe
Spyware:Spyware/BargainBuddy No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP233\A0015431.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP233\A0015448.exe
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP233\A0015449.exe
Adware:Adware/Imibar No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP238\A0016858.dll
Adware:Adware/Apropos No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP238\A0016864.dll
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP238\A0016882.exe
Adware:Adware/PurityScan No disinfected C:\Recycled\Dc3\OAWO.EXE

Logfile of HijackThis v1.99.1
Scan saved at 5:49:22 PM, on 8/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis\HijackThis.exe

O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\Roxio\Roxio DVDMax Player\PDVDServ.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_A10IC2.EXE /P23 "EPSON Stylus C60 Series" /O5 "LPT1:" /M "Stylus C60"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
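A small triage parser for the two log formats in this post, added here as an example; it is not code from the thread, from HijackThis or from Panda. It pulls the file each HijackThis O-line actually loads (including the DLL behind a RUNDLL32 entry and the target behind a Global Startup shortcut), flags orphaned "(no file)" CLSIDs and autoruns from unexpected directories, and sorts Panda hits by whether they sit in a restore point, the recycle bin, or on the live system. The sample lines are copied from the logs above, except one invented Run entry under a Temp directory (marked in the code) so the directory check has something to flag; the trusted-root list and the two Panda status words other than "No disinfected" are assumptions.

```python
"""Triage helpers for HijackThis and Panda ActiveScan output.

Added example, not code from the thread, HijackThis or Panda. Sample lines
are taken from the posted logs plus one invented Run entry (marked below).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HJT_RE = re.compile(r"^(O\d+)\s+-\s+([^:]+):\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Panda prints "<detection> <status> <path>". Only "No disinfected" appears in
# the thread; "Disinfected" and "Deleted" are assumed for completeness.
PANDA_RE = re.compile(
    r"^(?P<name>.+?)\s+(?P<status>No disinfected|Disinfected|Deleted)\s+(?P<path>[A-Za-z]:\\.*)$"
)
# Assumption: directories a legitimate autorun normally lives in on this XP box.
# C:\WINDOWS itself is deliberately not trusted; droppers like to use it.
TRUSTED_ROOTS = ("c:\\windows\\system32", "c:\\program files", "c:\\progra~1")

@dataclass
class HjtEntry:
    section: str            # "O2", "O4", "O23", ...
    kind: str               # "BHO", "HKLM\..\Run", "Service", ...
    detail: str             # everything after "<kind>:"
    clsid: Optional[str]
    target: Optional[str]   # file the entry loads, when recoverable
    no_file: bool           # HijackThis could not find the referenced file

def run_target(value: str) -> str:
    """Return the file an O4 entry really loads.

    Handles the "[name]" prefix, quoted and unquoted paths with switches,
    "shortcut.lnk = target" Global Startup lines, and RUNDLL32 hosting a DLL
    (the DLL is the interesting file, not rundll32 itself).
    """
    cmd = value.strip()
    m = re.match(r"^\[[^\]]*\]\s*(.*)$", cmd)
    if m:
        cmd = m.group(1)
    if " = " in cmd and not cmd.startswith('"'):
        cmd = cmd.split(" = ", 1)[1]
    host = re.match(r"(?i)^(?:\S*\\)?rundll32(?:\.exe)?\s+(.*)$", cmd)
    if host:
        return host.group(1).split(",", 1)[0].strip().strip('"')
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"^(.+?\.(?:exe|dll|scr|com|bat|cmd|pif))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def parse_hjt(lines) -> List[HjtEntry]:
    out = []
    for line in lines:
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        section, kind, detail = m.groups()
        clsid = CLSID_RE.search(detail)
        target = None
        if section == "O4":
            target = run_target(detail)
        elif section in ("O2", "O3", "O9", "O23"):
            parts = [p.strip() for p in detail.split(" - ")]   # last field is the path
            if parts and re.match(r"^[A-Za-z]:\\", parts[-1]):
                target = parts[-1]
        out.append(HjtEntry(section, kind, detail, clsid.group(0) if clsid else None,
                            target, "(no file)" in detail))
    return out

def triage_hjt(entries: List[HjtEntry]) -> List[Tuple[str, str]]:
    """Return (reason, entry detail) pairs that deserve a second look."""
    findings = []
    for e in entries:
        if e.no_file and e.section in ("O2", "O3", "O9"):
            findings.append(("orphaned CLSID, file already gone; safe to fix", e.detail))
        if e.section == "O4" and e.target and not e.target.lower().startswith(TRUSTED_ROOTS):
            findings.append(("autorun loads from an unusual directory", e.detail))
    return findings

@dataclass
class PandaHit:
    name: str
    status: str
    path: str
    location: str   # "restore-point", "recycle-bin" or "live"

def parse_panda(lines) -> List[PandaHit]:
    hits = []
    for line in lines:
        m = PANDA_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        low = path.lower()
        if "\\system volume information\\_restore" in low:
            loc = "restore-point"
        elif low.startswith(("c:\\recycled", "c:\\recycler")):
            loc = "recycle-bin"
        else:
            loc = "live"
        hits.append(PandaHit(m.group("name"), m.group("status"), path, loc))
    return hits

def panda_actions(hits: List[PandaHit]) -> dict:
    """Group hit paths by location; restore-point copies need a System Restore purge."""
    by = {"restore-point": [], "recycle-bin": [], "live": []}
    for h in hits:
        by[h.location].append(h.path)
    return by

# Constructed sample: lines from the posted logs, plus one invented "[updater]"
# entry under a Temp directory so the directory heuristic fires.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - HKLM\..\Run: [updater] C:\Documents and Settings\Administrator\Local Settings\Temp\upd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""
SAMPLE_PANDA = r"""
Adware:Adware/PurityScan No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP233\A0015448.exe
Possible Virus. No disinfected C:\System Volume Information\_restore{510E588B-BF76-4EE5-B474-049B9C53332D}\RP238\A0016882.exe
Adware:Adware/PurityScan No disinfected C:\Recycled\Dc3\OAWO.EXE
"""

if __name__ == "__main__":
    for reason, detail in triage_hjt(parse_hjt(SAMPLE_HJT.splitlines())):
        print(f"[{reason}] {detail}")
    for loc, paths in panda_actions(parse_panda(SAMPLE_PANDA.splitlines())).items():
        print(f"{loc}: {len(paths)} hit(s)")
```

The grouping of Panda hits matters for what you do next: files under System Volume Information\_restore are copies System Restore kept of things already removed from the live system, the folder is locked to SYSTEM so no scanner cleans it in place, and an applied restore point would bring them back. The usual fix is to turn System Restore off and on again once the live hits are gone, rather than chasing the A00xxxxx files individually.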