Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

w32.desktophijack and smitfraud [CLOSED]

Started by Anxiety Reaction , Sep 06 2005 10:53 AM

  • This topic is locked This topic is locked

#16
Anxiety Reaction
Posted 16 September 2005 - 08:05 AM

Anxiety Reaction

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hello Andy,

Thanks again for all your help! The downloaded version of smitRem.exe that I had with me was the wrong file size. I'm going to download it again today and carry out the fixes this weekend. I was able to view the BSOD and the stop code is 0x0000007F.

Have a Great Weekend :tazz:
  • 0

Advertisements

#17
Anxiety Reaction
Posted 20 September 2005 - 08:20 AM

Anxiety Reaction

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hello Andy,

You were right. Smitfraud is not causing the problem. I followed the fix with the exception of the Panda Active Scan as I am still only able to start in safe mode. I did some checking in my event logs and I did uninstall and reinstall Norton System Works/ Norton Antivirus. This was completed on 8/30/05. On 9/4/05 @8:39pm the following were scheduled to install:

Security Update XP KB890859
Windows Media Player 9 Security Update KB885492
Windows XP KB896428
Windows XP KB893086
Cumulative Security Update for Internet Explorer 6 Service Pack 1 KB896727
Realtek AC'97 Audio
KB899588
KB888302
KB901214
KB873333
KB893066
KB890046
KB891781
Security Update Microsoft Windows KB898458
Office 2003 Service Pack 1
KB896358
KB896426
KB888113
KB873339
Outlook Express Junk mail KB902953
KB89

It was shortly after that when the error messages/warnings and information start to appear in the event logs. I think that the problem I am experiencing must lie somewhere within this update.

Anyway, here are the HJT log, smitfiles.txt and the Ewido logs. As I stated at the beginning, the boot problems continue to exist. Thank you for your help with the malware infections. Are you able to continue to assist with the boot problems? Thanks in advance for your assistance.


smitRem log file
version 2.4

by noahdfear

The current date is: Mon 09/19/2005
The current time is: 20:40:08.59

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! :tazz:


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

cars
sexual life
shopping
Online Gambling folder


~~~ system32 folder ~~~

ole32vbs.exe
hhk.dll
logfiles


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

sites.ini


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! :)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:57:36 PM, 9/19/2005
+ Report-Checksum: B9824CFC

+ Scan result:

No infected objects found.


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 10:03:40 PM, on 9/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119497967250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125334874625
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
  • 0

#18
dsenette
Posted 20 September 2005 - 12:27 PM

dsenette

    Je suis Napoléon!

  • Community Leader
  • 26,047 posts
  • MVP
i don't know if this would help but microsoft has this as a reference for that stop code http://support.micro...kb;en-us;822789 ...

if it is due to a microsoft update...can you try removing the update in safe mode? or doing a system restore to a previous date (this will probably restore you malware as well)...also if you do a repair install of windows it would wipe all recent updates out of the system..
  • 0

#19
andydf
Posted 20 September 2005 - 12:47 PM

andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi Anxiety Reaction

Try removing the windows update first, if that fails then it is looking as though the system restore option is going to be the best way around this, unfortunately as dsenette has stated it will restore any nasties in the system restore files.
If you do go down that road, post a new HJT log straight after it has finished, DO NOT allow anything to update.
We may have to run through some of the fixes again, but hopefully we will get there in the end :)

Thanks dsenette :)

Andy :tazz:

Edited by andydf, 20 September 2005 - 12:48 PM.

  • 0

#20
dsenette
Posted 20 September 2005 - 12:50 PM

dsenette

    Je suis Napoléon!

  • Community Leader
  • 26,047 posts
  • MVP
the plus side andy and anxiety...is that you already know what malware will be restored....so less searching
  • 0

#21
Anxiety Reaction
Posted 20 September 2005 - 12:58 PM

Anxiety Reaction

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Thank you Andy and dsenette...

I did find a reference that after Realtek AC'97 Audio is installed there can be a crash. They suggest rolling back to the previous sound device. I will try that first if you don't mind and if that doesn't work I'll uninstall the entire update. Also while searching the event logs for what actually was installed on 9/4/05 I found the following logged on 8/29/05. I don't l=know if this is anything to worry about or not but I thought since I'm here I would go ahead and post. The logs states that a provider, HiPerfCooker_v1 has been registered in WMI namespace, Root\WMI to use the local syste, account. This account is privileged and provider may cause a sec urity violation if it does not correctly impersonate user requests
  • 0

#22
dsenette
Posted 20 September 2005 - 01:03 PM

dsenette

    Je suis Napoléon!

  • Community Leader
  • 26,047 posts
  • MVP
http://msdn.microsof...er_provider.asp <---this is from microsoft about what that hiperfcooker is.....

still looking for the implications
  • 0

#23
dsenette
Posted 20 September 2005 - 01:05 PM

dsenette

    Je suis Napoléon!

  • Community Leader
  • 26,047 posts
  • MVP
i'm not finding anything negative for the hiperf....but...i just don't like things that register as a system account....
  • 0

#24
Anxiety Reaction
Posted 20 September 2005 - 01:27 PM

Anxiety Reaction

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Andy and dsenette -

I'm thinking that I downloaded these while following the try this first guide. I had completed the Panda Active Screen and while it did not find any infections it did indicate quite a few vulnerabilities. I began to patch them one by one and then decided to see what the SP1 update would fix.
  • 0

#25
Anxiety Reaction
Posted 22 September 2005 - 09:48 AM

Anxiety Reaction

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hello Andy,

I discovered that the Realtek Ac'97 was not digitally signed and rolled it back to a previously signed version. The problem still persists. So I am going to attempt to remove the updates in safe mode (not that I can load anything but safe mode :) ). I created a TimeLine.log file following the directions on the micosoft web site as they suggested that updates be removed in a particular order to avoid operating system failures. (I have pasted a copy of this file for your reference.) Based on my problems I have a couple of questions should I infact be able to remove the updates.

1. I'm assuming that I should remove all updates dated 9/4/05 as that is when our problems began; but, should I also go back and remove all updates in 2005? As you may remember from one of my recent postings, I had installed Service Pack 2 after initially thinking that it would help take care of some of our problems (Prior to working with Geeks to Go :tazz: ). After looking at the HP site information concerning SP2 installation I realize that this is why my system restore has not been functioning. I need to install updates from HP before installing SP1 or SP2.

2. If able to remove 2005 updates and after installing HP updates should I install SP2 as you have helped remove the malware from our system?

Thanks again for your help! :)
  • 0

Advertisements

#26
andydf
Posted 22 September 2005 - 10:00 AM

andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi Anxiety reaction

It is recommended that SP2 only be installed on a clean PC, it has been known to cause problems otherwise. If you do manage to get things back to a stage where you can reinstall SP2, post a fresh HJT log for me to look at before you install it(just in case :) ).
Try to remove all updates after your troubles started, check your system after each removal.

Andy :tazz:
  • 0

#27
Anxiety Reaction
Posted 22 September 2005 - 05:05 PM

Anxiety Reaction

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Andy -

Great News! :) I am posting this from my home PC. yes I am able to boot into normal windows. I am still uninstalling all the SP1 and SP2 updates so that I can update the PC. But thank you for your patience. My wife was ready to purchase a new pc. I'll update you with a new HJT log after updating. Have a great evening.

:tazz: John
  • 0

#28
dsenette
Posted 23 September 2005 - 07:34 AM

dsenette

    Je suis Napoléon!

  • Community Leader
  • 26,047 posts
  • MVP
WOOOOOOOOOOOOOOHOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOO

*dsenette initiates the "shoot confetti out of anxiety reaction's cd-rom drive' protocol*
  • 0

#29
Anxiety Reaction
Posted 23 September 2005 - 08:13 AM

Anxiety Reaction

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Good Morning Andy and Dsenette

Well, I uninstalled all the updates that were installed on 9/04/05 with no problems other than not finding one of the .log files listed on my time line (896727) which I needed to uninstall before the pc would allow me to unistall KB893086 and upwards. I'll paste the TimeLine that i didn't post last time for you both to look over. When I went to uninstall the few fixes that I did on 8/29/05 there seemed to be alot of programs that could stop working if these were removed...so I left them for now until instructed otherwise. I've added SpyGuard from Javacool for a little added protection. There are some hotfixes in my add/remove folder in the control panel that have a SP2 notation with them. I'm not sure what to do with them as the computer seems to be working fine. I have pasted a new HJT log as well as the Ewido log from last night. I am open to any suggestions to improve upon what we have already accomplished. Thanks again for all your help.
This is the TimeLine
06/20/2003 09:41 PM 2,929 Q327979.log
06/20/2003 09:41 PM 3,291 q329256.log
06/20/2003 09:41 PM 4,622 Q329909.log
06/20/2003 09:41 PM 7,517 Q331958.log
06/20/2003 09:41 PM 13,190 Q810243.log
06/20/2003 09:42 PM 13,603 Q811789.log
04/05/2005 08:33 AM 196 KB842252.log
06/14/2005 09:12 PM 8,644 KB835732.log
06/23/2005 05:19 PM 923 KB835732Uninst.log
08/29/2005 10:59 AM 14,689 Q329390.log
08/29/2005 11:05 AM 29,038 Q810833.log
08/29/2005 11:10 AM 31,704 Q815021.log
08/29/2005 11:17 AM 15,026 KB823559.log
08/29/2005 11:19 AM 17,428 KB823980.log
08/29/2005 02:07 PM 5,822 KB842773.log
08/29/2005 02:08 PM 7,971 KB898461.log
08/29/2005 02:30 PM 80 q329256Uninst.log
09/04/2005 08:39 PM 16,978 KB890859.log
09/04/2005 08:40 PM 9,083 KB885492.log
09/04/2005 08:40 PM 13,750 KB896428.log
09/04/2005 08:41 PM 17,639 KB893086.log
09/04/2005 08:41 PM 20,391 KB899588.log
09/04/2005 08:41 PM 19,494 KB888302.log
09/04/2005 08:42 PM 20,306 KB901214.log
09/04/2005 08:42 PM 24,039 KB873333.log
09/04/2005 08:42 PM 24,520 KB893066.log
09/04/2005 08:42 PM 25,663 KB890046.log
09/04/2005 08:42 PM 24,682 KB891781.log
09/04/2005 08:42 PM 17,023 KB898458.log
09/04/2005 08:46 PM 27,028 KB896358.log
09/04/2005 08:46 PM 24,826 KB896426.log
09/04/2005 08:46 PM 26,965 KB888113.log
09/04/2005 08:46 PM 26,909 KB873339.log
09/04/2005 08:47 PM 28,259 KB896423.log
09/04/2005 08:47 PM 29,824 KB893756.log
09/04/2005 08:48 PM 29,993 KB899591.log
09/04/2005 08:49 PM 28,493 KB885836.log
09/04/2005 08:51 PM 32,599 KB885835.log
09/04/2005 08:52 PM 29,743 KB828741.log
09/04/2005 08:52 PM 35,098 KB896422.log
09/04/2005 08:52 PM 36,059 KB899587.log

here are the HJT and Ewido info:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:33 PM, on 9/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://dsl.sbc.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://files.member....s/sbc/yinst.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1119497967250
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125334874625
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:05:57 PM, 9/22/2005
+ Report-Checksum: 1D0365AA

+ Scan result:

C:\Documents and Settings\Owner\Cookies\owner@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup


::Report End
  • 0

#30
andydf
Posted 24 September 2005 - 06:19 AM

andydf

    Visiting Staff

  • Visiting Consultant
  • 1,660 posts
Hi John

Glad to hear things are working ok :)

Please open HJT and scan, place a check next to the entry below.

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

Then click "Fix checked"

Next search for and delete the following file.

C:\WINDOWS\ALCXMNTR.EXE

Your log looks ok apart from this, so go ahead and install SP2 after the fix.

Keep us posted on your progress

Andy :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP