Ant Virus Gold (Malware Free)
Started by philroswit, Sep 14 2005 09:31 PM
#1
Posted 14 September 2005 - 09:31 PM
philroswit
#2
Posted 14 September 2005 - 09:33 PM
Hi philroswit and welcome to GeeksToGo! My name is Excal and I will be helping you.
Go ahead and post a HiJackthis log and let me take a look
Excal
#3
Posted 14 September 2005 - 09:34 PM
I didn't include the HJT log. Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 4:05:43 PM, on 7/24/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\pbfpi.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1032
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D9FCBF10-61A3-15CD-DEA8-8B03652CD07D} - C:\WINNT\system32\crar.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [atleh.exe] C:\WINNT\atleh.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Traceless] C:\Program Files\Traceless\launch.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKCU\..\Run: [Utxhf] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\Run: [Spdqa] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\Run: [Oala] C:\Program Files\oirl\nara.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\system32\hookdump.exe
O4 - Startup: AdSubtract.lnk = C:\Program Files\InterMute\AdSubtract\AdSub.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla...ller/dwnldr.cab
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\croj32.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LXBTCustomerConnect - Lexmark International, Inc. - C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBTserv.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINNT\system32\lxbtcoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
#4
Posted 14 September 2005 - 09:53 PM
You are still very much infected. Let's see if we can get you cleaned up.
Copy everything inside the quote box below (starting with dir) and paste it into notepad. Go up to "File > Save As" and click the drop-down box to change the "Save As Type" to "All Files". Save it as findfile.bat on your Desktop.
dir C:\WINNT\system32\??plorer.exe /a > files.txt
notepad files.txt
Locate findfile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the contents of that Notepad here along with a new HiJackThis log.
DOWNLOAD PROGRAMS
Please download and install these programs - don't run them yet!!
Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.
Please download and unzip About:Buster to a folder. Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for updates. Please don't run it yet.
Please download and install AD-Aware.
Check here on how to set up and use it - please make sure you update it first.
Download and unzip HSfix to your desktop: HSRegFix
Download and install CleanUp! here. *NOTE* CleanUp! deletes EVERYTHING out of temp/temporary folders and does not make backups.
Download CWShredder here to its own folder.
Update CWShredder
- Open CWShredder and click I AGREE
- Click Check For Update
- Close CWShredder
If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!
Download the Host program here.
Please do not use the program yet.
THE FIX
Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.
1. Click this link to be sure you can view hidden files.
2. Ensure you are NOT connected to the internet.
3. Open up the Host program.
- Make sure that the "make hosts writable?" button in the upper right corner is enabled.
- Click back up Host files
- Then click Restore original hosts file
- close program
4. Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
5. Go to Start->Run and type in services.msc and hit OK. Then look for Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) and double click on it. Click on the Stop button and under Startup type, choose Disabled.
6. Close all browsers, windows and unneeded programs.
7. Open HijackThis and do a scan.
8. Put a Check next to the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\pbfpi.dll/sp.html#55135
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1032
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {D9FCBF10-61A3-15CD-DEA8-8B03652CD07D} - C:\WINNT\system32\crar.dll (file missing)
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [atleh.exe] C:\WINNT\atleh.exe
O4 - HKCU\..\Run: [Utxhf] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\Run: [Spdqa] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\Run: [Oala] C:\Program Files\oirl\nara.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\system32\hookdump.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\croj32.exe (file missing)
9. Click the Fix Checked button.
10. Please remove the following folders using Windows Explorer (if present):
C:\Program Files\oirl
11. Please remove just the files from the following paths using Windows Explorer (if present):
C:\WINNT\system32\hookdump.exe
C:\WINNT\atleh.exe
C:\WINNT\system32\croj32.exe
12. Please run about:buster by RubbeRDuckY:
- Click Begin Removal.
- It will begin to check your computer for malicious files.
- AboutBuster will finish and open a new page. Follow the instructions for protection on that page.
- Shut down AboutBuster. A log should have been created. Please save this log and copy it into your next post.
14. Run the program CleanUp! (do not reboot yet)
15. Double click on the HSFix and when asked to merge say yes.
16. Now run CWShredder. Click I Agree, then Fix and then Next, and let it fix everything it asks about. Reboot your computer into normal Windows.
17. Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
18. Open Ad-aware and do a full scan. Remove all it finds.
19. Now open and run Ewido:
- Click on scanner
- Click Complete System Scan and the scan will begin.
- During the scan, when it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose Clean and click OK.
- When the scan is finished, look at the bottom of the screen and click the Save report button.
- Save the report to your desktop
20. Delete Bad Service:
- Open HiJackThis
- Click on the configure button on the bottom right
- Click on the tab "Misc Tools"
- click on "delete an NT service"
- Copy and paste this in the box: 11Fßä#·ºÄÖ`I (there is a space before the number one, make sure you put it in the box that way )
- Click "ok", then reboot
22. Please post an Active scan log, Ewido log, Smitrem.txt and a fresh HiJackThis log. Let me know how your computer is running.
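The fix list above is the result of a helper reading a HijackThis log by eye: res:// search pages, a proxy on localhost, run keys pointing at names HijackThis prints as "??plorer.exe", and a service whose file is missing. As an added example (not part of this thread and not a HijackThis feature), the Python script below encodes those same rules, runs them over a trimmed copy of the log posted in this thread, and diffs it against a trimmed copy of the log posted after the fix so you can see what disappeared and what is still flagged. The rule set is my own assumption about what the helper was keying on; the sample log text is copied from this thread.

```python
"""Triage HijackThis (HJT) log entries with the kind of rules a forum helper applies
by eye, then diff a 'before' and 'after' log to show what a fix removed and which
flagged entries survived.  Sample logs are trimmed from the logs posted in this
thread; the heuristics are this example's own assumptions, not an HJT feature."""
import re
from dataclasses import dataclass

# One R*/O* line of an HJT log, e.g. "O4 - HKLM\..\Run: [atleh.exe] C:\WINNT\atleh.exe"
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+)\s+-\s+(?P<body>.*)$")
# HJT prints '?' for characters it cannot display; the about:blank/CWS family used
# look-alike names such as "??plorer.exe" to sit beside the real explorer.exe.
UNPRINTABLE = "?"

@dataclass(frozen=True)          # frozen -> hashable, so two logs can be diffed as sets
class Entry:
    kind: str                    # R0, R1, R3, O2, O4, O23, ...
    body: str                    # everything after "Xn - "

def parse_hjt(text):
    """Return the R*/O* entries of an HJT log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries

def suspicious(entry):
    """Reason an entry looks like part of the hijack, or None if nothing stands out."""
    k, b = entry.kind, entry.body
    if k in ("R0", "R1"):
        if re.search(r"res://\S+\.dll/sp\.html", b, re.I):
            return "IE search/start page redirected into a res:// DLL (about:blank hijacker)"
        if b.rstrip().endswith("about:blank"):
            return "IE default page set to about:blank (typical of this hijacker)"
        if re.search(r"ProxyServer\s*=\s*http=localhost:\d+", b, re.I):
            return "IE forced through a proxy listening on loopback"
    if k == "R3" and "URLSearchHook is missing" in b:
        return "default URLSearchHook removed"
    if k == "O4":
        target = b.split(":", 1)[-1]   # text after "HKLM\..\Run" / "Startup" / "Global Startup"
        if UNPRINTABLE in target:
            return "run-key target has characters HJT cannot print (look-alike filename)"
        if re.search(r"\\WINNT\\[^\\]+\.exe\s*$", target, re.I):
            return "run-key target is a bare EXE in the Windows directory"
    if k in ("O2", "O23") and ("(file missing)" in b or "Unknown owner" in b):
        return "registered component whose file is missing or whose owner is unknown"
    return None

def diff_logs(before_text, after_text):
    """Return (entries gone after the fix, flagged entries that are still present)."""
    before, after = set(parse_hjt(before_text)), set(parse_hjt(after_text))
    removed = sorted(before - after, key=lambda e: (e.kind, e.body))
    remaining = [e for e in sorted(after, key=lambda e: (e.kind, e.body)) if suspicious(e)]
    return removed, remaining

# Trimmed copy of the log posted in this thread before the fix (post #3).
BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:05:43 PM, on 7/24/2005
Running processes:
C:\WINNT\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1032
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D9FCBF10-61A3-15CD-DEA8-8B03652CD07D} - C:\WINNT\system32\crar.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [atleh.exe] C:\WINNT\atleh.exe
O4 - HKCU\..\Run: [Utxhf] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINNT\system32\hookdump.exe
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINNT\system32\croj32.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
"""

# Trimmed copy of the 11:49 PM log posted after the fix (post #5).
AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:49:26 PM, on 9/16/2005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1034
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
"""

if __name__ == "__main__":
    removed, remaining = diff_logs(BEFORE, AFTER)
    print("Removed by the fix:")
    for e in removed:
        print("  -", e.kind, "-", e.body)
    print("Still flagged afterwards:")
    for e in remaining:
        print("  !", e.kind, "-", e.body, "=>", suspicious(e))
```

Two things the diff makes visible that a glance at the second log does not: the localhost proxy entry is reported as removed and then flagged again, because it came back on port 1034 instead of 1032, which means whatever re-inserts it is still running; and the "Unknown owner" rule also fires on the ScsiAccess service, so a flag here is a prompt to go and verify the file, not a verdict. The random-name-in-system32 case (hookdump.exe) is deliberately not caught; there is no textual rule for that, which is why the helper still had to read the log.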
#5
Posted 17 September 2005 - 10:09 PM
This is for Excal. I cannot find where or how to reply to my first post. Any advice will be appreciated. Anyway, part of the items you said to deal with were not on my computer. I don't know if this is normal or not. For one, the Network Security Service was not on my computer. Also, in the HijackThis log only six of the items were in my log (out of 19). None of the program files to be deleted were there. I could not get the smitRem tool to work at all. The bad service you asked to be deleted was not there either. Finally, the ActiveScan program only works on IE and the virus disabled that, so I am using Mozilla. It would not run on this. Anyway, here are the logs I have:
Volume in drive C has no label.
Volume Serial Number is 60C6-0D04
Directory of C:\WINNT\system32
Directory of C:\Documents and Settings\Administrator\Desktop

Logfile of HijackThis v1.99.1
Scan saved at 9:22:23 PM, on 9/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\Explorer.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\pbfpi.dll/sp.html#55135
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1034
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D9FCBF10-61A3-15CD-DEA8-8B03652CD07D} - (no file)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AdSubtract Toolbar - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - C:\WINNT\system32\adsubtb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Traceless] C:\Program Files\Traceless\launch.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - HKCU\..\Run: [Utxhf] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\Run: [Spdqa] C:\WINNT\system32\??plorer.exe
O4 - HKCU\..\Run: [Oala] C:\Program Files\oirl\nara.exe
O4 - Startup: AdSubtract.lnk = C:\AdSub.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: AdSubtract: Bypass Site - res://\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://\AdSub.exe/359
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...5/asinst.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - http://www.stopzilla...r/dwnldr.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LXBTCustomerConnect - Lexmark International, Inc. - C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBTserv.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINNT\system32\lxbtcoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE

AboutBuster 5.0 reference file 28
Scan started on [9/16/2005] at [9:38:49 PM]
------------------------------------------------
Removed Stream! C:\WINNT\ecfg.bin:ldlsqa
Removed Stream! C:\WINNT\explorer.scf:hbibn
Removed Stream! C:\WINNT\Greenstone.bmp:rrvsk
Removed Stream! C:\WINNT\KB835732.log:pqulr
Removed Stream! C:\WINNT\welcome.ini:tjfewt
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:38:50 PM

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:04:25 PM, 9/16/2005
+ Report-Checksum: 94E9FA22
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{F14AABDD-0232-4e5a-9B52-4178AC0A62B5} -> Spyware.AdSubtract : Cleaned with backup
::Report End

Logfile of HijackThis v1.99.1
Scan saved at 11:49:26 PM, on 9/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Traceless\tray.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1034
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Traceless] C:\Program Files\Traceless\launch.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - Startup: AdSubtract.lnk = C:\AdSub.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: AdSubtract: Bypass Site - res://\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://\AdSub.exe/359
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program
Files\Google\GoogleToolbar1.dll/cmtrans.htmlO9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dllO16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...5/asinst.cabO16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - http://www.stopzilla...r/dwnldr.cabO17 - HKLM\System\CCS\Services\Tcpip\..\{D952FE31-D427-4D11-A4F0-7767AE52E180}: NameServer = 204.212.40.2O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exeO23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exeO23 - Service: LXBTCustomerConnect - Lexmark International, Inc. - C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBTserv.exeO23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINNT\system32\lxbtcoms.exeO23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exeO23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exeO23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exeO23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
After all this, my computer still boots slow. It takes 68 seconds from turn on to my background pic to appear then it takes another 90 seconds for my icons to show up.After it starts up, it works ok, but it is still slower than it used to be. Any thoughts??Thank you so much for your efforts.philroswit
#6
Posted 17 September 2005 - 10:16 PM
Not sure what happened to your log, but I really need you to post it again, as I cannot read it the way you posted it.
Excal
#7
Posted 18 September 2005 - 10:00 AM
I am sorry about that. I could not figure out how to post it, so I posted it by itself in a new post. Then I figured out how to do it, and I cut and pasted it, and that is how it came out. I apologize for not knowing what I am doing. I will try again.
Volume in drive C has no label.
Volume Serial Number is 60C6-0D04
Directory of C:\WINNT\system32
Directory of C:\Documents and Settings\Administrator\Desktop
AboutBuster 5.0 reference file 28
Scan started on [9/16/2005] at [9:38:49 PM]
------------------------------------------------
Removed Stream! C:\WINNT\ecfg.bin:ldlsqa
Removed Stream! C:\WINNT\explorer.scf:hbibn
Removed Stream! C:\WINNT\Greenstone.bmp:rrvsk
Removed Stream! C:\WINNT\KB835732.log:pqulr
Removed Stream! C:\WINNT\welcome.ini:tjfewt
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 9:38:50 PM
Logfile of HijackThis v1.99.1
Scan saved at 11:49:26 PM, on 9/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ScsiAccess.EXE
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe
C:\Program Files\Lexmark 5200 series\lxbtbmon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Traceless\tray.exe
C:\WINNT\system32\ntvdm.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:1034
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Lexmark 5200 series] "C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Traceless] C:\Program Files\Traceless\launch.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - Startup: AdSubtract.lnk = C:\AdSub.exe
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: NaturalColorLoad.lnk = C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: AdSubtract: Bypass Site - res://\AdSub.exe/360
O8 - Extra context menu item: AdSubtract: Cloak Image - res://\AdSub.exe/361
O8 - Extra context menu item: AdSubtract: Report Site - res://\AdSub.exe/359
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} - http://www.stopzilla...ller/dwnldr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D952FE31-D427-4D11-A4F0-7767AE52E180}: NameServer = 204.212.40.2
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: LXBTCustomerConnect - Lexmark International, Inc. - C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBTserv.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINNT\system32\lxbtcoms.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:04:25 PM, 9/16/2005
+ Report-Checksum: 94E9FA22
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{F14AABDD-0232-4e5a-9B52-4178AC0A62B5} -> Spyware.AdSubtract : Cleaned with backup
::Report End
I think this is everything you requested. As I stated in my earlier post, it takes 68 seconds from turn-on to get my background image, then another 90 seconds to get my icons to show. Also, it still goes to IE automatically on boot up instead of staying on my desktop.
Again, I am sorry for the confusion. Any help is greatly appreciated!
Thanks, philroswit
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:04:25 PM, 9/16/2005
+ Report-Checksum: 94E9FA22
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{F14AABDD-0232-4e5a-9B52-4178AC0A62B5} -> Spyware.AdSubtract : Cleaned with backup
::Report End
I think this is everything you requested. As I stated in my earlier post, it takes 68 seconds from turn-on to get my background image, then another 90 seconds to get my icons to show. Also, it still goes to IE automatically on boot-up instead of staying on my desktop.
Again, I am sorry for the confusion. Any help is greatly appreciated!
Thanks, philroswit
#8
Posted 18 September 2005 - 12:56 PM
Here are some of the things you don't need on startup. This only takes them out of startup; it does not delete them.
Open HijackThis and do a scan. Please check off the following items:
O3 - Toolbar: (no name) - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - (no file)
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [Traceless] C:\Program Files\Traceless\launch.exe
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe"
O4 - Startup: Event Reminder.lnk = C:\pmw\PMREMIND.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
Click FIX CHECKED, then close HijackThis.
Reboot and let me know if there is any change.
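As an added example (not code from this thread and not part of HijackThis), here is a small Python triage script for the log format above: it parses O3, O4 and O23 lines into records and flags the kinds of entries Excal had removed, the orphaned "(no file)" toolbar, the browser registered in a Run key, and a bare executable sitting in the Startup folder. The "Unknown owner" service rule is this example's own heuristic, and the sample lines are copied from the log posted in this thread.

```python
"""Parse HijackThis log lines into records and triage the startup entries.

Added example; not part of the original thread and not HijackThis code. The
sample lines below are copied from the log posted in this thread, and the
flagging rules are this example's own heuristics, not HijackThis's.
"""
import re
from dataclasses import dataclass


@dataclass
class Entry:
    section: str       # HijackThis section code, e.g. "O4"
    kind: str          # where it lives: "HKLM\..\Run", "Startup", "Toolbar", "Service"
    name: str          # run-key value name, toolbar name, service name or .lnk name
    target: str        # command line or path that gets loaded, "" if the log shows none
    company: str = ""  # publisher column of O23 lines, "" elsewhere


# One pattern per entry type this example understands; other sections are skipped.
_PATTERNS = [
    ("O3", "Toolbar",
     re.compile(r"^O3 - Toolbar: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")),
    ("O4", None,
     re.compile(r"^O4 - (?P<kind>HK(?:LM|CU)\\\.\.\\Run): \[(?P<name>[^\]]*)\] ?(?P<target>.*)$")),
    ("O4", None,
     re.compile(r"^O4 - (?P<kind>(?:Global )?Startup): (?P<name>.*?)(?: = (?P<target>.*))?$")),
    ("O23", "Service",
     re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<company>.*?) - (?P<target>.*)$")),
]

# First file name with an executable-looking extension inside a command line.
_FILE_RE = re.compile(r'[^\\/"]+\.(?:exe|dll|scr|com|bat|cmd|vbs)\b', re.IGNORECASE)

# Assumption of this example: a web browser has no business in a Run key.
BROWSERS = {"iexplore.exe"}


def parse_line(line):
    """Turn one log line into an Entry, or None for lines this example ignores."""
    line = line.strip()
    for section, kind, pat in _PATTERNS:
        m = pat.match(line)
        if m:
            g = m.groupdict()
            return Entry(section, kind or g["kind"], g["name"].strip(),
                         (g.get("target") or "").strip(), g.get("company", "").strip())
    return None


def parse_log(text):
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def launched_file(target):
    """Best-effort name of the file a target command line loads, lower-cased."""
    m = _FILE_RE.search(target)
    return m.group(0).strip().lower() if m else ""


def triage(entries):
    """Return (entry, reason) pairs for entries worth a second look."""
    findings = []
    for e in entries:
        if e.target == "(no file)":
            findings.append((e, "orphaned: the registered file is gone, remove the entry"))
        elif e.kind.endswith("Startup") and not e.target:
            findings.append((e, "not a shortcut: the file itself sits in the Startup folder"))
        elif e.section == "O4" and launched_file(e.target) in BROWSERS:
            findings.append((e, "browser launched at logon: matches IE opening on boot"))
        elif e.section == "O23" and e.company.lower() == "unknown owner":
            findings.append((e, "service with no publisher: verify the binary before trusting it"))
    return findings


def flagged_names(text):
    return [e.name for e, _ in triage(parse_log(text))]


# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {F14AABDD-0232-4e5a-9B52-4178AC0A62B5} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [Traceless] C:\Program Files\Traceless\launch.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\system32\ScsiAccess.EXE
"""

if __name__ == "__main__":
    for entry, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.section:<4}{entry.name:<25}{reason}")
```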
#9
Posted 18 September 2005 - 02:33 PM
Dear EXCAL: I removed the suggested items and rebooted, to no effect. During the earlier process, could I have not done something right due to not being able to find all the items you said needed attending to? Were all the items you suggested I remove supposed to be there?
Thank You
Philroswit
#10
Posted 18 September 2005 - 03:17 PM
Your log looks good, so everything that we identified earlier has been taken care of. Those entries we just took out are entries that are legit, but not needed on startup.
Download WinPFind and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder.
Don't do anything with it yet.
boot into safe mode
Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.
reboot
Please post the winpfind log
Silent Runners:
- Please click this link to download Silent Runners.
- Save it to the desktop.
- Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
- You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
- Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.
- NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
For some time it will look like nothing is happening. Just keep waiting.
- Once it's done it will create a log. A window will come up telling you when it's saved. Please post that log here
#11
Posted 18 September 2005 - 04:21 PM
Dear EXCAL:
When I clicked on the Silent Runners link, all I got was a L O N G text message. There was nowhere to download it. I cannot find it anywhere else on your web site. Can you check this and let me know where to download it from?
Thanks, philroswit
#12
Posted 18 September 2005 - 06:58 PM
Copy the link location and open it in Internet Explorer.
Excal
#13
Posted 19 September 2005 - 07:20 PM
Dear EXCAL:
My Internet Explorer does not work. I have been using Mozilla. I did find Silent Runners' web site and tried to download it there, but I got the same thing, just a long text-message-type document. No program to run. Any suggestions?
Thanks,
philroswit
#14
Posted 19 September 2005 - 07:34 PM
After it opens in Mozilla, go to File, then Save Page As...
Save it as a .vbs on your desktop.
Excal
#15
Posted 06 October 2005 - 10:55 PM
Dear Excal:
I replied to this post the other day and it didn't post for some reason. I must have hit the wrong key.
I am sorry it took so long for me to get back, I am working 12 hour days and it leaves little time for computer time.
I ran the winpfind program. It ran all night and finally I stopped it the next morning.
I then ran silent runners. I have posted the log from this.
My computer works fine, it just takes a long time to boot when I turn it on. Like three minutes before the icons appear.
Anyway, check this log out and let me know what you think.
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"NvCplDaemon" = "RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup" [MS]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"Lexmark 5200 series" = ""C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"" ["Lexmark International, Inc."]
"LXBTCATS" = "rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16" [MS]
"FaxCenterServer" = ""C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s" [null data]
"(Default)" = (empty string)
"NAV Agent" = "C:\PROGRA~1\NORTON~1\navapw32.exe" ["Symantec Corporation"]
"RegistryMechanic" = (empty string)
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\nvshell.dll" ["NVIDIA Corporation"]
"{59850401-6664-101B-B21C-00AA004BA90B}" = "Microsoft Office Binder Unbind"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\1033\UNBIND.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShareWallpaper.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"SCRNSAVE.EXE" = "C:\WINNT\system32\NASCAR~1.SCR" (nascarscreensaver.scr) [null data]
Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Exif Launcher" -> shortcut to: "C:\Program Files\FinePixViewer\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]
"Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -h" ["Eastman Kodak Company"]
"NaturalColorLoad" -> shortcut to: "C:\Program Files\SEC\Natural Color\NaturalColorLoad.exe" [empty string]
Enabled Scheduled Tasks:
------------------------
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar1.dll" ["Google Inc."]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
LXBTCustomerConnect, LXBTCustomerConnect, "C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXBTserv.exe" ["Lexmark International, Inc."]
Norton AntiVirus Auto Protect Service, navapsvc, "C:\Program Files\Norton AntiVirus\navapsvc.exe" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "C:\WINNT\system32\nvsvc32.exe" ["NVIDIA Corporation"]
ptssvc, ptssvc, "C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe" ["KODAK"]
ScsiAccess, ScsiAccess, "C:\WINNT\system32\ScsiAccess.EXE" [null data]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 76 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 18 seconds.
---------- (total run time: 132 seconds)
Thank you,
philroswit