SLAVSSVC.exe [RESOLVED]


#1
btr94
When I start up my Windows XP Professional Dell Dimension 4500, I have an error that comes up saying that memory cannot be accessed. The title of the error is SLAVSSVC.exe.

What is this, and how can I get rid of it?
#2
lovethepirk (Visiting Staff)
Welcome to the G2G forums, glad to help you. Sorry it has been a while, but we are extremely busy here.

First we need to get a HJT log from you.

Download Hijackthis from here: http://www.spywarein.../HijackThis.exe
Save it in a convenient permanent folder such as C:\HJT\

Now run a scan with Hijackthis like this:
  • open up Hijackthis
  • Click Scan and then when finished click Save log
  • Please copy and paste the Hijackthis log for us in your next reply.
We will get you going after this :)

Thanks for your patience,

LTP

#3
btr94 (Topic Starter)
Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:45:09 AM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.depaul.edu/students
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows DLL Services] C:\system.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mediapluscash.exe] C:\WINDOWS\system32\mediapluscash.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\system32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\system32\opr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S3Jvc25qYXIA\command.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



BTW, what is the limit on posts? It seems I put up too many.

Thanks,
btr94

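The log above is the kind of thing a helper reads by eye, but most of what makes an entry suspicious here is mechanical: `C:\system.exe` lives in the drive root, the `cmdService` entry has "Unknown owner" (HijackThis could read no company name from the binary) and points at a file that is already gone, and its folder name `S3Jvc25qYXIA` is Base64 that decodes to `Krosnjar`, the user-profile name that shows up in the paths later in this thread. The following triage script is an added example written for this page; it is not part of HijackThis or of any tool the thread uses, and its sample input is a constructed subset of the O4/O23 lines from the log above.

```python
"""Heuristic triage of HijackThis O4 (autostart) and O23 (service) lines.

Added example written for this thread; it is not part of HijackThis or of
any tool mentioned in the thread.  The sample below is constructed from a
subset of the O4/O23 entries in the first HJT log posted above.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed sample: selected O4/O23 lines from the first HJT log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows DLL Services] C:\system.exe
O4 - HKLM\..\Run: [mediapluscash.exe] C:\WINDOWS\system32\mediapluscash.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S3Jvc25qYXIA\command.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_REGISTRY = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_SHORTCUT = re.compile(r"^O4 - (?P<where>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.+)$")
O23_SERVICE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$"
)
FILE_MISSING = " (file missing)"


def executable_of(cmd: str) -> str:
    """Return the program path from an autostart command line, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path: cut after the first executable extension so spaces in the path survive.
    m = re.match(r"(.+?\.(?:exe|com|scr|dll))(?:\s|,|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def decode_if_base64(token: str) -> Optional[str]:
    """Return the decoded text if `token` is Base64 for printable ASCII, else None.

    A folder or file name that decodes to clean printable text is a strong hint
    that the name was generated rather than chosen by a vendor.
    """
    if len(token) < 8 or len(token) % 4 == 1 or not re.fullmatch(r"[A-Za-z0-9+/]+", token):
        return None
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    raw = raw.rstrip(b"\x00")
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def check_path(path: str, line: str) -> List[Tuple[str, str]]:
    """Path-based heuristics shared by O4 and O23 entries."""
    out = []
    parts = path.split("\\")
    # Legitimate software does not install its executable directly in the drive root.
    if len(parts) == 2 and re.fullmatch(r"[A-Za-z]:", parts[0]):
        out.append(("executable in drive root", line))
    for part in parts[1:]:
        decoded = decode_if_base64(part.rsplit(".", 1)[0])
        if decoded:
            out.append((f"base64-encoded name decodes to {decoded!r}", line))
    return out


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for entries that deserve a closer look."""
    findings = []
    for line in log_text.strip().splitlines():
        m = O4_REGISTRY.match(line) or O4_SHORTCUT.match(line)
        if m:
            findings += check_path(executable_of(m.group("cmd")), line)
            continue
        m = O23_SERVICE.match(line)
        if m:
            if m.group("owner") == "Unknown owner":
                findings.append(("service binary carries no vendor information", line))
            path = m.group("path")
            if path.endswith(FILE_MISSING):
                findings.append(("service registered for a binary that no longer exists", line))
                path = path[: -len(FILE_MISSING)]
            findings += check_path(path, line)
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the sample, it flags exactly the `C:\system.exe` entry and the `cmdService` entry (three times: no vendor, binary missing, Base64 folder name). Entries such as `C:\WINDOWS\etb\pokapoka70.exe` or `medgs1.exe` in `system32` do not trip any of these rules, which is why the thread still goes on to run dedicated removal tools and a scanner rather than trusting a log read alone.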
#4
lovethepirk (Visiting Staff)
There are many users on our forums and we have limited volunteers; you started posting every issue you had in a new topic and cluttered up the board. After we get you cleaned up you can ask me some questions, and I will try to answer them to the best of my ability. Let's get you cleaned up first, okay?

You have several distinct infections we need to target, so let's go.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download LQfix.exe from one of the following locations:

http://www.downloads...m.org/LQfix.exe
http://miekiemoes.ge...tools/LQfix.exe

Save it to your desktop.
  • Double-Click LQfix.exe and click Next > Next > Install.
  • Leave the default settings, if you change them, the fix will Fail!
  • You need an active Internet connection, so make sure your connection is enabled.
  • Now make sure the "Launch LQfix" box is checked.
  • Click the Finish button, after clicking the Finish button the fix will start.
  • Follow the on-screen prompts.
  • Your system will reboot afterwards.
  • Please be patient after the reboot, there is a script running in the background that needs to complete.
Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe
Save it to your desktop but do NOT run it yet.

Please download, install, update and scan your system with the free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close Ewido now; we will run it later in Safe Mode.
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

While still in safe mode run the Ewido Scanner:
  • Open up Ewido Trojan Scanner
  • Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread
Make sure you are set to normal startup: click Start -> Run -> type Msconfig -> press Enter -> make sure Startup is set to Normal, then REBOOT.

These are the logs we need from you now:

A new HJT log
The Ewido scan log
The entire contents of the "log.txt" file in the aproposfix folder.


Thanks,

Lovethepirk

#5
btr94 (Topic Starter)
Thanks, before I do this, 3 things:

1. My friend whose computer I'm fixing has Norton running. Will Ewido interfere with Norton?

2. I have to run everything in Safe Mode, because I can't start up until SLAVSSVC.exe is removed

3. Could you tell me what viruses are on the computer, as I need to tell my friend every virus she has on there.

Thanks,
btr94

#6
lovethepirk (Visiting Staff)
btr94,
===================================
As I said before we only have so many volunteers and we do not have the time to tell you about every virus/trojan you have running around.

If you would be so kind and considerate as to run the directions posted from now on to the best of your ability, that would save us both a great deal of time.

Again, after you are fixed you can ask me some questions, but let's get you fixed first, okay?
Hopefully you can understand that we are very professional here and rarely miss anything in a HJT log. I saw you have Norton, so I would not have had you run Ewido unless I knew it would work with Norton.

I really want to clean you up, but you are making it a bit tough.
====================================

Now, are you stuck in Safe Mode permanently, or is it just that you do not want to boot into normal mode?

If you can boot into normal mode, please run the directions from my last post to the best of your ability. If it is possible to boot into Safe Mode with Networking, then you might be able to run the directions from above as well.

If you cannot boot normally or with internet access, then here are some new directions for you. You will have to download some of these programs from another computer and then transfer them to your infected machine via a CD-R, flash drive or thumb drive.

Download the following programs to be transferred to the infected computer:

Please download miekiemoes' LQfix batch here:
http://users.telenet...tools/LQfix.zip


Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe


Please download a free version of Ewido trojan scanner:

All three of these programs will need to be transferred to your infected machine.

Once you have done this run these steps:

Unzip LQfix.zip to the desktop, then please run LQfix.bat.

Double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

Open up Ewido and do this:
  • Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
  • If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of text file in your next post.
Reboot normally now and this is all we need from you in your next post:

1) The Ewido log
2) The entire contents of the log.txt file in the aproposfix folder.
3) A new HJT
4) Feedback on how things went

#7
btr94 (Topic Starter)
Thank you soooooooooooo much for your help. I now am able to start up in normal mode without any problems.

Here is the ewido log:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:07:09 PM, 10/16/2005
+ Report-Checksum: AC013ACD

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\\ -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2D7CB618-CC1C-4126-A7E3-F5B12D3BCF71} -> Spyware.AdBlaster : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E9147A0A-A866-4214-B47C-DA821891240F} -> Spyware.ESD : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6F59D850-A155-4930-98AE-689A2BC7B8E8}\TypeLib\\ -> Spyware.IBIS : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D273D427-57C6-4B12-860F-BBB8195F6E2A} -> Spyware.TOPicks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D273D427-57C6-4B12-860F-BBB8195F6E2A}\TypeLib\\ -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\ngpw34.clsIS\Clsid\\ -> Spyware.AdBlaster : Cleaned with backup
HKLM\SOFTWARE\Classes\ngsw31.clsIS\Clsid\\ -> Spyware.ESD : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{F720B40F-3A38-4B22-B30D-DCF095D42498} -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/Program Files/AWS/WeatherBug/MiniBugTransporter.dll\\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MiniBugTransporter.dll\\.Owner -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/MiniBugTransporter.dll\\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SbCIe028.dll\\.Owner -> Spyware.SideStep : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/SbCIe028.dll\\{640B39C1-D713-464F-92C3-75BD972B95EE} -> Spyware.SideStep : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/WUInst.dll\\.Owner -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/WUInst.dll\\{E2F2B9D0-96B9-4B25-B90C-636ECB207D18} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\motoin -> Spyware.Delfin : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0000607D-D204-42C7-8E46-216055BF9918} -> Spyware.TwainTech : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10003000-1000-0000-1000-000000000000} -> Spyware.Axexx : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{13197ACE-6851-45C3-A7FF-C281324D5489} -> Spyware.2nsSearch : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} -> Spyware.SearchMiracle : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2D7CB618-CC1C-4126-A7E3-F5B12D3BCF71} -> Spyware.AdBlaster : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{60112085-E1CE-4E0E-823A-EBB1AD98804C} -> Spyware.VirtuMonde : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{640B39C1-D713-464F-92C3-75BD972B95EE} -> Spyware.SideStep : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{825CF5BD-8862-4430-B771-0C15C5CA8DEF} -> Spyware.EliteBar : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} -> Spyware.MoneyTree : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{999A06FF-10EF-4A29-8640-69E99882C26B} -> Spyware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CE188402-6EE7-4022-8868-AB25173A3E14} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D714A94F-123A-45CC-8F03-040BCAF82AD6} -> Spyware.SideStep : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DDFFA75A-E81D-4454-89FC-B9FD0631E726} -> Spyware.VX2 : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E0CE16CB-741C-4B24-8D04-A817856E07F4} -> Spyware.Roimoi : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E9147A0A-A866-4214-B47C-DA821891240F} -> Spyware.ESD : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EBBD88E5-C372-469D-B4C5-1FE00352AB9B} -> Spyware.FavoriteMan : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1060284298-1336601894-1801674531-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FAA356E4-D317-42A6-AB41-A3021C6E7D52} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Spyware.NewDotNet : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
C:\Documents and Settings\Krosnjar\Desktop\Bryce Stuff\Trash\No Problems\jrjfnriinu.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Krosnjar\Desktop\Bryce Stuff\Trash\No Problems\medgs1.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\Krosnjar\Desktop\Bryce Stuff\Trash\No Problems\MediaGateway.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Krosnjar\Desktop\Bryce Stuff\Trash\No Problems\mjkb\tlegqq.exe -> TrojanDownloader.Agent.lg : Cleaned with backup
C:\WINDOWS\876029.exe -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\bundle_mediamotor1004.exe -> Adware.Saha : Cleaned with backup
C:\WINDOWS\cfgmgr52\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\cfgmgr52\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\mm81.ocx -> TrojanDownloader.VB.ov : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\mm81.ocx -> TrojanDownloader.VB.ov : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\mm81.ocx -> TrojanDownloader.VB.ov : Cleaned with backup
C:\WINDOWS\invitessk.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\mm81.ocx -> TrojanDownloader.VB.ov : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\S3Jvc25qYXIA\asappsrv.dll -> Spyware.CommAd : Cleaned with backup
C:\WINDOWS\system32\app2bundle.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\bi2.exe/bi.dll -> Spyware.BiSpy : Cleaned with backup
C:\WINDOWS\system32\bi2.exe/biprep.exe -> Trojan.Bispy.B : Cleaned with backup
C:\WINDOWS\system32\bi2.exe/bi.dll -> Spyware.BiSpy : Cleaned with backup
C:\WINDOWS\system32\bi2.exe/biprep.exe -> Trojan.Bispy.B : Cleaned with backup
C:\WINDOWS\system32\BO2802040113.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\in8b2s.dll -> Adware.eZula : Cleaned with backup
C:\WINDOWS\system32\mediapluscash.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\MoreResultsSetup.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\msbb321.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe -> Spyware.ISearch : Cleaned with backup
C:\WINDOWS\system32\NNSCAA638.EXE -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\system32\qool3.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\system32\sav2.exe -> TrojanDownloader.Agent.vp : Cleaned with backup
C:\WINDOWS\system32\testit.exe -> TrojanDownloader.IstBar.is : Cleaned with backup


::Report End

Here is the log.txt from AproposFix:

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Krosnjar\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CyPjtAH7YSED]
"Device"="\\\\.\\vQBdKEyP"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\rasparhm9.sys"
"DriverName"="PolScan"
"HideUninstallerName"="C:\\Program Files\\Noraol\\nvacltui.exe"
"HDll"="C:\\WINDOWS\\system32\\edlmedia.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.con...onbranded.html"
"PartnerId"="CP.SAV2"
"InstallationId"="{X2042de3-8c73-4b62-f7c4-4be13f1c6388}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Noraol\\slavssvc.exe"
"AutoUpdater"="C:\\WINDOWS\\system32\\vdmssenh.exe"
"Version"="2.0.81"
"LastAURestoreMsgTS"="2005:10:14-12:13:44:593"

--
[HKEY_LOCAL_MACHINE\Software\Aprps]

[HKEY_LOCAL_MACHINE\Software\Aprps\Client]
"PartnerId"="WB.VER2"


************

Removing hidden service:
Service PolScan removed.

Removing hidden folder:
Deletion of folder Noraol succeeded!

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\rasparhm9.sys succeeded!
Deletion of file C:\WINDOWS\system32\vdmssenh.exe succeeded!
Deletion of file C:\WINDOWS\system32\edlmedia.dll succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CyPjtAH7YSED]
[-HKEY_CURRENT_USER\Software\Aprps]
[-HKEY_LOCAL_MACHINE\Software\CyPjtAH7YSED]
[-HKEY_LOCAL_MACHINE\Software\Aprps]

Done!

Finished!

Here is the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 7:48:44 PM, on 10/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.depaul.edu/students
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows DLL Services] C:\system.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\system32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\system32\opr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S3Jvc25qYXIA\command.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I also ran an HJT log in normal mode after this previous one:

Logfile of HijackThis v1.99.1
Scan saved at 7:59:33 PM, on 10/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.depaul.edu/students
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows DLL Services] C:\system.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\system32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\system32\opr.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S3Jvc25qYXIA\command.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Everything is fine now, except that "Scan with ewido" replaced "Scan with NortonAntiVirus" on the right-click menu, and every 10-20 seconds in normal mode I get a Norton "Security Alert" that reads the following:

Your computer is at risk in the following areas:
-Virus protection is turned off
Open your Norton product to resolve these issues.

[checkbox] To prevent duplicated security status alerts, use my existing Norton product alerts and turn off redundant Windows Security Center alerts. (Recommended)

...Then I went into Norton and clicked on where it said Auto-Protect, and then clicked Enable. I waited a few minutes, and it didn't enable it, and the above alert keeps coming up. Also, on GTG, can you close your own topic?

Thanks,
btr94

#8 lovethepirk (Visiting Staff, Member, 528 posts)

Nice work on our instructions :)
You still have some bad files running around so stick with us. We will close this thread after you are clean of any infections. Let's get you sparkling clean first :tazz:

You have one (or more) of these programs running on your machine and that is good.

Winpatrol
Spywareguard
Spybot s&d (Teatimer option)

But while we do the next part of the fix for your problems, it (or they) will complain and give you the option of cancelling the changes we are making with HijackThis.
When they do, please allow those changes to be made, or the problem lines will not be removed from your HijackThis log.

Go to add/remove programs and uninstall Ewido from the list.

Scan with HijackThis again and place a check next to these items:

O4 - HKLM\..\Run: [Windows DLL Services] C:\system.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\system32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINDOWS\system32\opr.exe

This is part of QuickTime from Apple Computer. It is not required for QuickTime to work, and can be removed.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

This process starts some Microsoft components, however it is not needed at start-up and it's a resource hog.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

I also see that you have restrictions on your Internet Explorer browser. If neither you nor your administrator has set these restrictions, you may also choose to have HijackThis fix these additional two lines.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all other windows except HijackThis, and hit Fix Checked

Navigate to the following files/folders and delete these:
C:\system.exe
C:\WINDOWS\system32\medgs1.exe
C:\WINDOWS\system32\opr.exe
C:\WINDOWS\S3Jvc25qYXIA (delete this folder as well if it is there)


If for some reason you cannot find these files please try unhiding the files then go after them again:
Make sure you can see all hidden files, please follow the directions here

Open HijackThis again. Click Config in the lower right > Misc Tools > Delete an NT Service

Paste in this:

cmdService

and click 'OK'

Close HijackThis.

Reboot your machine

Post another HJT log for us to look at with feedback on how things went.

Thanks for the good work!

Lovethepirk
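The entries the helper singled out above share a few visible traits in the log itself: an autorun binary sitting directly in C:\, an entry named to sound like a Windows component, a service with "Unknown owner" whose binary is "(file missing)", and IE policy restrictions nobody set on purpose. The following is an added example (not HijackThis code and not part of this thread) that parses O4, O6 and O23 lines and flags those traits mechanically; the sample lines are copied from the log posted above, and the flagging heuristics are constructed for illustration, not a vendor signature set.

```python
"""Triage O4/O6/O23 lines from a HijackThis log and flag the kinds of entries
the helper asked to have removed. Added example: not HijackThis code and not
the thread's own; every heuristic below is constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows DLL Services] C:\system.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\system32\medgs1.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\S3Jvc25qYXIA\command.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# Binary placed directly in the drive root, e.g. C:\system.exe (constructed heuristic).
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\.(exe|dll|com|scr)$", re.IGNORECASE)
# Autorun names that borrow Windows/Microsoft wording (constructed heuristic).
LOOKALIKE_RE = re.compile(r"\b(windows|microsoft|system)\b", re.IGNORECASE)
# Directories where a Windows- or vendor-named binary would normally live.
TRUSTED_DIR_RE = re.compile(r"^[A-Za-z]:\\(WINDOWS|Program Files|PROGRA~\d)\\", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def image_path(cmd: str) -> str:
    """Extract the executable (or rundll32-loaded DLL) from an O4 command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                       # quoted path, arguments follow
        return cmd[1:cmd.index('"', 1)]
    tokens = cmd.split()
    if len(tokens) > 1 and tokens[0].upper() in ("RUNDLL32.EXE", "RUNDLL32"):
        return tokens[1].split(",", 1)[0]         # the DLL, not rundll32 itself
    return tokens[0] if tokens else cmd


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding with one reason per heuristic that fires, or None."""
    line = line.rstrip()
    reasons: List[str] = []
    if line.startswith("O6 - "):
        reasons.append("IE policy restriction present; confirm it was set deliberately")
    m = O4_RE.match(line)
    if m:
        path = image_path(m.group("cmd"))
        if ROOT_EXE_RE.match(path):
            reasons.append("autorun binary sits directly in the drive root")
        if LOOKALIKE_RE.search(m.group("name")) and not TRUSTED_DIR_RE.match(path):
            reasons.append("autorun name imitates a Windows component but binary is outside WINDOWS/Program Files")
    m = O23_RE.match(line)
    if m:
        if m.group("missing"):
            reasons.append("service binary is missing on disk (orphaned service entry)")
        if m.group("owner").lower() == "unknown owner":
            reasons.append("service carries no publisher information")
        if ROOT_EXE_RE.match(m.group("path")):
            reasons.append("service binary sits directly in the drive root")
    return Finding(line, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log; unflagged lines are dropped."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ->", reason)
```

Run against the sample, the script flags exactly the three lines the helper addressed (C:\system.exe, the O6 restriction and the orphaned cmdService entry) and leaves the NVIDIA and QuickTime entries alone. Note that medgs1.exe and opr.exe in system32 pass these checks; nothing about their log line is suspicious on its face, which is why the helper's recognition of the file names, not a rule like these, caught them.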

#9 btr94 (Topic Starter, Member, 25 posts)

Thank you so much. Everything is running very smoothly.
Here is the HJT log you asked for:
Logfile of HijackThis v1.99.1
Scan saved at 4:23:55 PM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\Imapi.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.depaul.edu/students
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

BTW,

Every 10-20 seconds in normal mode I get a Norton "Security Alert" that reads the following:

Your computer is at risk in the following areas:
-Virus protection is turned off
Open your Norton product to resolve these issues.

[checkbox] To prevent duplicated security status alerts, use my existing Norton product alerts and turn off redundant Windows Security Center alerts. (Recommended)

...Then I went into Norton and clicked on where it said Auto-Protect, and then clicked Enable. I waited a few minutes, and it didn't enable it, and the above alert keeps coming up.


This is still a major problem and is annoying me. Do you have any clue why this is coming up?

Thanks,
btr94

#10 lovethepirk (Visiting Staff, Member, 528 posts)

Your log looks much better now :tazz:

Since you were badly infected I would like you to run one more online scan and save a log of what it finds for us.

Please run the Panda scan here:
http://www.pandasoft.../activescan.htm
Choose to "Disinfect automatically," and follow the prompts. Delete any viruses found, and save a panda log for us.


Next, what version of Norton are you using, and is it paid for and up-to-date? If it is not up-to-date (i.e. paid for), then that could be an issue:

Check out this link and run the automated tool and other tips to see if we can get that working again.
(You can skip the "check for infections" area of that link because I think you are pretty clean :))
http://service1.syma...rc=sg#_Section5

Once you have tried all this please reboot and see if Norton is working again.

Post another HJT log for good measure, the Panda log, and let us know how Norton is working.

Thanks,

Lovethepirk

#11 lovethepirk (Visiting Staff, Member, 528 posts)

edit: accidental duplicate post.

Edited by lovethepirk, 17 October 2005 - 08:28 PM.


#12 btr94 (Topic Starter, Member, 25 posts)

The panda scan ran, and it didn't find anything. I found out what was wrong with Norton, and I have to completely reinstall it. I'm in the process of getting the CD.

Thanks,
btr94

#13 lovethepirk (Visiting Staff, Member, 528 posts)

Btr94,

After you reinstall Norton, please post another HJT log for us to take a last look at. Sounds like things are better, that is good to hear.

Thanks,

LTP

#14 btr94 (Topic Starter, Member, 25 posts)

Thanks for your help
Here is the HJT log...


Logfile of HijackThis v1.99.1
Scan saved at 8:22:19 PM, on 10/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.depaul.edu/students
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...rl/LSSupCtl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...rl/SymAData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thanks,
btr94

#15 lovethepirk (Visiting Staff, Member, 528 posts)

Your log looks excellent :tazz:

Here are some preventive measures you can take to keep your computer from getting infected again. Also keep all these and Ad-aware SE and Spybot updated.

To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:
1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer. You CANNOT complete this update using an alternate browser.
http://v5.windowsupd...t.aspx?ln=en-us
http://www.microsoft.../ie/default.asp

2. Run your antivirus software regularly, and keep its definitions up-to-date. If you are thinking about switching, there are some good free antivirus programs that are decent, including AVG and Avast!.
AVG: http://free.grisoft.com/doc/1
Avast: http://www.avast.com...ast_4_home.html

3. In addition to using Ad-aware, consider using another free malware scanning/removal program:
Adaware SE: http://www.download....ubj=dl&tag=top5
Spybot S&D: http://www.download....tml?tag=lst-0-1
MS Antispyware beta: http://www.microsoft...re/default.mspx

4. Consider using a free firewall if you are not already using one. Some good free ones are:
Sygate: http://smb.sygate.co...pf_standard.htm
Zone Alarm: http://www.zonelabs....n.jsp?lid=ho_za

5. Consider using an alternate free browser for general web surfing, but you must use IE for Windows Update.
Mozilla Firefox: http://www.mozilla.o...oducts/firefox/

6. Consider increasing your browser security by using these programs:
SpywareGuard will protect your homepage from being hijacked: http://www.javacools...ywareguard.html
SpywareBlaster will increase browser protection by blocking hundreds of known malware sites by adding them to IE's restricted sites zone. Download it here: http://www.javacools...areblaster.html

If you use SpywareBlaster, you can also use a custom blocking list to add even more entries to IE's restricted sites zone. Go to this site for the current list and how-to-use instructions: http://customblockinglist.cjb.net/

IE-SPYAD is similar in that it adds thousands more known malware sites to IE's restricted zone. Download it here:
https://netfiles.uiu...ww/resource.htm

*Remember just like your primary anti-virus software, it is important to keep all of these programs up-to-date and use them on a regular basis.


Good luck!!!