3600 spyware removed and still i can't deal with..

#1
Remo (Member, 11 posts)
Hello everyone, I've got a very serious problem. I have removed over 3600 viruses/spyware from my computer and I still cannot deal with some of it. I've tried using Symantec Norton AntiVirus, Ad-Aware 6 and Ewido, all in safe mode and with recent updates.
The most serious problem is the fact that when I start my WinXP all my settings are being reset ;-/ So after each reboot I have a clean Windows, without any settings. I believe it's because a temporary user is being used, but I don't know why or how, so I need your help ;-).

Here is the log from HijackThis:

Scan saved at 21:03:11, on 2005-01-09
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Programy\ewido\security suite\ewidoctrl.exe
E:\Programy\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Programy\Norton AntiVirus\navapsvc.exe
E:\Programy\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
E:\Programy\Kerio\persfw.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Admilli Service\AdmilliServ.exe
C:\WINDOWS\System32\CTFMON.EXE
C:\Program Files\Admilli Service\AdmilliKeep.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\Crazy Browser\Crazy Browser.exe
E:\Programy\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programy\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Programy\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Programy\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\RunServices: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.14...chm::/trs15.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.xxxtoolba...ect_regular.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.co...kanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9A24DAB-134F-40DA-A329-3B8DC1182644}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{A9A24DAB-134F-40DA-A329-3B8DC1182644}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - E:\Programy\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Programy\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - E:\Programy\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - E:\Programy\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall - Kerio Technologies - E:\Programy\Kerio\persfw.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Programy\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I would be very grateful if someone could help me. :tazz:
  • 0

#2
-=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)
Try checking something for me real quick before we get started on this log. Go to My Computer, double-click your C:\ drive, double-click "Documents and Settings", double-click your username, and find a file called "ntuser". Now tell me if it is called ntuser.dat or ntuser.man. If it is .man, rename it to ntuser.dat; this will allow you to keep your Windows profile changes. When it is named ntuser.man, it allows you to change the profile while you're in it, and then it goes back to how it was when you logged in when you log off. Next we'll clean the log.

-=jonnyrotten=- :tazz:
  • 0

#3
Remo (Topic Starter, Member, 11 posts)
OK, so every file in ../Documents and Settings/ is called ntuser with the .dat extension ;-)
  • 0

#4
Remo (Topic Starter, Member, 11 posts)
And I didn't change it. :>
  • 0

#5
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~2.DLL

O4 - HKLM\..\Run: [WIN USB 2.0] winusb.exe

O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\RunServices: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe

O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:\foo.mht!http://82.179.166.14...chm::/trs15.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.xxxtoolba...ect_regular.cab

Reboot into safe mode and delete:
C:\Program Files\Admilli Service <= entire folder

Boot normally and post a new HijackThis log.

Regards,

Pieter
  • 0

#6
Remo (Topic Starter, Member, 11 posts)
OK, so I've done what you said and here's the log:

Logfile of HijackThis v1.99.0
Scan saved at 23:24:42, on 2005-01-09
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Programy\ewido\security suite\ewidoctrl.exe
E:\Programy\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Programy\Norton AntiVirus\navapsvc.exe
E:\Programy\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
E:\Programy\Kerio\persfw.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\CTFMON.EXE
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
C:\Crazy Browser\Crazy Browser.exe
E:\Programy\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programy\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Programy\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Programy\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.co...kanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9A24DAB-134F-40DA-A329-3B8DC1182644}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{A9A24DAB-134F-40DA-A329-3B8DC1182644}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - E:\Programy\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Programy\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - E:\Programy\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - E:\Programy\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall - Kerio Technologies - E:\Programy\Kerio\persfw.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Programy\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#7
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Did we miss this one, or did it come back?

O4 - HKLM\..\Run: [WIN USB 2.0] winusb.exe

Can you try again and let me know?

Regards,

Pieter
  • 0
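The check Pieter is doing by eye in #5 to #7 (a list of entries to fix, then a fresh log that still shows one of them) can be made mechanical. The Python script below is an added example and is not part of this thread or of HijackThis itself: it parses the registry O4 autorun lines of a HijackThis log into (hive, subkey, name, command) tuples and reports which requested entries still appear in a later log. The two inputs are constructed excerpts of the fix list in #5 and the second log in #6; the function names are my own.

```python
"""Check a HijackThis fix list against a later log (added example, not
part of the thread or of HijackThis).  Only the registry O4 autorun lines
are parsed; Global Startup entries are ignored."""
import re

# One registry O4 line, e.g.  O4 - HKLM\..\Run: [ccApp] "C:\...\ccApp.exe"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<subkey>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$"
)

# Constructed excerpt: the O4 lines the helper asked to have fixed (post #5).
FIX_LIST = r"""
O4 - HKLM\..\Run: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\Run: [Admilli Service] C:\Program Files\Admilli Service\AdmilliServ.exe
O4 - HKLM\..\RunServices: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\RunServices: [WinProfile] sndcfg16.exe
"""

# Constructed excerpt: O4 lines as they appeared in the second log (post #6).
SECOND_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WIN USB 2.0] winusb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
"""


def parse_o4(log_text):
    """Return the registry O4 entries as a set of (hive, subkey, name, command)."""
    entries = set()
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.add((m["hive"], m["subkey"], m["name"], m["cmd"]))
    return entries


def still_present(fix_list_text, log_text):
    """Requested entries that the later log still contains."""
    return sorted(parse_o4(fix_list_text) & parse_o4(log_text))


def removed(fix_list_text, log_text):
    """Requested entries that are gone from the later log."""
    return sorted(parse_o4(fix_list_text) - parse_o4(log_text))


if __name__ == "__main__":
    for entry in still_present(FIX_LIST, SECOND_LOG):
        print("still present:", entry)
    for entry in removed(FIX_LIST, SECOND_LOG):
        print("removed:      ", entry)
```

On these inputs the one entry still present is the HKLM\..\Run copy of [WIN USB 2.0]; it shares its name with the RunServices copy that was removed, which is exactly why it is easy to overlook when reading by eye, and comparing the full (hive, subkey, name, command) tuple rather than the name alone is what catches it. If an entry that was fixed keeps reappearing in later logs rather than simply having been missed, something still running is re-creating it, which is the distinction Pieter is asking about in #7.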

#8
Remo (Topic Starter, Member, 11 posts)
Right, but I thought that you wanted me to remove WinUSB just from RunServices, not from Run ;-) I'll do that too.
  • 0

#9
Remo (Topic Starter, Member, 11 posts)
OK, now I think it's good :tazz:

Logfile of HijackThis v1.99.0
Scan saved at 23:36:27, on 2005-01-09
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
E:\Programy\ewido\security suite\ewidoctrl.exe
E:\Programy\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\Programy\Norton AntiVirus\navapsvc.exe
E:\Programy\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
E:\Programy\Kerio\persfw.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\CTFMON.EXE
C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
E:\Programy\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Łącza
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Programy\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Programy\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Programy\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\DSLMON.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_06\bin\npjpi142_06.dll
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O16 - DPF: {E7544C6C-CFD6-43EA-B4E9-360CEE20BDF7} (MainControl Class) - http://skaner.mks.co...kanerOnline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A9A24DAB-134F-40DA-A329-3B8DC1182644}: NameServer = 194.204.152.34 217.98.63.164
O17 - HKLM\System\CS1\Services\Tcpip\..\{A9A24DAB-134F-40DA-A329-3B8DC1182644}: NameServer = 194.204.152.34 217.98.63.164
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - E:\Programy\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - E:\Programy\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - E:\Programy\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - E:\Programy\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Kerio Personal Firewall - Kerio Technologies - E:\Programy\Kerio\persfw.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Programy\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#10
Remo (Topic Starter, Member, 11 posts)
Sorry, I missed it earlier :tazz:
  • 0

#11
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
No problem. If I got a dime for every time that happened... :tazz:

Now I would install SP2 for IE and XP if I were you.

More tips to enhance your security can be found here:
http://metallica.geekstogo.com/

Regards,

Pieter
  • 0

#12
Remo (Topic Starter, Member, 11 posts)
Thank you kindly :tazz:

But what should I do to convince my Windows XP that I don't want it to load from Documents And Settings/TEMP, but from my account? ;-)
  • 0

#13
Metallica (Spyware Veteran, GeekU Moderator, 33,101 posts)
Not sure about this one.

Depends on how badly your own account was damaged I guess.
Can you make a Restore Point before you try this?

Copy the text below into Notepad and save it as usershell.reg (set the file type to "All files"):

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"AppData"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,41,70,70,6c,69,63,\
61,74,69,6f,6e,20,44,61,74,61,00
"Desktop"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,42,75,72,65,61,75,\
62,6c,61,64,00
"Favorites"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,46,61,76,6f,72,69,\
65,74,65,6e,00
"NetHood"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,4e,65,74,48,6f,6f,\
64,00
"Personal"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,4d,69,6a,6e,20,64,\
6f,63,75,6d,65,6e,74,65,6e,00
"PrintHood"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,4e,65,74,77,65,72,\
6b,70,72,69,6e,74,65,72,6f,6d,67,65,76,69,6e,67,00
"Programs"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,4d,65,6e,75,20,53,\
74,61,72,74,5c,50,72,6f,67,72,61,6d,6d,61,27,73,00
"Recent"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,4f,6e,6c,61,6e,67,73,\
20,67,65,6f,70,65,6e,64,00
"SendTo"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,53,65,6e,64,54,6f,00
"Start Menu"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,4d,65,6e,75,20,\
53,74,61,72,74,00
"Startup"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,4d,65,6e,75,20,53,\
74,61,72,74,5c,50,72,6f,67,72,61,6d,6d,61,27,73,5c,4f,70,73,74,61,72,74,65,\
6e,00
"Templates"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,53,6a,61,62,6c,6f,\
6e,65,6e,00
"Cookies"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,43,6f,6f,6b,69,65,\
73,00
"My Pictures"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,4d,69,6a,6e,20,\
64,6f,63,75,6d,65,6e,74,65,6e,5c,4d,69,6a,6e,20,61,66,62,65,65,6c,64,69,6e,\
67,65,6e,00
"Local Settings"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,4c,6f,63,61,\
6c,20,53,65,74,74,69,6e,67,73,00
"Local AppData"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,4c,6f,63,61,\
6c,20,53,65,74,74,69,6e,67,73,5c,41,70,70,6c,69,63,61,74,69,6f,6e,20,44,61,\
74,61,00
"Cache"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,4c,6f,63,61,6c,20,53,\
65,74,74,69,6e,67,73,5c,54,65,6d,70,6f,72,61,72,79,20,49,6e,74,65,72,6e,65,\
74,20,46,69,6c,65,73,00
"History"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,4c,6f,63,61,6c,20,\
53,65,74,74,69,6e,67,73,5c,47,65,73,63,68,69,65,64,65,6e,69,73,00


Double-click the file you made and confirm you want to merge it with the registry.

Regards,

Pieter

Edited by Metallica, 09 January 2005 - 05:21 PM.

  • 0
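Before merging a .reg file like the one above it is worth seeing what it will actually write, because hex(2) (REG_EXPAND_SZ) values are not readable as posted. The Python script below is an added example and is not part of this thread: it joins the backslash-continued lines of a REGEDIT4 export and decodes each hex(2) value into the string it stores. The sample is a constructed excerpt of three values from the posted file, and the function names are my own. Decoded, the posted values resolve to Dutch-localized profile folder names (for example "Desktop" becomes %USERPROFILE%\Bureaublad), while the logs in this thread come from a Polish Windows (the Łącza links folder in the R0 line). On an installation in another language those folders do not exist under the profile, so the decoded paths should be compared with an export of the same key from a working account before the file is merged.

```python
"""Decode the REG_EXPAND_SZ (hex(2)) values of a REGEDIT4 export.

Added example, not part of the forum thread.  It shows what a .reg file
like the posted usershell.reg would write to User Shell Folders.
"""
import re

# Constructed sample: three values copied from the posted usershell.reg.
SAMPLE_REG = r'''REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"AppData"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,41,70,70,6c,69,63,\
61,74,69,6f,6e,20,44,61,74,61,00
"Desktop"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,42,75,72,65,61,75,\
62,6c,61,64,00
"SendTo"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,53,65,6e,64,54,6f,00
'''

# "Name"=hex(2):aa,bb,...   (the byte list may continue on following lines)
VALUE_RE = re.compile(r'^"([^"]+)"=hex\(2\):(.*)$')

SHELL_FOLDERS_KEY = (
    r"HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion"
    r"\Explorer\User Shell Folders"
)


def _join_continuations(text):
    """Yield logical lines: a trailing backslash joins the next physical line."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def parse_reg_expand_sz(text):
    """Return {key_path: {value_name: decoded_string}} for every hex(2) value."""
    result = {}
    current_key = None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            result.setdefault(current_key, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current_key is None:
            continue
        name, hexbytes = m.groups()
        raw = bytes(int(h, 16) for h in hexbytes.split(",") if h)
        # REGEDIT4 is an ANSI-format export; the string ends at the NUL byte.
        decoded = raw.split(b"\x00", 1)[0].decode("cp1252")
        result[current_key][name] = decoded
    return result


def decode_sample():
    """Decoded User Shell Folders values from the constructed sample."""
    return parse_reg_expand_sz(SAMPLE_REG)[SHELL_FOLDERS_KEY]


if __name__ == "__main__":
    for name, path in decode_sample().items():
        print(f"{name:12s} -> {path}")
```

Run it and each value prints as name -> path. Any decoded path whose folder does not exist under the profile is one to change to the local name before merging; the same parser will read a full export of the key from a healthy account for comparison.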

#14
Remo (Topic Starter, Member, 11 posts)
But shall I make a backup of the registry, or of the files from Documents And Settings/Temp, or something else? ;-)
  • 0

#15
Remo (Topic Starter, Member, 11 posts)
OK, I've done it and there is no change, but thank you for the advice ;-).
Maybe you have another idea? :tazz:
  • 0
