[makihara]

Hello

Problem: can't launch task manager

when typing run taskmgr i get error "another program is using this file"

no other known problems

thanks for any help, here's my log

Logfile of HijackThis v1.99.1
Scan saved at 15:57:10, on 26/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\winupdates\winupdates.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadband.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

[Advertisements]

Hi makihara, Welcome to GTG !!

Sorry for the delay in reviewing your post

Since it has been so long, lets begin by downloading and running a few programs to help clean things up :

Download and Install Ewido Security Suite© by Ewido Networks
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
Close Ewido when updates finish

Download and Install CCleaner© by CCleaner.com

Run Ewido Security Suite
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE:During some scans with ewido it is finding cases of false positives.**See Below**

**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report.txt file to your desktop.
Now close Ewido Security Suite.

Run CCleaner
SETUP
DO NOT USE THE ISSUES TAB!!!!
Open CCleaner
Options, Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours" (for cleaning malware files!)

Options, Settings: Check "Run CCleaner when system starts" (optional)
Options, Settings: Check "Add 'Run Cleaner' option to Recycle Bin context menu" (optional)

To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Options>CustomFolders>Add Folder>Navigate to these folders (click on bold file once and hit OK) :
* C:\Windows\Temp\
* C:\Windows\Prefetch
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ (This will delete all your cached internet content including cookies.)
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
Hit OK
In left pane, scroll down to "Advanced, Custom Folders", put a check in Custom Folders
Then click on Run Cleaner.
Put check in box to not show message again.
It will automatically clean.

Close out CCleaner.

Now run TrendMicro Housecall
Note: you must use Internet Explorer, other browsers will not work.
Under "Scan your PC", please click Scan now. It's free!
Select your location and click the Go button.
Click the red magnifying glass button.
Select Complete Scan.
Please be patient while Housecall downloads.
Please allow the ActiveX Control and when prompted click install
Put a check next to My Computer
Leave the following checked:
Scan for Spyware
Check security vulnerabilities
Click the Next button.
It will download the latest scan engine and pattern files.
When the definitions have been downloaded, the scan will start.
After it's done scanning it will take you to the summary page.
Click the Next button.
Click the drop-down to choose delete or remove on each bad guy found, if you receive a prompt click OK.
Click the Next button to move onto the recovery (final) portion of the scan.
After everything has been removed, please click the show button on everything.
Highlight all the of text and press CTRL + C to copy the text.

Now please run HijackThis again

Reboot and post the new HijackThis Log, Ewido Log, and the Housecall Scan Log here.

Edited by Linkmaster, 31 October 2005 - 08:24 AM.

[Linkmaster]

Hi makihara, Welcome to GTG !!

Sorry for the delay in reviewing your post

Since it has been so long, lets begin by downloading and running a few programs to help clean things up :

Download and Install Ewido Security Suite© by Ewido Networks
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
Launch ewido, there should be an icon on your desktop double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
Close Ewido when updates finish

Download and Install CCleaner© by CCleaner.com

Run Ewido Security Suite
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE:During some scans with ewido it is finding cases of false positives.**See Below**

**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report.txt file to your desktop.
Now close Ewido Security Suite.

Run CCleaner
SETUP
DO NOT USE THE ISSUES TAB!!!!
Open CCleaner
Options, Advanced: Uncheck "Only delete files in Windows Temp folders older than 48 hours" (for cleaning malware files!)

Options, Settings: Check "Run CCleaner when system starts" (optional)
Options, Settings: Check "Add 'Run Cleaner' option to Recycle Bin context menu" (optional)

To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Options>CustomFolders>Add Folder>Navigate to these folders (click on bold file once and hit OK) :
* C:\Windows\Temp\
* C:\Windows\Prefetch
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ (This will delete all your cached internet content including cookies.)
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
Hit OK
In left pane, scroll down to "Advanced, Custom Folders", put a check in Custom Folders
Then click on Run Cleaner.
Put check in box to not show message again.
It will automatically clean.

Close out CCleaner.

Now run TrendMicro Housecall
Note: you must use Internet Explorer, other browsers will not work.
Under "Scan your PC", please click Scan now. It's free!
Select your location and click the Go button.
Click the red magnifying glass button.
Select Complete Scan.
Please be patient while Housecall downloads.
Please allow the ActiveX Control and when prompted click install
Put a check next to My Computer
Leave the following checked:
Scan for Spyware
Check security vulnerabilities
Click the Next button.
It will download the latest scan engine and pattern files.
When the definitions have been downloaded, the scan will start.
After it's done scanning it will take you to the summary page.
Click the Next button.
Click the drop-down to choose delete or remove on each bad guy found, if you receive a prompt click OK.
Click the Next button to move onto the recovery (final) portion of the scan.
After everything has been removed, please click the show button on everything.
Highlight all the of text and press CTRL + C to copy the text.

Now please run HijackThis again

Reboot and post the new HijackThis Log, Ewido Log, and the Housecall Scan Log here.

Edited by Linkmaster, 31 October 2005 - 08:24 AM.

[makihara]

Hello, thanks for your response

i kind of got tired of waiting a bit so i went and traveeled back in time to a system restore point.

that fixed the problem of task manager being hijacked.

but i do have other problems with my computer so if we continue anyway.


while running ewido i had to stop the search and then restart it which means the log i saved does not contain all that was removed by the first scan. Sorry about that. A few other quibbles as well with ewido:

-a message saying "file is embedded within folder do you want to delet file" (i said no)
-1 high risk program which i was'nt sure about (i didn't delete)


Anyway here is that log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 19:46:20, 01/11/2005
+ Report-Checksum: 6BBB48EF

+ Scan result:

C:\WINDOWS\system32\TFTP2520 -> Heuristic.Win32.Morphine-Crypted : Ignored
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogkc7ifd.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogkc7ifd.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogkc7ifd.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogkc7ifd.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogkc7ifd.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogkc7ifd.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogkc7ifd.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogkc7ifd.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogkc7ifd.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogkc7ifd.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\ogkc7ifd.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU -> Spyware.SaveNow : Cleaned with backup
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU\Learn More About Save!.url -> Spyware.SaveNow : Cleaned with backup
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU\Learn More About SaveNow.url -> Spyware.SaveNow : Cleaned with backup
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU\WhenU.com Website.url -> Spyware.SaveNow : Cleaned with backup
C:\HJT\backups\backup-20050215-084025-311.dll -> Spyware.EliteBar : Cleaned with backup
C:\Program Files\AdStatus Service\AdStatKeep.exe -> Spyware.WinAD : Cleaned with backup
C:\Program Files\BearShare\Installer\saveinstwm.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save -> Spyware.SaveNow : Cleaned with backup
C:\Program Files\Save\ReadMe.txt -> Spyware.SaveNow : Cleaned with backup
C:\Program Files\Save\store.db -> Spyware.SaveNow : Cleaned with backup
C:\Program Files\winupdates\a.tmp -> Worm.VB.an : Cleaned with backup
C:\Program Files\winupdates\a.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\WINDOWS\addins\ms.exe -> Trojan.Hiddenrun : Cleaned with backup
C:\WINDOWS\addins\sc.ocx -> Backdoor.Zapchast : Cleaned with backup
C:\WINDOWS\cxtpls_loader.exe -> Spyware.AproposMedia : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\ringtone.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\ringtone.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\ringtone.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\ringtone.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\sql2k3.exe/ms.exe -> Trojan.Hiddenrun : Error during cleaning
C:\WINDOWS\system32\70tovmto.ini -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\2Q23CZCM\cxtpls_loader[1].exe -> Spyware.AproposMedia : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\F1WJJPZH\istbar_mainstream[1].dll -> TrojanDownloader.IstBar.ge : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\F1WJJPZH\sidefind[1].exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G66NKQDQ\istdownload[1].exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G66NKQDQ\silent_install[1].exe -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G66NKQDQ\webrebates_europe[1].exe -> Spyware.WebRebates.g : Cleaned with backup
C:\WINDOWS\system32\dust -> TrojanDownloader.Ftp.i : Cleaned with backup
C:\WINDOWS\system32\elitedoolsav.dat -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\Temp\AutoUpdate0\auto_update_uninstall.exe -> Spyware.AproposMedia : Cleaned with backup
C:\WINDOWS\Temp\fkdZ9Ah.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\Temp\sidefind.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\Temp\suicidetb.exe -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\Temp\webrebates.exe -> Spyware.WebRebates.g : Cleaned with backup
C:\WINDOWS\Temp\~apropos0\uninstaller.exe -> Spyware.AproposMedia : Cleaned with backup
C:\WINDOWS\Temp\~apropos0\WinGenerics.dll -> Spyware.AproposMedia : Cleaned with backup


::Report End


runnning ccleaner....no problems


trendmicrohousecall...hmm the guideline you posted doesn't follow with the link you gave me. There was no "show" button so no log unfortunately. Maybe i didn'nt let it finish...nah that can't be it.


ok now hijackthis:


Logfile of HijackThis v1.99.1
Scan saved at 21:18:03, on 01/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadband.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


Thanks for all your help
makihara

[Linkmaster]

Your log looks clean now !!

Sorry about the link here is the new one :

TrendMicro Online Virus Scan

If you would run that one, or run this one :
Kaspersky WebScanner
Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan:
Select My Computer

Then the program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.

Post the log and let me know how your system is running !!

Edited by Linkmaster, 02 November 2005 - 05:51 AM.

[makihara]

Hello again

here's the log from "Kapersky"

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 02, 2005 22:21:03
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 2/11/2005
Kaspersky Anti-Virus database records: 157841
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 53121
Number of viruses found: 24
Number of infected objects: 79
Number of suspicious objects: 0
Duration of the scan process: 2812 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Owner\Desktop\Files\Installed Programs\BSINSTALL 5.01/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Documents and Settings\Owner\Desktop\Files\Installed Programs\BSINSTALL 5.01/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Documents and Settings\Owner\Desktop\Files\Installed Programs\BSINSTALL 5.01/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Documents and Settings\Owner\Desktop\Files\Installed Programs\BSINSTALL 5.01/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Documents and Settings\Owner\Desktop\Files\Installed Programs\BSINSTALL 5.01 Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Documents and Settings\Owner\Desktop\Files\Installed Programs\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Documents and Settings\Owner\Desktop\Files\Installed Programs\BSINSTALL.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Documents and Settings\Owner\Desktop\Files\Installed Programs\BSINSTALL4.5.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Documents and Settings\Owner\Desktop\Files\Installed Programs\BSINSTALL4.5.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Documents and Settings\Owner\Desktop\Files\Installed Programs\BSINSTALL4.5.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\Documents and Settings\Owner\Desktop\Files\Installed Programs\BSINSTALL4.5.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Documents and Settings\Owner\Desktop\Files\Installed Programs\BSINSTALL4.5.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Documents and Settings\Owner\Desktop\Files\Installed Programs\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Documents and Settings\Owner\Desktop\Files\Installed Programs\mirc616.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Program Files\BearShare\Installer\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Program Files\BearShare\Installer\BSINSTALL.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\Program Files\Common Files\Ulead Systems\DVD\ulStreamCache.dll Infected: not-a-virus:AdWare.Win32.Castrul.a
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Program Files\Norton AntiVirus\Quarantine\074D0CB2.exe Infected: Trojan-Clicker.Win32.Small.di
C:\Program Files\Norton AntiVirus\Quarantine\076873AB.exe Infected: Trojan-Clicker.Win32.Small.di
C:\Program Files\Norton AntiVirus\Quarantine\115A6F81.exe Infected: Trojan-Clicker.Win32.Small.di
C:\Program Files\Norton AntiVirus\Quarantine\12F21FD1.exe Infected: Trojan-Clicker.Win32.Small.di
C:\Program Files\Norton AntiVirus\Quarantine\16746153.exe Infected: Trojan-Clicker.Win32.Small.di
C:\Program Files\Norton AntiVirus\Quarantine\169C31CA.exe Infected: Trojan-Clicker.Win32.Small.di
C:\Program Files\Norton AntiVirus\Quarantine\169F5BC6.exe Infected: Trojan-Clicker.Win32.Small.di
C:\Program Files\Norton AntiVirus\Quarantine\35F6386D.exe Infected: Trojan-Clicker.Win32.Small.di
C:\Program Files\Norton AntiVirus\Quarantine\4B7E356F.exe Infected: Trojan-Clicker.Win32.Small.di
C:\Program Files\Norton AntiVirus\Quarantine\4F782907.exe Infected: Backdoor.Win32.IRCBot.az
C:\Program Files\Norton AntiVirus\Quarantine\4F782907.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\4F782907.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\4F782907.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\4F782907.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\4F782907.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\4F7B5303.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\4F7F7D00.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\4F8226FC.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\5B806FFC.exe Infected: Backdoor.Win32.Rbot.gen
C:\Program Files\Norton AntiVirus\Quarantine\61A67D38.exe Infected: Backdoor.Win32.Rbot.gen
C:\Program Files\Norton AntiVirus\Quarantine\64370462.exe Infected: Trojan-Clicker.Win32.Small.di
C:\Program Files\Norton AntiVirus\Quarantine\68EC0934.exe Infected: Trojan-Clicker.Win32.Small.di
C:\Program Files\Norton AntiVirus\Quarantine\69345182.exe Infected: Trojan-Clicker.Win32.Small.di
C:\Program Files\Norton AntiVirus\Quarantine\699A4829.exe Infected: Exploit.Win32.WebDav.n
C:\Program Files\Norton AntiVirus\Quarantine\6C724D54.exe Infected: Trojan-Clicker.Win32.Small.di
C:\Program Files\Norton AntiVirus\Quarantine\6E252B29.exe Infected: Trojan-Clicker.Win32.Small.di
C:\Program Files\Norton AntiVirus\Quarantine\6EFC7E3C.exe Infected: not-a-virus:AdWare.Win32.MDH.a
C:\Program Files\Norton AntiVirus\Quarantine\6F3447FF.exe Infected: Backdoor.Win32.Rbot.gen
C:\Program Files\Norton AntiVirus\Quarantine\7BC2367B.exe Infected: Trojan-Clicker.Win32.Small.di
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP208\A0029653.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP208\A0029653.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP208\A0029653.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP208\A0029653.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP208\A0029653.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP208\A0029663.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP208\A0029663.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP208\A0029663.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP208\A0029663.exe/WISE0027.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP208\A0029663.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP220\A0030676.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bc
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP220\A0030677.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bc
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP237\A0031974.exe Infected: Worm.Win32.VB.an
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP238\A0032060.exe Infected: Worm.Win32.VB.an
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP238\A0032061.exe Infected: Worm.Win32.VB.an
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP242\A0033400.dll Infected: not-a-virus:AdWare.Win32.EliteBar.z
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP242\A0033401.exe Infected: not-a-virus:AdWare.Win32.WinAD.k
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP242\A0033402.exe/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP242\A0033402.exe/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP242\A0033402.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP242\A0033403.exe Infected: not-a-virus:RiskTool.Win32.HideRun
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP242\A0033404.ocx Infected: Backdoor.IRC.Zapchast
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP242\A0033405.exe Infected: not-a-virus:AdWare.Win32.Apropos.b
C:\System Volume Information\_restore{12A76E5B-5F5B-4C01-982A-6103E6D20B56}\RP242\A0033406.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao
C:\WINDOWS\addins\pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill
C:\WINDOWS\sql2k3.exe/ms.exe Infected: not-a-virus:RiskTool.Win32.HideRun
C:\WINDOWS\sql2k3.exe/pskill.exe Infected: not-a-virus:NetTool.Win32.PsKill
C:\WINDOWS\sql2k3.exe/mstask32.exe Infected: Backdoor.Win32.mIRC-based
C:\WINDOWS\sql2k3.exe/sca.exe Infected: Exploit.Win32.WebDav.n
C:\WINDOWS\sql2k3.exe/svchost.exe Infected: not-a-virus:RiskTool.Win32.HideWindows
C:\WINDOWS\sql2k3.exe/sc.ocx Infected: Backdoor.IRC.Zapchast
C:\WINDOWS\sql2k3.exe Infected: Backdoor.IRC.Zapchast

Scan process completed.

[Linkmaster]

Show Hidden Files :
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Do Not Run This Yet
Download and Install Ad-aware SE© by Lavasoft
NOTE: If you have a previous version of Ad-Aware installed, during the installation of the new version (1.06) you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
Close ALL windows except Ad-Aware SE.

Click on the ‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
Close Adaware SE

Delete the files in Norton's Quarantine folder

Go to Start, Control Panel, Add/Remove Programs
Uninstall these entries : (if present)

Save Now
winupdates

**Turn off System Restore**
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
Check "Turn off System Restore"
Click Apply, then click OK and Reboot

**Turn ON System Restore**
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
UN-Check "Turn off System Restore"
Click Apply, then click OK

Setup & Run AdAwareSE
Click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:

In the General window make sure the following are selected in green:

Under Safety:
Automatically save log-file
Automatically quarantine objects prior to removal
Safe Mode (always request confirmation)

Under Definitions:
Prompt to update outdated definitions - set the number of days
Click on the ‘Scanning’ button on the left and select in green:

Under Driver, Folders & Files:
Scan Within Archives

Under Select drives & folders to scan:
Choose all hard drives

Under Memory & Registry:all green
Scan Active Processes
Scan Registry
Deep Scan Registry
Scan my IE favorites for banned URL’s
Scan my Hosts file

Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
Move deleted files to recycle bin

Under Logfile Detail Level:all green
include addtional object information
DESELECT - include negligible objects information
include environment information

Under Alternate Data Streams:
Don't log streams smaller than 0 bytes
Don't log ADS with the following names: CA_INOCULATEIT

Click the ‘Tweak’ button and select in green:

Under Scanning Engine:
Unload recognized processes during scanning
Scan registry for all users instead of current user only

Under Cleaning Engine:
Let Windows remove files in use at next reboot

Under Log Files:
Include basic Ad-aware SE settings in logfile
Include additional Ad-aware SE settings in logfile
Please do not check: Include Module list in logfile

Click on Proceed to save the settings.

Click Start

Choose Perform Full System Scan

DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

Click Next and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

Click on Next and check all the boxes in the window

Click Next and OK to remove

Close AdawareSE

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

Press control-alt-delete and end the following processes by clicking once on them and then clicking the End Process button: (if present)

sql2k3.exe
pskill.exe

Exit the Task Manager

Open Windows Explorer, locate and Delete the following files in BOLD : (if present)

C:\WINDOWS\sql2k3.exe (delete if you did not install SQL)
C:\WINDOWS\addins\pskill.exe

While Windows Explorer is still open, locate and Delete the following folders in BOLD : (if present)

C:\Program Files\winupdates

Reboot to Normal Mode and post a fresh HijackThis log as a precaution.

Let us know how your system is running !!

Edited by Linkmaster, 03 November 2005 - 09:16 AM.

[makihara]

hello

thanks again for your help

notes: nothing recognised in adaware
in safe mode i deleted both files you mentioned

not sure what you meant by "delete if you did not install SQL"

so here's my log

Logfile of HijackThis v1.99.1
Scan saved at 19:54:12, on 04/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.broadband.blueyonder.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.broadband.blueyonder.co.uk
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


kind regards
james

[Linkmaster]

Im sorry, I should have made myself more clear. If you didnt install any programs using SQL then delete the file. My mistake!!

Did you also delete the winupdates folder??

How is your system running now ??

Congratulations! Your log is CLEAN !!

Here are a few tools that I recommend for protecting your system and keeping your system clean !!

Real Time Prevention
SpywareBlaster

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, select all, protect against checked. All done. Check for updates every couple of weeks. If you have any errors running the program like a missing file see the link at the bottom of the javacool page.
IESpyad© by EHowes : This will add several hundred Restricted Sites to the Restricted site zone in IE.

Cleaner:
CCleaner is a good app to clean out temp files, cookies, recent folder(win2000) and Prefetch folder(XP), etc

Spyware Scanners:
Ad-aware SE Scans your system for spyware and other threats
a² Scanner : Scans for Malware and Trojans on your system.

Good Free Antivirus Programs:
AVG
Avast!
NOTE:Remember always have just 1 antivirus program running at a time. Having more than one running causes a conflict between the programs !! You can use one as a backup to run manually

Windows Update:
It's also very important to keep your system up to date to avoid unnecessary security risks
Windows Update

Firewalls:
If you have an "always on " internet connection, such as DSL or Cable, I recommend a Firewall.
A firewall will make your pc invisible to the outside world and will filter the outgoing and incoming traffic on your pc.
For a good idea of how vulnerable your system(s) are go to GRC
Scroll down to "Shields Up" Click on "Proceed" Then click on "Common Ports"to scan your ports.
2 very good Firewalls:
Sygate
ZoneAlarm

These next steps are optional, but will provide the greatest protection
Use ANY browser besides Internet Explorer, almost every exploit is crafted to take advantage of an IE weakness.
Alternative Browsers:
FireFox
Opera

Sun's Java. It's much more secure than Microsoft's Java Virtual Machine .

It's okay to delete the HijackThis folder if everything is working okay.

Always keep your Antivirus & Spyware Removal Tools current with the latest definitions and updates !!

Using these tools and keeping them updated will reduce the risk of future infections!!

Do you have any questions??

Edited by Linkmaster, 05 November 2005 - 01:28 AM.

[makihara]

So, my system is clean
thanks very much

oh and yes i deleted the winupdates folder.
my system has been runnning fine since i used system restore. But you know there's always little things that you don't realise are there. So thanks for helping me with that.
Actually there still is one possible problem. I was wondering if you could tel me a little about the system idle process in task manager. I know it's meant to use a high amount of CPU but mine seems to use quite a lot more, even when the computer is not idle.

pretty much everything you mentioned i have installed

except i have spybot s and d, not a^2 scanner.

oh and i only have windows firewall, which i know isn't very good but when i tryed the test you suggested i passed 100%.

Your system has achieved a perfect "TruStealth" rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.

so i don't know if i need the firewall now?

oh and i'm still a bit confused by this SQL thing. what exactly does SQL stand for and what is it?

thanks so much
kind regards
james

[Linkmaster]

You are very welcome ! Glad I could help

Windows Firewall isnt as "Feature Rich" as the third party ones I suggested.
Here are a few links to read up on it and various opinions so you can decide:
http://www.microsoft...p2_wfintro.mspx
http://www.flexbeta....tion=show&id=76
http://www.pcworld.c...d,117380,00.asp

SQL stands for Structured Query Language
SQL is an ANSI (American National Standards Institute) standard computer language for accessing and manipulating database systems. SQL statements are used to retrieve and update data in a database. SQL works with database programs like MS Access, DB2, Informix, MS SQL Server, Oracle, Sybase, etc.

System Idle Process:
Not an expert on that but mine , for instance is :
CPU : 99
Mem Usage : 20k
the System Idle Process is not a process, more a counter which is displayed in WinTasks used for measuring how much idle time the CPU is having at any particular time. This counter will display how much CPU Resources, as a percentage are 'idle' and available for use.

Hope that helps !

If you dont have any problems I will mark this Thread as "Resolved" !

Glad to be of help!!

Edited by Linkmaster, 05 November 2005 - 03:59 AM.

[makihara]

super duper, thanks again

james

[Linkmaster]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.