Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Can't Get Rid of Remaining Pop-Ups [RESOLVED]

Started by Cyberkashi , Nov 16 2005 09:31 AM

This topic is locked

#1
Cyberkashi

Posted 16 November 2005 - 09:31 AM

New Member

Member
8 posts

I downloaded and opened a file from a questionable source and totally hosed my new system. Since I had spent close to 3 weeks configuring it I am determined to clean it rather than wipe the 50GB of data on it.

I have confirmed that in the last 36 hours I have had and mostly removed the following problems:
Spy Sheriff |Apropos.c | Look2Me (removed multiple times but seems to come back) | Target Saver | KorgoWorm Gen | NDotNet | Zesty Find | I Search | Dollar Revenue | AND A HOST OF TROJANS TOO NUMEROUS TO NAME.

I have spent the better part of that 36 hours running: Ad-Aware, Norton Anti-Virus, Trend Micro Anti-Spy | SpyBot Search & Destroy | S_t_i_n_g_e_r | CW Shredder | Ad-Watch

I have slewthed the names of the various files and crawled through sections of the registry and my hard disk (through Windows and CMD), deleting what I could identify and unload. I have mostly recovered from a desktop with no icons and no functional start menu to a mostly functional system with annoying popups. I am hoping one of you can get me through this last stretch.

One note: I ran a VX2nasty add-in utility from Ad-Aware and got a message that I may have a new variant of VX2. I reported it and sent them a copy of the log file.

Below is my log file from Hijack This.

I am curious about that Host: .com line since I seem to be getting a recurring group of popup adds on my desktop.

Logfile of HijackThis v1.99.1
Scan saved at 10:29:52 AM, on 11/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Anti-Spyware\Tmas.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: .com
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 6\SnagItIEAddin.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Ad-Aware] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" +c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Anti-Spyware\Tmas.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_98.dll' missing
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129596810503
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\hr4m05h1e.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Edited by Cyberkashi, 16 November 2005 - 09:33 AM.

#2
Rawe

Posted 16 November 2005 - 11:00 AM

Visiting Staff

Member
4,746 posts

Hello and welcome..

Download Hoster.zip:

Unzip Hoster to a convenient folder such as C:\Hoster.
Run Hoster.exe from its new home.
Click "Make Hosts Writable?" in the upper right corner (If available).
Click Restore Original Hosts and then click OK.
Click the X to exit the program.

After that..

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):

Click the Free Trial link under to "SpySweeper" to download the program.
Install it. Once the program is installed, it will open.
It will prompt you to update to the latest definitions, click Yes.
Once the definitions are installed, click Options on the left side.
Click the Sweep Options tab.
Under What to Sweep please put a check next to the following:
- Sweep Memory
- Sweep Registry
- Sweep Cookies
- Sweep All User Accounts
- Enable Direct Disk Sweeping
- Sweep Contents of Compressed Files
- Sweep for Rootkits
- Please UNCHECK Do not Sweep System Restore Folder.
Click Sweep Now on the left side.
Click the Start button.
When it's done scanning, click the Next button.
Make sure everything has a check next to it, then click the Next button.
It will remove all of the items found.
Click Session Log in the upper right corner, copy everything in that window.
Click the Summary tab and click Finish.
Paste the contents of the session log you copied into your next reply.

#3
Cyberkashi

Posted 16 November 2005 - 05:00 PM

New Member

Topic Starter
Member
8 posts

Thanks for responding Rawe!
I ran Hoster as you suggested and then I ran Hijack This again to see the difference. Hoster got rid of the Hosts : .com file but I didn't notice any other changes.

Webroot Spy Sweeper was awsome. It found all sorts of trogans and backdoors. It did close my quick lauch bar and unload a Windows PowerToy from Microsoft, but I can get those back. Here is the log file from Spy Sweeper.

:tazz:

Is my system clean or is there more to do?

********
5:09 PM: | Start of Session, Wednesday, November 16, 2005 |
5:09 PM: Spy Sweeper started
5:09 PM: Sweep initiated using definitions version 573
5:09 PM: Starting Memory Sweep
5:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:10 PM: Found Adware: icannnews
5:10 PM: Detected running threat: C:\WINDOWS\system32\k8440ihqe84e0.dll (ID = 83)
5:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:11 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:11 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:12 PM: Detected running threat: C:\WINDOWS\system32\mdvcrt40.dll (ID = 83)
5:12 PM: Detected running threat: C:\WINDOWS\system32\guard.tmp (ID = 83)
5:12 PM: Memory Sweep Complete, Elapsed Time: 00:02:30
5:12 PM: Starting Registry Sweep
5:12 PM: Found Trojan Horse: trojan-backdoor-zubox
5:12 PM: HKCR\appid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (ID = 650832)
5:12 PM: HKCR\clsid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (3 subtraces) (ID = 650833)
5:12 PM: HKLM\software\windows\ || shots (ID = 650869)
5:12 PM: HKLM\software\classes\appid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (ID = 650872)
5:12 PM: HKLM\software\classes\clsid\{78364d99-a640-4ddf-b91a-67eff8373045}\ (3 subtraces) (ID = 650873)
5:12 PM: Found Trojan Horse: spamrelayer_alpiok
5:12 PM: HKCR\clsid\{7368d5fc-6f5c-4f5b-b964-e67214f67852}\ (3 subtraces) (ID = 913291)
5:12 PM: HKLM\software\classes\clsid\{7368d5fc-6f5c-4f5b-b964-e67214f67852}\ (3 subtraces) (ID = 913513)
5:12 PM: Found Adware: trojan-backdoor-lev
5:12 PM: HKCR\clsid\{73f8d5ff-6f5c-4f5b-b964-e6f214f6f852}\ (3 subtraces) (ID = 956440)
5:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:12 PM: Registry Sweep Complete, Elapsed Time:00:00:15
5:12 PM: Starting Cookie Sweep
5:12 PM: Found Spy Cookie: servlet cookie
5:12 PM: cyberkashi@servlet[2].txt (ID = 3345)
5:12 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:12 PM: Starting File Sweep
5:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:12 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:12 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:13 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:13 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:14 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:14 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:15 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:15 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:16 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:16 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:17 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:17 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:18 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:18 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:19 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:19 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:20 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:20 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:21 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:21 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:22 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:22 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:23 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:23 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:24 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:24 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:25 PM: Found Trojan Horse: trojan-backdoor-securemulti
5:25 PM: sysvcs.exe (ID = 188677)
5:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:25 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:25 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:26 PM: Found Adware: spysheriff
5:26 PM: secure32.html (ID = 184319)
5:26 PM: Found Adware: redvpopup
5:26 PM: whip.wav (ID = 73692)
5:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:26 PM: secure32.html (ID = 184319)
5:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:26 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:26 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:27 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:27 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:29 PM: ~update.exe (ID = 188677)
5:29 PM: jfamlbge.exe (ID = 185211)
5:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:29 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:29 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:30 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:30 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:31 PM: pop.wav (ID = 73686)
5:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:31 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:31 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:32 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:32 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:33 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:33 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:33 PM: Found Adware: look2me
5:33 PM: icont.exe (ID = 65739)
5:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:34 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:34 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:35 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:35 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:35 PM: Found System Monitor: potentially rootkit-masked files
5:35 PM: imanmnt.sys (ID = 0)
5:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:36 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:36 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:37 PM: File Sweep Complete, Elapsed Time: 00:25:03
5:37 PM: Full Sweep has completed. Elapsed time 00:27:54
5:37 PM: Traces Found: 36
5:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:37 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:37 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:39 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:40 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:41 PM: Removal process initiated
5:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:41 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:41 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:42 PM: Quarantining All Traces: icannnews
5:42 PM: icannnews is in use. It will be removed on reboot.
5:42 PM: C:\WINDOWS\system32\k8440ihqe84e0.dll is in use. It will be removed on reboot.
5:42 PM: C:\WINDOWS\system32\mdvcrt40.dll is in use. It will be removed on reboot.
5:42 PM: C:\WINDOWS\system32\guard.tmp is in use. It will be removed on reboot.
5:42 PM: Quarantining All Traces: look2me
5:42 PM: Quarantining All Traces: potentially rootkit-masked files
5:42 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
5:42 PM: imanmnt.sys is in use. It will be removed on reboot.
5:42 PM: Quarantining All Traces: spamrelayer_alpiok
5:42 PM: Quarantining All Traces: spysheriff
5:42 PM: Quarantining All Traces: trojan-backdoor-securemulti
5:42 PM: Quarantining All Traces: trojan-backdoor-zubox
5:42 PM: Quarantining All Traces: redvpopup
5:42 PM: Quarantining All Traces: trojan-backdoor-lev
5:42 PM: Quarantining All Traces: servlet cookie
5:42 PM: Warning: Launched explorer.exe
5:42 PM: Warning: Quarantine process could not restart Explorer.
5:43 PM: Preparing to restart your computer. Please wait...
5:43 PM: Removal process completed. Elapsed time 00:01:52
********
5:06 PM: | Start of Session, Wednesday, November 16, 2005 |
5:06 PM: Spy Sweeper started
5:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:07 PM: Your spyware definitions have been updated.
5:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
5:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:08 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
5:09 PM: | End of Session, Wednesday, November 16, 2005 |

Edited by Cyberkashi, 16 November 2005 - 05:02 PM.

#4
Rawe

Posted 16 November 2005 - 11:33 PM

Visiting Staff

Member
4,746 posts

We might be finished already, I'd need to see a fresh HijackThis log to confirm it, please. :tazz:

#5
Cyberkashi

Posted 17 November 2005 - 08:55 AM

New Member

Topic Starter
Member
8 posts

I downloaded an installed the new Zone Alarm (the older version gave me a blue screen--not compatable with Service Pack 2). Zone Alarm does a much better job of protecting. I thought I would have been okay with Norton running but it obviously did a lousy job.

Here is a current Hijack this report:

Logfile of HijackThis v1.99.1
Scan saved at 9:51:51 AM, on 11/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Program Files\Anti-Spyware\Tmas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\OPScan.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Ad-Aware] "C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" +c
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6400 on HAGRID] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P34 "Auto EPSON Stylus CX6400 on HAGRID" /O26 "\\HAGRID\EPSONStylusCX6400" /M "Stylus CX6400"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Anti-Spyware\Tmas.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1129596810503
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#6
Rawe

Posted 17 November 2005 - 12:43 PM

Visiting Staff

Member
4,746 posts

Yup, looks clean to me :tazz:

Let's clear out your restore points now.

Disable System Restore;

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. An message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".

Reboot.

Enable System Restore;

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".

Be sure to set a new restore point.

Here's some tips for future to prevent spyware;

Detect and Remove Programs:

How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

Prevention Programs:

Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar <= Get the free google toolbar to help stop pop up windows.

Other necessary Programs:

AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
Firewall <= A firewall is definatley a must have. Two good free versions are Sygate and ZoneLabs.
More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
EULAlyzer by Javacool <= No need to read End user license agreements when installing software--

# Discover potentially hidden behavior about the software you're going to install
# Pick up on things you missed when reading license agreements
# Keep a saved database of the license agreements you view
# Instant results - super-fast analysis in just a second

And also see TonyKlein's good advice;
So how did I get infected in the first place? (My favourite)

#7
Cyberkashi

Posted 17 November 2005 - 01:25 PM

New Member

Topic Starter
Member
8 posts

Thanks Rawe. You've been awsome!!!

#8
Rawe

Posted 17 November 2005 - 11:13 PM

Visiting Staff

Member
4,746 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.