TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Andyboy on January 07, 2005, 03:35:47 PM
-
I've installed and run Adaware and Spybot and between them they find plenty of spyware on my machine. But I don't seem to then be able to remove it.
I've now downloaded Hijackthis, and am at a loss as to what to do next, other than set fire to my pc.
Any suggestions as to what to do with the following would be much appreciated...
Logfile of HijackThis v1.99.0
Scan saved at 19:23:17, on 07/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {8EB48E63-2152-F316-A524-2B06602A4260} - C:\WINDOWS\sdknk32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Envy24\EnMixCPL.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [sysxs.exe] C:\WINDOWS\system32\sysxs.exe
O4 - HKLM\..\RunOnce: [sysac.exe] C:\WINDOWS\sysac.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Reboot.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted IP range: (HKLM)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://messenger.msn.com/download/msnmessengersetupdownloader.cab)
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\winun32.exe (file missing)
Thank you...
-
I assume your attack and spyware is coming in through ActiveX, but by using SpywareBlaster 3.2 you can block unwanted spyware before it gets on your computer. But that still doesn't help you clean off what you've got there now. I'm not too much more help, sorry.
-
Thanks jcurrieirocz, I'll add ActiveX to my reading list and research list (I'm quite new to computing and eager to learn as much as I can) and I'll organise a SpywareBlaster download as soon as I've resolved this little mess....
Cheers
-
Hi Andyboy, can you do me a favor
Redownload Hijackthis and save it to a Permanent folder
Important: Create a Permanent folder for Hijackthis
Double Click "MY Computer"
Open your C: drive
Click "File" >>> "New" >>>> "Folder"
A new folder will be created, name it HJT
Now you will have C:\HJT
Download Hijackthis from CLICK HERE (https://ssl.perfora.net/tools.radiosplace.com/HijackThis.exe) or CLICK HERE (http://aumha.org/downloads/hijackthis.exe)
Save it to that new folder
Once you have done that
Could you also Download and save to desktop ServiceFilter.zip (http://home.comcast.net/~rand1038/vbscript/ServiceFilter.zip)
A script by rand1038 that reveals potential unauthorised running services in your system.
Unzip the contents to a folder
Double-click ServiceFilter.vbs. If you get a prompt from your anti-virus, allow this to run; we are just collecting information.
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.
Also, post back a Fresh hijackthis log
-
OK, first up, I've moved the location of hijackthis, rebooted and ran the scan. Log is below;
Logfile of HijackThis v1.99.0
Scan saved at 18:43:10, on 08/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\sysac.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Envy24\EnMixCPL.exe
C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\sysxs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Office keyboard utility\1.2\MMKEYB.EXE
C:\Program Files\Office keyboard utility\1.2\TrayMon.exe
C:\Program Files\Office keyboard utility\1.2\osd.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C12F704-431A-97DB-D01E-19248DFCBC19} - C:\WINDOWS\system32\apptf32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Envy24\EnMixCPL.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [sysxs.exe] C:\WINDOWS\system32\sysxs.exe
O4 - HKLM\..\RunOnce: [sysac.exe] C:\WINDOWS\sysac.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://messenger.msn.com/download/msnmessengersetupdownloader.cab)
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\winun32.exe (file missing)
I also downloaded and ran the ServiceFilter script you described, though I was surprised to find only the keyboard driver and Norton in it? See below....
The script did not recognize the services listed below.
This does not mean that they are a problem.
To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"
########################################
ServiceFilter 1.1
by rand1038
Microsoft Windows XP Professional
Version: 5.1.2600 Service Pack 2
Jan 8, 2005 18:39:11
===> Begin Service Listing <===
Unknown Service #1
Service Name: nhksrv
Display Name: Netropa NHK Server
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\office keyboard utility\1.2\nhksrv.exe
State: Running
Process ID: 1820
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True
Unknown Service #2
Service Name: NProtectService
Display Name: Norton Unerase Protection
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\norton antivirus\advtools\nprotect.exe
State: Running
Process ID: 1920
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Finally, I switched to Firefox this afternoon, and seem to have much less difficulty with this browser. Still, I feel the PC is infected with all sorts....
Suggestions for my next steps much appreciated.
Thanks again..Andyboy
-
Let's try some cleanup on your machine
I'm assuming that you're using Firefox
So could you please
Download this zipped file Clean.zip <<Removed link
To make that link work properly you will have to Right click on it and Copy Link Location
Paste it to the Firefox Address bar and hit Go or Enter
Save the zipped file to your desktop and UNZIP the contents to your desktop
We'll need these later, don't run them yet
Could you also Create a New folder on your desktop, call it Aboutbuster
Right click an empty spot on the desktop, Select NEW>>FOLDER
Download to desktop About:Buster (http://www.malwarebytes.biz/AboutBuster.zip)
by RubbeR Ducky
Unzip it to that new folder
Open About:Buster.exe and check for updates, after updating could you just close it out for now
Can you please print the rest of this out or save it to a Notepad file on your desktop for easy access
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Restart your computer into SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039)
Go to START>>>RUN>>>type in services.msc
and hit Enter or OK
In the next window, look on the right hand side for this service
name---- Network Security Service <--exact service name
Double click on it. If you find it and it is not already set to Disabled, STOP the service.
In the drop down menu, change the startup type to Disabled
Do the same thing for
ZESOFT
Stay in safe mode and access your task manager
Right click the bottom task bar and select Task Manager
End process on these if still running
sysxs.exe
sysac.exe
Find and delete these files or folder if they exist
FILES
C:\WINDOWS\sysac.exe <--this file
C:\WINDOWS\system32\sysxs.exe
C:\WINDOWS\system32\apptf32.dll
C:\WINDOWS\zeta.exe
C:\WINDOWS\winun32.exe
FOLDER
C:\Program Files\Common Files\tsa <--this folder
Again, in safe mode
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
O2 - BHO: (no name) - {5C12F704-431A-97DB-D01E-19248DFCBC19} - C:\WINDOWS\system32\apptf32.dll
O4 - HKLM\..\Run: [sysxs.exe] C:\WINDOWS\system32\sysxs.exe
O4 - HKLM\..\RunOnce: [sysac.exe] C:\WINDOWS\sysac.exe
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\winun32.exe (file missing)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
Navigate to About:Buster
Start About:Buster and hit OK. Now for the scanning part. Hit Start and then OK. The program should start scanning. Scan a second time. Save the log, then hit Exit.
Right-click on DelDomains.inf and select: Install
This will remove all entries in the "Trusted Zone" and "Ranges"
Double click on cwsserviceremove.reg and Allow it to merge to the Registry
Double click on zesoft.reg Again, allow to merge
Restart back to Normal mode
Ensure you're running the latest version of Ad-Aware>>The latest is Ad-Aware SE 1.05
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All Objects" option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer to finish the cleaning process
Ensure you have the latest of Spybot
SEARCH FOR UPDATES button, Check and download all updates
Click the "Search and Destroy" Button
In the right window, click the
Check for Problems. Let it complete its scanning. Ensure to check and FIX Checked Problems (everything in RED; they should be checked by default)
Restart your computer again to finish the cleaning process
Open Hijackthis>>Open Misc Tools Section>>Open Host file manager
If it prompts you to create a new Hosts file--allow it
Search for these files on your computer and let me know if you can find them
They're not bad, but may need to be replaced
SDHelper.dll - If you have Spybot Search & Destroy installed, download a new SDHelper.dll from HERE (http://www.spywareinfo.com/~merijn/winfiles.html#shell) and unzip it to the default Spybot folder.
* The normal path is C:\Program Files\Spybot - Search & Destroy.
You can check if this feature is enabled,
Open Spybot>>Click Mode>>Advanced Mode>>
Click Tools>>RESIDENT>>Put a check in Resident SDHELPER
Look in your system32 folder for shell.dll
If it is not there, Go into System32\dllcache folder
Find shell.dll
Right click on shell.dll and choose copy from the menu. Then paste it into the
system32 folder
Check ActiveX security settings:
* In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled) or prompt
o Script ActiveX controls marked safe for scripting (Prompt)
It's always a good idea after this particular infection to
run an Online Virus scan at Trend Micro's (http://housecall.trendmicro.com/)---Set to AutoClean
Post back a fresh hijackthis log and let me know how everything's running
Could you also post back the About:Buster logs, thanks
-
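The triage the helper applies to the log above, written out as rules. This is an added example in Python, not code from the thread, from HijackThis or from any tool named here. It runs over lines copied from the logs posted in this thread (embedded as a constructed sample, with a few benign entries left in) and flags the same classes of entry the helper ticks: R0/R1 start and search pages that point into a local DLL via res://, unnamed BHOs, O4 autoruns that sit in the Windows root or are named after their own file, every O15 Trusted Zone or Trusted IP range entry, and O23 services whose binary is missing. The allowlist of unnamed BHOs and the remove/review severities are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample input: lines copied from the HijackThis logs posted in this
# thread, with a few benign entries left in so the rules have something to ignore.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\nyoez.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C12F704-431A-97DB-D01E-19248DFCBC19} - C:\WINDOWS\system32\apptf32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [sysxs.exe] C:\WINDOWS\system32\sysxs.exe
O4 - HKLM\..\RunOnce: [sysac.exe] C:\WINDOWS\sysac.exe
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted IP range: 206.161.125.149
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
"""

# BHOs that legitimately register with no name. Spybot's SDHelper.dll is the one
# that appears in this thread; extend the set for your own machine (assumption).
KNOWN_UNNAMED_BHO = {"sdhelper.dll"}

# An executable sitting directly in the Windows root (C:\WINDOWS\x.exe), not a subfolder.
WINDOWS_ROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.IGNORECASE)
# "[key name] target", with the target optionally double-quoted.
O4_ENTRY = re.compile(r'\[(?P<key>[^\]]+)\]\s+"?(?P<target>[^"]+?)"?\s*$')


@dataclass
class Finding:
    line: str
    severity: str  # "remove": tick in HijackThis / delete; "review": confirm by hand first
    reason: str


def _basename(path: str) -> str:
    return path.strip().split("\\")[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Apply the rules to each HijackThis line and collect what they flag."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]

        if kind in ("R0", "R1") and "res://" in line:
            findings.append(Finding(line, "remove",
                "IE start/search page points into a local DLL resource (CWS-style hijack)"))

        elif kind == "O2":
            # O2 - BHO: <name> - {CLSID} - <dll path>
            dll = line.rsplit(" - ", 1)[-1]
            if "(file missing)" in dll:
                findings.append(Finding(line, "remove", "BHO registered but its DLL is gone"))
            elif "(no name)" in line and _basename(dll) not in KNOWN_UNNAMED_BHO:
                findings.append(Finding(line, "remove", "unnamed BHO not on the allowlist"))

        elif kind == "O4":
            m = O4_ENTRY.search(line)
            if m:
                key, target = m.group("key"), m.group("target")
                if WINDOWS_ROOT.match(target):
                    findings.append(Finding(line, "remove",
                        "autorun executable dropped directly in the Windows root"))
                elif key.lower() == _basename(target):
                    findings.append(Finding(line, "remove",
                        "run key named after its own file: no vendor identity"))

        elif kind == "O15":
            findings.append(Finding(line, "remove",
                "site or IP range added to IE Trusted Zone: ActiveX/script limits bypassed there"))

        elif kind == "O23":
            if "(file missing)" in line:
                findings.append(Finding(line, "remove", "service registration whose binary is gone"))
            elif " - Unknown - " in line:
                findings.append(Finding(line, "review",
                    "service with no vendor string: confirm it belongs to installed software"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6}  {f.reason}\n        {f.line}")
```

Rules like these only catch what is visible in the line itself. The [Tsa2] entry under Common Files\tsa in the log above is not caught by any of them and is the kind of entry that needs a person, or a tool with its own reference list, to recognise. The Netropa keyboard service is why an Unknown vendor string alone only earns a "review": it is legitimate on this machine, and the ServiceFilter output above lists it for the same reason.
-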
Wow, that was an afternoon's work, but I finally feel that we're getting somewhere.
Brilliant, thank you.
Few points...
I could not find the following files/folders to delete....
FILES
C:\WINDOWS\system32\sysxs.exe
C:\WINDOWS\system32\apptf32.dll
C:\WINDOWS\zeta.exe
C:\WINDOWS\winun32.exe
FOLDER
C:\Program Files\Common Files\tsa <--this folder
And, in the HJT scan, I didn't find
O2 - BHO: (no name) - {5C12F704-431A-97DB-D01E-19248DFCBC19} - C:\WINDOWS\system32\apptf32.dll
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
And finally, the zesoft registry merge would not proceed, due to the "specified file is not registry script"
Any way, all else has gone ok so far.
Below is the HJT log file and below that the About:Buster log file.
Anything else need to be done? Oh, I'm just sorting out the Trend Micro scan, but I haven't finished downloading the required application etc yet.
Thanks for the help so far, you guys are amazing.
Logfile of HijackThis v1.99.0
Scan saved at 22:28:32, on 09/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Envy24\EnMixCPL.exe
C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\Office keyboard utility\1.2\MMKEYB.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Office keyboard utility\1.2\TrayMon.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Office keyboard utility\1.2\osd.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Winamp\Winamp.exe
C:\hijackthis\HijackThis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {649DE2FA-69DB-9E46-A672-0E8D3E4D18A3} - C:\WINDOWS\system32\ipfm.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Envy24\EnMixCPL.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab (http://messenger.msn.com/download/msnmessengersetupdownloader.cab)
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
Scanned at: 18:25:30 on: 09/01/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 22
Removed Data Streams:
C:\WINDOWS\desktop.ini:vliob
C:\WINDOWS\hicik.dat:yndlr
C:\WINDOWS\KB835732.log:cephb
C:\WINDOWS\KB841356.log:zxbfi
C:\WINDOWS\KB841533.log:ufand
C:\WINDOWS\KB873376.log:nftax
C:\WINDOWS\REGLOCS.OLD:izljj
C:\WINDOWS\setuplog.txt:qsedz
C:\WINDOWS\SIS_LIB.DLL:kjydl
C:\WINDOWS\Soap Bubbles.bmp:drcpn
C:\WINDOWS\svcpack.log:vsvch
C:\WINDOWS\ucatj.dll:gljhn
C:\WINDOWS\vbaddin.ini:ymcmq
C:\WINDOWS\wiaservc.log:qnurk
C:\WINDOWS\winamp.ini:vecvr
Removed 4 Random Key Entries
Removed! : C:\WINDOWS\eaeyb.dat
Removed! : C:\WINDOWS\hicik.dat
Removed! : C:\WINDOWS\mmnvi.dat
Removed! : C:\WINDOWS\system32\aixrc.dat
Removed! : C:\WINDOWS\system32\gnuwz.dat
Removed! : C:\WINDOWS\system32\qrysp.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 22
Removed Data Streams:
C:\WINDOWS\desktop.ini:vliob
C:\WINDOWS\hicik.dat:yndlr
C:\WINDOWS\KB835732.log:cephb
C:\WINDOWS\KB841356.log:zxbfi
C:\WINDOWS\KB841533.log:ufand
C:\WINDOWS\KB873376.log:nftax
C:\WINDOWS\REGLOCS.OLD:izljj
C:\WINDOWS\setuplog.txt:qsedz
C:\WINDOWS\SIS_LIB.DLL:kjydl
C:\WINDOWS\Soap Bubbles.bmp:drcpn
C:\WINDOWS\svcpack.log:vsvch
C:\WINDOWS\ucatj.dll:gljhn
C:\WINDOWS\vbaddin.ini:ymcmq
C:\WINDOWS\wiaservc.log:qnurk
C:\WINDOWS\winamp.ini:vecvr
Attempted Clean Of Temp folder.
Pages Reset... Done!
-
The reg script for zesoft works fine on my end, did you unzip the contents first?
Try this
Open Notepad (START>>>RUN>>>type in notepad) hit Enter
Copy the contents of the Quote box to notepad
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as zesoft.reg
Save it on the desktop
REGEDIT4
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ZESOFT]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ZESOFT]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ZESOFT]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ZESOFT]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ZESOFT]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\ZESOFT]
Double click on zesoft.reg and allow to merge
Do another scan with Hijackthis and put a check next to these entries:
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {649DE2FA-69DB-9E46-A672-0E8D3E4D18A3} - C:\WINDOWS\system32\ipfm.dll (file missing)
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis
RESTART your computer
When you're back in Windows, can you run a couple more scans with About:Buster
Post the log from it
Also---Wherever you unzipped ServiceFilter to
Open the folder
Inside the folder will be another called "OnlyOnRequest"
Open that folder and copy and paste back the results from
"Services.txt"
Also post back a fresh hijackthis log
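As an added verification script (not from the thread, not part of HijackThis, About:Buster or ServiceFilter), assuming a current Windows PowerShell where Get-Item -Stream is available: it checks every control set for the ZESOFT service and LEGACY_ZESOFT enum keys that the .reg script above deletes, and lists alternate data streams under %WINDIR% of the kind About:Buster reported removing. The five-letter stream-name pattern is an assumption drawn from the log earlier in the thread.

```powershell
# Added verification example (not from the thread). Run from an elevated
# PowerShell prompt after merging zesoft.reg and rebooting.

# Service name taken from the thread's reg script.
$ServiceName = 'ZESOFT'

function Test-ServiceRemnants {
    param([string]$Name)
    $findings = @()
    # Enumerate every ControlSetNNN plus CurrentControlSet, as the reg script did.
    $controlSets = @(Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^ControlSet\d{3}$' } |
        ForEach-Object { $_.PSChildName })
    $controlSets += 'CurrentControlSet'
    foreach ($cs in $controlSets) {
        foreach ($sub in @("Services\$Name", "Enum\Root\LEGACY_$Name")) {
            $path = "HKLM:\SYSTEM\$cs\$sub"
            if (Test-Path -LiteralPath $path) {
                $findings += $path
            }
        }
    }
    return $findings
}

function Get-SuspiciousStreams {
    param(
        [string]$Directory = $env:WINDIR,
        [switch]$Recurse
    )
    # ':$DATA' is the file's own content; Zone.Identifier is the normal
    # "downloaded from the Internet" marker. Everything else is worth a look.
    $benign = @(':$DATA', 'Zone.Identifier')
    Get-ChildItem -LiteralPath $Directory -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $benign -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        Length     = $_.Length
                        # Assumption: random five-letter names like "desktop.ini:vliob"
                        # in the About:Buster log are the pattern to flag.
                        RandomName = ($_.Stream -match '^[a-z]{5}$')
                    }
                }
        }
}

$remnants = @(Test-ServiceRemnants -Name $ServiceName)
if ($remnants.Count -eq 0) {
    Write-Host "No $ServiceName service or LEGACY_$ServiceName enum keys remain."
} else {
    Write-Warning "Remaining keys (re-merge the .reg or delete them manually):"
    $remnants | ForEach-Object { Write-Host "  $_" }
}

# About:Buster's list covered %WINDIR% itself; add -Recurse to include system32 too.
Get-SuspiciousStreams -Directory $env:WINDIR |
    Sort-Object RandomName -Descending |
    Format-Table -AutoSize
```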
-
OK back on it....
zesoft.reg merge done successfully.
About:Buster log as follows:
Scanned at: 19:56:02 on: 11/01/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 22
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 22
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
Looks good right (?)
ServiceFilter 'only on request' log looks like this:
###################################################
Please do not post the contents of this document
unless the person helping you specifically requests
to see Services.txt
Thank You
###################################################
ServiceFilter 1.1
by rand1038
Service Name: Alerter
Display Name: Alerter
Start Mode: Disabled
Start Name: NT AUTHORITY\LocalService
Description: Notifies selected users and computers of administrative alerts. If the service is stopped, ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k localservice
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: ALG
Display Name: Application Layer Gateway Service
Start Mode: Manual
Start Name: NT AUTHORITY\LocalService
Description: Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows ...
Service Type: Own Process
Path: c:\windows\system32\alg.exe
State: Running
Process ID: 3128
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: AppMgmt
Display Name: Application Management
Start Mode: Manual
Start Name: LocalSystem
Description: Provides software installation services such as Assign, Publish, and ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: aspnet_state
Display Name: ASP.NET State Service
Start Mode: Manual
Start Name: NT AUTHORITY\NetworkService
Description: Provides support for out-of-process session states for ASP.NET. If this service is stopped, ...
Service Type: Own Process
Path: c:\windows\microsoft.net\framework\v1.1.4322\aspnet_state.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: AudioSrv
Display Name: Windows Audio
Start Mode: Auto
Start Name: LocalSystem
Description: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: BITS
Display Name: Background Intelligent Transfer Service
Start Mode: Manual
Start Name: LocalSystem
Description: Transfers files in the background using idle network bandwidth. If the service is stopped, ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: Browser
Display Name: Computer Browser
Start Mode: Auto
Start Name: LocalSystem
Description: Maintains an updated list of computers on the network and supplies this list to computers ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False
Service Name: ccEvtMgr
Display Name: Symantec Event Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Symantec Event ...
Service Type: Own Process
Path: c:\program files\common files\symantec shared\ccevtmgr.exe
State: Running
Process ID: 576
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: ccPwdSvc
Display Name: Symantec Password Validation Service
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\common files\symantec shared\ccpwdsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False
Service Name: cisvc
Display Name: Indexing Service
Start Mode: Manual
Start Name: LocalSystem
Description: Indexes contents and properties of files on local and remote computers; provides rapid access to ...
Service Type: Share Process
Path: c:\windows\system32\cisvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: ClipSrv
Display Name: ClipBook
Start Mode: Disabled
Start Name: LocalSystem
Description: Enables ClipBook Viewer to store information and share it with remote computers. If the service is ...
Service Type: Own Process
Path: c:\windows\system32\clipsrv.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: COMSysApp
Display Name: COM+ System Application
Start Mode: Manual
Start Name: LocalSystem
Description: Manages the configuration and tracking of Component Object Model (COM)+-based components. If the ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{02d4b3f1-fd88-11d1-960d-00805fc79235}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: CryptSvc
Display Name: Cryptographic Services
Start Mode: Auto
Start Name: LocalSystem
Description: Provides three management services: Catalog Database Service, which confirms the signatures of ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: DcomLaunch
Display Name: DCOM Server Process Launcher
Start Mode: Auto
Start Name: LocalSystem
Description: Provides launch functionality for DCOM ...
Service Type: Share Process
Path: c:\windows\system32\svchost -k dcomlaunch
State: Running
Process ID: 920
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False
Service Name: Dhcp
Display Name: DHCP Client
Start Mode: Auto
Start Name: LocalSystem
Description: Manages network configuration by registering and updating IP addresses and DNS ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: dmadmin
Display Name: Logical Disk Manager Administrative Service
Start Mode: Manual
Start Name: LocalSystem
Description: Configures hard disk drives and volumes. The service only runs for configuration processes and ...
Service Type: Share Process
Path: c:\windows\system32\dmadmin.exe /com
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: dmserver
Display Name: Logical Disk Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Detects and monitors new hard disk drives and sends disk volume information to Logical Disk ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: Dnscache
Display Name: DNS Client
Start Mode: Auto
Start Name: NT AUTHORITY\NetworkService
Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k networkservice
State: Running
Process ID: 1164
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: ERSvc
Display Name: Error Reporting Service
Start Mode: Auto
Start Name: LocalSystem
Description: Allows error reporting for services and applictions running in non-standard ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: Eventlog
Display Name: Event Log
Start Mode: Auto
Start Name: LocalSystem
Description: Enables event log messages issued by Windows-based programs and components to be viewed in Event ...
Service Type: Share Process
Path: c:\windows\system32\services.exe
State: Running
Process ID: 756
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False
Service Name: EventSystem
Display Name: COM+ Event System
Start Mode: Manual
Start Name: LocalSystem
Description: Supports System Event Notification Service (SENS), which provides automatic distribution of events ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: FastUserSwitchingCompatibility
Display Name: Fast User Switching Compatibility
Start Mode: Manual
Start Name: LocalSystem
Description: Provides management for applications that require assistance in a multiple user ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: helpsvc
Display Name: Help and Support
Start Mode: Auto
Start Name: LocalSystem
Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: HidServ
Display Name: Human Interface Device Access
Start Mode: Disabled
Start Name: LocalSystem
Description: Enables generic input access to Human Interface Devices (HID), which activates and maintains the ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: HTTPFilter
Display Name: HTTP SSL
Start Mode: Manual
Start Name: LocalSystem
Description: This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k httpfilter
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: ImapiService
Display Name: IMAPI CD-Burning COM Service
Start Mode: Manual
Start Name: LocalSystem
Description: Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this ...
Service Type: Own Process
Path: c:\windows\system32\imapi.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False
Service Name: lanmanserver
Display Name: Server
Start Mode: Auto
Start Name: LocalSystem
Description: Supports file, print, and named-pipe sharing over the network for this computer. If this service ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True
Service Name: lanmanworkstation
Display Name: Workstation
Start Mode: Auto
Start Name: LocalSystem
Description: Creates and maintains client network connections to remote servers. If this service is stopped, ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True
Service Name: LmHosts
Display Name: TCP/IP NetBIOS Helper
Start Mode: Auto
Start Name: NT AUTHORITY\LocalService
Description: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k localservice
State: Running
Process ID: 1212
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: Messenger
Display Name: Messenger
Start Mode: Disabled
Start Name: LocalSystem
Description: Transmits net send and Alerter service messages between clients and servers. This service is not ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: mnmsrvc
Display Name: NetMeeting Remote Desktop Sharing
Start Mode: Manual
Start Name: LocalSystem
Description: Enables an authorized user to access this computer remotely by using NetMeeting over a corporate ...
Service Type: Own Process
Path: c:\windows\system32\mnmsrvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: MSDTC
Display Name: Distributed Transaction Coordinator
Start Mode: Manual
Start Name: NT AUTHORITY\NetworkService
Description: Coordinates transactions that span multiple resource managers, such as databases, message queues, ...
Service Type: Own Process
Path: c:\windows\system32\msdtc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: MSIServer
Display Name: Windows Installer
Start Mode: Manual
Start Name: LocalSystem
Description: Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this ...
Service Type: Share Process
Path: c:\windows\system32\msiexec.exe /v
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: navapsvc
Display Name: Norton AntiVirus Auto Protect Service
Start Mode: Auto
Start Name: LocalSystem
Description: Handles Norton AntiVirus Auto-Protect ...
Service Type: Own Process
Path: c:\program files\norton antivirus\navapsvc.exe
State: Running
Process ID: 664
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: NetDDE
Display Name: Network DDE
Start Mode: Disabled
Start Name: LocalSystem
Description: Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on ...
Service Type: Share Process
Path: c:\windows\system32\netdde.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: NetDDEdsdm
Display Name: Network DDE DSDM
Start Mode: Disabled
Start Name: LocalSystem
Description: Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares ...
Service Type: Share Process
Path: c:\windows\system32\netdde.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: Netlogon
Display Name: Net Logon
Start Mode: Manual
Start Name: LocalSystem
Description: Supports pass-through authentication of account logon events for computers in a ...
Service Type: Share Process
Path: c:\windows\system32\lsass.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: Netman
Display Name: Network Connections
Start Mode: Manual
Start Name: LocalSystem
Description: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: nhksrv
Display Name: Netropa NHK Server
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\office keyboard utility\1.2\nhksrv.exe
State: Running
Process ID: 520
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True
Service Name: Nla
Display Name: Network Location Awareness (NLA)
Start Mode: Manual
Start Name: LocalSystem
Description: Collects and stores network configuration and location information, and notifies applications when ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: NProtectService
Display Name: Norton Unerase Protection
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\norton antivirus\advtools\nprotect.exe
State: Running
Process ID: 804
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: NtLmSsp
Display Name: NT LM Security Support Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Provides security to remote procedure call (RPC) programs that use transports other than named ...
Service Type: Share Process
Path: c:\windows\system32\lsass.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: NtmsSvc
Display Name: Removable Storage
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: ose
Display Name: Office Source Engine
Start Mode: Manual
Start Name: LocalSystem
Description: Saves installation files used for updates and repairs and is required for the downloading of Setup ...
Service Type: Own Process
Path: c:\program files\common files\microsoft shared\source engine\ose.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: PlugPlay
Display Name: Plug and Play
Start Mode: Auto
Start Name: LocalSystem
Description: Enables a computer to recognize and adapt to hardware changes with little or no user input. ...
Service Type: Share Process
Path: c:\windows\system32\services.exe
State: Running
Process ID: 756
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False
Service Name: Pml Driver HPZ12
Display Name: Pml Driver HPZ12
Start Mode: Manual
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\windows\system32\hpzipm12.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False
Service Name: PolicyAgent
Display Name: IPSEC Services
Start Mode: Auto
Start Name: LocalSystem
Description: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security ...
Service Type: Share Process
Path: c:\windows\system32\lsass.exe
State: Running
Process ID: 768
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: ProtectedStorage
Display Name: Protected Storage
Start Mode: Auto
Start Name: LocalSystem
Description: Provides protected storage for sensitive data, such as private keys, to prevent access by ...
Service Type: Share Process
Path: c:\windows\system32\lsass.exe
State: Running
Process ID: 768
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: RasAuto
Display Name: Remote Access Auto Connection Manager
Start Mode: Manual
Start Name: LocalSystem
Description: Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: RasMan
Display Name: Remote Access Connection Manager
Start Mode: Manual
Start Name: LocalSystem
Description: Creates a network ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: RDSessMgr
Display Name: Remote Desktop Help Session Manager
Start Mode: Manual
Start Name: LocalSystem
Description: Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be ...
Service Type: Own Process
Path: c:\windows\system32\sessmgr.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: RemoteAccess
Display Name: Routing and Remote Access
Start Mode: Disabled
Start Name: LocalSystem
Description: Offers routing services to businesses in local area and wide area network ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: RemoteRegistry
Display Name: Remote Registry
Start Mode: Auto
Start Name: NT AUTHORITY\LocalService
Description: Enables remote users to modify registry settings on this computer. If this service is stopped, the ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k localservice
State: Running
Process ID: 1212
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: RpcLocator
Display Name: Remote Procedure Call (RPC) Locator
Start Mode: Manual
Start Name: NT AUTHORITY\NetworkService
Description: Manages the RPC name service ...
Service Type: Own Process
Path: c:\windows\system32\locator.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: RpcSs
Display Name: Remote Procedure Call (RPC)
Start Mode: Auto
Start Name: NT Authority\NetworkService
Description: Provides the endpoint mapper and other miscellaneous RPC ...
Service Type: Share Process
Path: c:\windows\system32\svchost -k rpcss
State: Running
Process ID: 980
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False
Service Name: RSVP
Display Name: QoS RSVP
Start Mode: Manual
Start Name: LocalSystem
Description: Provides network signaling and local traffic control setup functionality for QoS-aware programs ...
Service Type: Own Process
Path: c:\windows\system32\rsvp.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: SamSs
Display Name: Security Accounts Manager
Start Mode: Auto
Start Name: LocalSystem
Description: Stores security information for local user ...
Service Type: Share Process
Path: c:\windows\system32\lsass.exe
State: Running
Process ID: 768
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False
Service Name: SBService
Display Name: ScriptBlocking Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\progra~1\common~1\symant~1\script~1\sbserv.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 0
Accept Pause: False
Accept Stop: False
Service Name: SCardSvr
Display Name: Smart Card
Start Mode: Manual
Start Name: NT AUTHORITY\LocalService
Description: Manages access to smart cards read by this computer. If this service is stopped, this computer ...
Service Type: Share Process
Path: c:\windows\system32\scardsvr.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: Schedule
Display Name: Task Scheduler
Start Mode: Auto
Start Name: LocalSystem
Description: Enables a user to configure and schedule automated tasks on this computer. If this service is ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True
Service Name: seclogon
Display Name: Secondary Logon
Start Mode: Auto
Start Name: LocalSystem
Description: Enables starting processes under alternate credentials. If this service is stopped, this type of ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True
Service Name: SENS
Display Name: System Event Notification
Start Mode: Auto
Start Name: LocalSystem
Description: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: SharedAccess
Display Name: Windows Firewall/Internet Connection Sharing (ICS)
Start Mode: Auto
Start Name: LocalSystem
Description: Provides network address translation, addressing, name resolution and/or intrusion prevention ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: ShellHWDetection
Display Name: Shell Hardware Detection
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: True
Accept Stop: True
Service Name: Spooler
Display Name: Print Spooler
Start Mode: Auto
Start Name: LocalSystem
Description: Loads files to memory for later ...
Service Type: Own Process
Path: c:\windows\system32\spoolsv.exe
State: Running
Process ID: 1592
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: srservice
Display Name: System Restore Service
Start Mode: Auto
Start Name: LocalSystem
Description: Performs system restore functions. To stop service, turn off System Restore from the System ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k netsvcs
State: Running
Process ID: 1120
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: SSDPSRV
Display Name: SSDP Discovery Service
Start Mode: Manual
Start Name: NT AUTHORITY\LocalService
Description: Enables discovery of UPnP devices on your home ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k localservice
State: Running
Process ID: 1212
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: stisvc
Display Name: Windows Image Acquisition (WIA)
Start Mode: Auto
Start Name: LocalSystem
Description: Provides image acquisition services for scanners and ...
Service Type: Share Process
Path: c:\windows\system32\svchost.exe -k imgsvc
State: Running
Process ID: 1372
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{a0f87d39-9d38-4c7f-94d8-266c050b199f}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
Service Name: SysmonLog
Display Name: Performance Logs and Alerts
Start Mode: Manual
Start Name: NT Authority\NetworkService
Description: Collects performance data from local or remote computers based on preconfigured schedule ...
Service Type: Own Process
Path: c:\windows\system32\smlogsvc.exe
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False
And finally, the HJT log looks like this:
Logfile of HijackThis v1.99.0
Scan saved at 20:06:24, on 11/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Envy24\EnMixCPL.exe
C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Belkin Corporation\Belkin Wireless Network Monitor Utility and Driver\RtlWake.exe
C:\Program Files\Office keyboard utility\1.2\MMKEYB.EXE
C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Office keyboard utility\1.2\TrayMon.exe
C:\Program Files\Office keyboard utility\1.2\osd.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [EnvyHFCPL] C:\Program Files\Envy24\EnMixCPL.exe
O4 - HKLM\..\Run: [FLMOFFICEKEYBOARD] C:\Program Files\Office keyboard utility\1.2\OFFICEKB.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: RtlWake.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
Woah, a lot of info there.
All visible symptoms have stopped at my end, is the machine clear?
Thanks for your help with this, what's the best way to show some appreciation round here?
Cheers
Andyboy
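The question "is the machine clear?" comes down to reading the O2/O4/O23 lines the way the helpers in this thread do: which BHOs, startup entries and services load from somewhere legitimate software does not normally live. As an added example (not code from the thread, from Andyboy, or from HijackThis itself), the Python script below applies those same rules to a handful of log lines. The sample lines are constructed for the example and modelled on the log above; the `example32.dll` BHO, its all-zero CLSID and the `updater.exe` entry under `Temp` are placeholders standing in for the kind of entry that deserves a closer look, and the `TRUSTED_PREFIXES` list is this example's own assumption about where installed software normally lives.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from typing import List, Tuple

# Locations that normally hold legitimately installed software (assumption made
# for this example). A BHO or startup program loaded from elsewhere, such as the
# Windows root, a Temp directory, or no directory at all, is not proof of
# infection, but it is worth a manual look before calling a machine clean.
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\progra~1\\",
    "c:\\windows\\system32\\",
)

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

# Constructed sample log: the Spybot and Symantec lines mirror entries in the
# thread's log; the example32.dll BHO and the Temp\updater.exe entry are
# placeholders for the kind of entry that should be looked at by hand.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\example32.dll
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\USER\LOCALS~1\Temp\updater.exe
O23 - Service: Netropa NHK Server - Unknown - C:\Program Files\Office keyboard utility\1.2\nhksrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""


def _is_trusted(path: str) -> bool:
    """True when the path sits under one of the assumed trusted directories."""
    return path.strip().lower().startswith(TRUSTED_PREFIXES)


def _exe_from_command(cmd: str) -> str:
    """Return the program part of an O4 command line, without quotes or arguments.

    Unquoted paths with spaces are common in these logs, so the cut is made at
    the first '.exe' rather than at the first space. Commands with no .exe at
    all (e.g. 'RunDll32 foo.cpl,Entry') fall back to their first token.
    """
    cmd = cmd.strip()
    m = re.match(r'^"?(?P<exe>.+?\.exe)"?(?:\s|$)', cmd, re.I)
    if m:
        return m.group("exe")
    return cmd.split(" ", 1)[0]


def triage(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for entries that deserve a manual look."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        line = line.strip()
        if m := O2_RE.match(line):
            # An unnamed BHO is only suspicious when it also loads from an odd place:
            # Spybot's SDHelper.dll is unnamed but lives under Program Files.
            if m["name"] == "(no name)" and not _is_trusted(m["path"]):
                findings.append((line, f"unnamed BHO loaded from {m['path']}"))
        elif m := O4_RE.match(line):
            exe = _exe_from_command(m["cmd"])
            # Bare commands are resolved via the PATH search, so confirm which binary runs.
            if not _is_trusted(exe):
                findings.append((line, f"startup entry outside trusted locations: {exe}"))
        elif m := O23_RE.match(line):
            if m["vendor"].lower() == "unknown":
                findings.append((line, f"service with unknown vendor: {m['path']}"))
    return findings


def triage_sample() -> List[Tuple[str, str]]:
    """Run the triage rules over the constructed sample log."""
    return triage(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for entry, reason in triage_sample():
        print(f"REVIEW: {reason}\n    {entry}")
```

Run against the sample it reports four entries for review (the Windows-root BHO, the bare `RunDll32` command, the `Temp` startup entry and the service with an unknown vendor) and stays quiet about Spybot's unnamed SDHelper.dll, which is the distinction the thread's helpers draw when they decide a log "looks good". A flag here means "look at it", not "delete it"; the C-Media and Netropa entries in the thread are legitimate despite tripping these rules.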
-
Thanks for the logs Andy, looks good
Appreciation, keep safe
You should set up extra protection against future attacks
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html
I see you use Firefox, good move
It's a lot safer browser
For the times that you do need Internet Explorer, you may want to look into this free utility
IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD
Scroll down and click on IE-SPYAD.EXE Free! or IE-SPYAD2.EXE Free!
Regular IE-Spyad for the individual user or IE-Spyad 2 for global protection (all users) on your computer
You only need one or the other
With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
Take care
By the way, If everything is running smooth now you should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
Here's a link, just in case you're unsure how to
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
Locking this topic, anyone with similar problems
Please start your own post in this forum, include a Hijackthis log