TheTechGuide Forum

General Category => Tech Clinic => Topic started by: happyeaglesfan on May 23, 2005, 12:43:17 PM

Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 23, 2005, 12:43:17 PM
I have this Smart Security desktop ad on my computer and have been trying to remove it.  Antispyware and others have been run.  I tried Trend Micro's free online scan.  I am unable to get rid of it.  I do not want to reinstall Windows.  Is there anything that can get rid of it?  Any options, or others who have the problem?
Thanks for time
G>R
Title: SmartSecurity Desktop Hijacked
Post by: guestolo on May 23, 2005, 01:13:50 PM
I need to see a HijackThis log.

Can you follow this post (http://www.thetechguide.com/forum/index.php?showtopic=14623)

and download and post a HijackThis log to this thread.

Thanks
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 23, 2005, 01:18:48 PM
guestolo,
Just leaving work.  The computer with the problem is at home.  I do know how to do HijackThis.  I will post it tonight, about 9 pm EST.  Will that be okay?  I have seen you have helped others with this same problem.  I have tried to follow it but not very successfully.  Sorry that I have to go home to finish this.  I really am thankful for your help.
Thanks
GR
Title: SmartSecurity Desktop Hijacked
Post by: guestolo on May 23, 2005, 01:43:25 PM
I'll look for your post tonight; try not to fix anything with HijackThis until I see the log.
Thanks

That link to How to post a HijackThis log will help you post a log.
Make sure you save HijackThis to a permanent folder.
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 24, 2005, 08:13:59 PM
guestolo
Here is my HijackThis log file.  Sorry I did not get it out yesterday.  Had some other problems to tend to.  Right now I am only able to access the internet in safe mode.  Does this cause a problem for the log file?
Thanks for your help

Logfile of HijackThis v1.99.1
Scan saved at 9:11:41 PM, on 5/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [eQ0HTkUx] C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing)
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe
Title: SmartSecurity Desktop Hijacked
Post by: guestolo on May 24, 2005, 08:31:20 PM
Try and do all the following please

===Download and save to desktop or a folder
DelDomains.inf
http://www.mvps.org/winhelp2002/DelDomains.inf
We'll need this later. If using a Mozilla browser, right click on that link and choose Save Link As

==Download and then Install
Ewido Trojan Scanner (http://download.ewido.net/ewido-setup.exe)

When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Give the link time to load or try it twice, it may be busy
Alternate Download link (http://www.spywareaid.com/index.php?file=showsoftware&action=dl&softid=1&softtype=exe)
We'll need this later

==Download and UNZIP to a folder or desktop
Fixdesktop.zip (http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=219)
So you now have Fixdesktop.reg extracted

==Download the Killbox by Option^Explicit (http://www.atribune.org/downloads/KillBox.exe). *In the event you already have Killbox, this is a new version that I need you to download.*
* Save it to your desktop or a folder

Please Print this out or save these instructions to a Notepad file and save it to your Desktop or a folder

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid

Exit Add/Remove Programs.

Open a Notepad file..Go to START>>RUN>>Type in notepad
Hit OK

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

Killbox file paths to copy and paste to Notepad between dotted lines
===========================================
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINNT\sites.ini
C:\WINNT\popuper.exe
C:\WINNT\system32\hhk.dll
C:\WINNT\System32\wldr.dll
C:\WINNT\System32\helper.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\System32\ole32vbs.exe
C:\WINNT\Web\desktop.html
C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe

===================================================
*  Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.  Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.  

When Restarting, please Restart back to SAFE MODE

*Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

In SAFE MODE

Using Windows Explorer, Manually navigate and delete these folders if found

C:\Program Files\Search Maid
C:\Program Files\Security IGuard
C:\Program Files\Virtual Maid
C:\Program Files\vspvwwqw
C:\WINNT\System32\Log Files

*Double Click on Fixdesktop.reg and allow to merge to the registry

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done

==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what exists

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm

O4 - HKLM\..\Run: [eQ0HTkUx] C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe

O9 - Extra button: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing)

O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 64.62.171.156 (HKLM)


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART back to Normal mode

Back in Windows

If prompted by Microsoft AntiSpyware about any changes, ALLOW them so it won't interfere with any fixes we are trying to do

Do another scan with HijackThis and post a fresh log
Also post the report from Ewido
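The fix above walks the posted log entry by entry. As an added example, not part of this thread and not HijackThis, Ewido or forum code, here is a small Python script that parses HijackThis log lines and flags the same entry classes the instructions remove by hand: O4 Run values with generated-looking names, O15 Trusted Zone and Trusted IP range entries, R0/R1 browser settings that point at a local file or route IE through a localhost proxy (the ProxyServer = http=localhost:8080 line appears in the second log below), and registered components whose file is missing. The sample lines are copied from the two logs in this thread; the looks_random heuristic and the severity labels are assumptions of this example, meant to surface entries for review rather than to prove them malicious.

```python
"""Triage HijackThis log lines for the entry classes the fix above removes by hand.

Added example for this thread; not HijackThis, Ewido or forum code.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O4 - HKLM\..\Run: [eQ0HTkUx] C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing)
O15 - Trusted Zone: *.horse-active.net (HKLM)
O15 - Trusted IP range: 64.62.171.156 (HKLM)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""

# O4 - HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O15 - Trusted Zone: *.domain (HKLM)   /   O15 - Trusted IP range: a.b.c.d (HKLM)
# HijackThis 1.99 prints "(HKLM)" for machine-wide entries and nothing for HKCU ones.
ZONE_RE = re.compile(r'^O15 - Trusted (?P<kind>Zone|IP range): (?P<target>\S+)(?: \((?P<hive>HK\w+)\))?$')
# R0/R1 - <registry key>,<setting> = <value>
IE_SETTING_RE = re.compile(r'^R[01] - .*,(?P<setting>[^=]+?) = (?P<value>.*)$')
LOCAL_FILE_RE = re.compile(r'^[A-Za-z]:\\')
LOCAL_PROXY_RE = re.compile(r'(?:^|=)(?:localhost|127\.0\.0\.1)(?::\d+)?(?:;|$)')


@dataclass(frozen=True)
class Finding:
    severity: str  # 'high' = fix it, 'review' = look before deleting
    line: str
    reason: str


def looks_random(token: str) -> bool:
    """Heuristic (an assumption of this example): a single word mixing upper case,
    lower case and digits, like eQ0HTkUx, is usually generated rather than chosen."""
    return (' ' not in token
            and any(c.isdigit() for c in token)
            and any(c.isupper() for c in token)
            and any(c.islower() for c in token))


def triage(log_text: str) -> List[Finding]:
    """Apply every rule to every line; a line can raise more than one finding."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m and looks_random(m['name']):
            findings.append(Finding('high', line,
                f"{m['hive']} Run value [{m['name']}] has a generated name and starts {m['cmd']}"))
        m = ZONE_RE.match(line)
        if m:
            hive = m['hive'] or 'HKCU'
            findings.append(Finding('high', line,
                f"{hive} places {m['target']} in the IE Trusted zone, where ActiveX and script prompts are relaxed"))
        m = IE_SETTING_RE.match(line)
        if m:
            if m['setting'] == 'ProxyServer' and LOCAL_PROXY_RE.search(m['value']):
                findings.append(Finding('high', line,
                    f"IE traffic is routed through a local listener: {m['value']}"))
            elif LOCAL_FILE_RE.match(m['value']):
                findings.append(Finding('review', line,
                    f"{m['setting']} points at a local file: {m['value']}"))
        if '(file missing)' in line:
            findings.append(Finding('review', line,
                'registered component whose file is gone; a leftover or half-removed install'))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run it against a saved log with `python triage.py` after swapping SAMPLE_LOG for the file contents. It deliberately ignores the Symantec, Microsoft and Messenger entries in the sample: the point is to separate the handful of lines worth a human look from the dozens of normal ones, which is what the helper in this thread does by eye.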
Title: SmartSecurity Desktop Hijacked
Post by: guestolo on May 24, 2005, 08:33:15 PM
HOLD TIGHT, DON'T FOLLOW THE ABOVE INSTRUCTIONS YET

OK, go ahead, just had to make a few changes :)
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 24, 2005, 09:25:59 PM
I am working on the Ewido security scan.  Then the HijackThis scan is next.  I did not find the files
C:\Program Files\Search Maid
C:\Program Files\Security IGuard
C:\Program Files\Virtual Maid
C:\Program Files\vspvwwqw
C:\WINNT\System32\Log Files
 
As soon as I get the HijackThis log fixed I will post it.
thank you
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 24, 2005, 09:59:27 PM
HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:56:37 PM, on 5/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [eQ0HTkUx] C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-image.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted IP range: 64.62.171.156
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe

Scan Report:

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:         10:46:08 PM, 5/24/2005
 + Report-Checksum:      B2C0837A

 + Date of database:      5/25/2005
 + Version of scan engine:   v3.0

 + Duration:            28 min
 + Scanned Files:         69719
 + Speed:            40.41 Files/Second
 + Infected files:         123
 + Removed files:         119
 + Files put in quarantine:      119
 + Files that could not be opened:   0
 + Files that could not be cleaned:   4

 + Binder:      Yes
 + Crypter:      Yes
 + Archives:      Yes

 + Scanned items:
   C:\

 + Scan result:
   C:\!Submit\ecgCAsBN.exe -> Spyware.CommonName.i -> Cleaned with backup
   C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL -> Spyware.MyWay.j -> Cleaned with backup
   C:\Program Files\vspvwwqw\cnml.exe -> Spyware.CommonName.l -> Error during cleaning
   C:\Program Files\vspvwwqw\ecgCAsBN.dll -> Spyware.CommonName.g -> Cleaned with backup
   C:\Program Files\vspvwwqw\GQgCF8BN.dll -> Spyware.CommonName.g -> Error during cleaning
   C:\Program Files\vspvwwqw\GQgCF8BN.exe -> Spyware.CommonName.i -> Error during cleaning
   C:\Program Files\vspvwwqw\NB8FCgQG.exe -> Spyware.CommonName.g -> Error during cleaning
   C:\Program Files\vspvwwqw\NBsACgce.exe -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP123\A0027216.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP123\A0027217.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP139\A0033772.exe -> Spyware.Small.ed -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP139\A0033775.exe -> Spyware.CommonName.i -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP42\A0009930.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0010722.srg -> Spyware.Exact -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0010724.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0010725.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011725.srg -> Spyware.Exact -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011727.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011728.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011736.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/exdl.exe -> Spyware.Exact -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/mqexdlm.srg -> Spyware.Exact -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/exul.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/javexulm.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/msexreg.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011739.vxd/C:/WINNT/System32/exclean.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011763.dll -> Spyware.Relevance.b -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011768.exe -> Spyware.WinAD.k -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011771.exe -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011772.exe -> Spyware.CommonName.i -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP45\A0011773.dll -> Spyware.BabeIE -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP58\A0015933.dll -> Trojan.TopAntiSpyware.h -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP58\A0015935.dll -> Trojan.TopAntiSpyware.h -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP58\A0015937.exe -> TrojanDropper.Small.oy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP58\A0015977.sys -> Backdoor.Haxdoor.az -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP58\A0015978.sys -> Backdoor.Haxdoor.az -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP59\A0016044.dll -> Spyware.PurityScan.ak -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP65\A0016098.exe -> Trojan.Agent.cl -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP65\A0016099.dll -> Trojan.Agent.cl -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016220.exe -> Spyware.Small.dm -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016221.exe -> Spyware.Small.dm -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016223.exe -> Spyware.Small.dm -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016241.exe -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016242.exe -> Spyware.CommonName.i -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016243.dll -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016246.exe -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016247.exe -> Spyware.CommonName.i -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016248.dll -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016250.exe -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016251.exe -> Spyware.CommonName.i -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016252.dll -> Spyware.CommonName.g -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016360.dll -> Trojan.Agent.cl -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP67\A0016362.exe -> Trojan.Agent.cl -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP74\A0017389.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP74\A0017394.exe -> Spyware.PurityScan.at -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018430.dll -> Spyware.Toolbar -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018431.dll -> Spyware.WebSearch.ae -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/exdl.exe -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/mqexdlm.srg -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/exul.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/javexulm.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/msexreg.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018440.vxd/C:/WINNT/System32/exclean.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018444.exe -> Spyware.PurityScan.bf -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018445.dll -> Spyware.PurityScan.ak -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018453.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018478.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018479.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018481.srg -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018515.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP75\A0018517.exe -> Spyware.PurityScan.at -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP81\A0019579.srg -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP81\A0019580.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/exdl.exe -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/mqexdlm.srg -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/exul.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/javexulm.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/msexreg.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019621.vxd/C:/WINNT/System32/exclean.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019623.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP82\A0019626.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP83\A0020279.srg -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP83\A0020579.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021628.srg -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/exdl.exe -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/mqexdlm.srg -> Spyware.BargianBuddy.n -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/exul.exe -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/javexulm.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/msexreg.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/instsrv.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021631.vxd/C:/WINNT/System32/exclean.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021634.exe -> Spyware.BargainBuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP84\A0021636.vxd -> Spyware.BargainBuddy.q -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP85\A0021675.exe -> Spyware.PurityScan.w -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP85\A0021676.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP90\A0024101.dll -> Spyware.PurityScan.ak -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP90\A0024102.exe -> Spyware.PurityScan.bf -> Cleaned with backup
   C:\System Volume Information\_restore{0193FC1C-0A70-478B-8107-B531B8E70CAB}\RP91\A0024307.EXE -> Spyware.PurityScan.bf -> Cleaned with backup
   C:\WINNT\Akh.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\Bae.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\Dcf.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\dd.exe -> Trojan.Agent.cl -> Cleaned with backup
   C:\WINNT\Gfu.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\Hbl.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\NDNuninstall5_64.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\WINNT\NDNuninstall6_10.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\WINNT\NDNuninstall6_22.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\WINNT\NDNuninstall6_30.exe -> Spyware.NewDotNet -> Cleaned with backup
   C:\WINNT\Pne.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\Qjc.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\Sia.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\Sts.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\system32\563984.exe -> Spyware.Small.dm -> Cleaned with backup
   C:\WINNT\system32\bbchk.exe -> Spyware.Bargainbuddy -> Cleaned with backup
   C:\WINNT\Tsu.html -> Spyware.Spywad.b -> Cleaned with backup
   C:\WINNT\Vnl.html -> Spyware.Spywad.b -> Cleaned with backup


::Report End
Title: SmartSecurity Desktop Hijacked
Post by: guestolo on May 25, 2005, 12:49:54 AM
Can you make sure you do the following please
DISABLE Microsofts Anti-Spyware realtime protection
It seems to be interfering with our fixes

Ensure you have Killbox and
DelDomains.inf

Please print this out or save it to a Notepad file on the desktop
Close down all browser windows, including this one

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm

O4 - HKLM\..\Run: [eQ0HTkUx] C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe

O9 - Extra button: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
<This is not related to Microsoft's Anti-Spyware software
It's a nasty

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)

O15 - Trusted Zone: *.horse-active.net
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted IP range: 64.62.171.156


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Open a Notepad file. Go to START>>RUN>>Type in notepad
Hit OK

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

Killbox file paths to copy and paste to Notepad between dotted lines
===========================================
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINNT\sites.ini
C:\WINNT\popuper.exe
C:\WINNT\system32\hhk.dll
C:\WINNT\System32\wldr.dll
C:\WINNT\System32\helper.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\System32\ole32vbs.exe
C:\Program Files\vspvwwqw\cnml.exe
C:\Program Files\vspvwwqw\GQgCF8BN.dll
C:\Program Files\vspvwwqw\GQgCF8BN.exe
C:\Program Files\vspvwwqw\NB8FCgQG.exe

===================================================
*  Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.  Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.  

Back in Windows

Don't open a Browser yet

Delete this folder
C:\Program Files\vspvwwqw <-this folder

==Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries

Run another scan with Hijackthis and post a fresh log
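The entries guestolo ticks above share a few recognisable patterns: a search page pointed at a local file (R1), a Run entry living in a randomly named folder (O4), a toolbar button whose file is missing (O9), and hosts or IP ranges added to the Trusted zone (O15). As an added example, not from this thread or from HijackThis itself, here is a small Python script that parses that log format and shortlists lines matching those patterns; the random-name heuristic and the sample log lines are my own construction, modelled on the entries quoted in this post.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List

# Constructed sample in HijackThis v1.99 line format: the entries guestolo asked
# to have fixed in this thread, plus two benign lines (O2, O4 gcasServ) for contrast.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINNT\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\blank.htm
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [eQ0HTkUx] C:\PROGRA~1\vspvwwqw\ecgCAsBN.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O9 - Extra button: Microsoft AntiSpyware helper - {0FE0390C-914A-40C3-AB9D-8436091359D7} - C:\WINNT\System32\wldr.dll (file missing) (HKCU)
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted IP range: 64.62.171.156
"""


@dataclass
class Finding:
    section: str  # HijackThis section tag, e.g. "O15"
    reason: str   # why the line deserves a second look
    line: str     # the original log line


ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")  # every HijackThis entry starts this way
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")     # value is a local file, not a URL
RUN_RE = re.compile(r"\[([^\]]+)\]\s*(.*)")     # O4 body: [KeyName] command line


def looks_random(token: str) -> bool:
    """Heuristic (my assumption, not a HijackThis rule): names like 'vspvwwqw' or
    'eQ0HTkUx' have almost no vowels, or flip case repeatedly, often with digits.
    All-uppercase tokens (8.3 names, acronyms) and short tokens are left alone."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) < 7 or token.isupper():
        return False
    vowels = sum(c.lower() in "aeiouy" for c in letters)
    # case flips, ignoring the initial capital of ordinary names like "Program"
    switches = sum(a.isupper() != b.isupper() for a, b in zip(letters[1:], letters[2:]))
    has_digit = any(c.isdigit() for c in token)
    return vowels / len(letters) < 0.2 or switches >= 4 or (has_digit and switches >= 2)


def path_tokens(command: str) -> Iterator[str]:
    """Yield the folder and file names of a Run-key command, without the drive
    letter, the .exe extension, trailing arguments or 8.3 '~1' suffixes."""
    exe = re.split(r"\.exe\b", command.strip().strip('"'), maxsplit=1, flags=re.I)[0]
    for part in re.split(r"[\\/ ]", exe):
        part = re.sub(r"~\d+$", "", part)
        if part and not re.match(r"^[A-Za-z]:$", part):
            yield part


def triage(log_text: str) -> List[Finding]:
    """Return the log lines that match the patterns fixed in this thread."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, blank line or running-process path
        section, body = m.groups()
        if section in ("R0", "R1") and "=" in body:
            value = body.partition("=")[2].strip()
            if LOCAL_PATH_RE.match(value):
                findings.append(Finding(section, "browser setting points at a local file: " + value, raw))
        elif section == "O4":
            run = RUN_RE.search(body)
            if run:
                name, command = run.groups()
                suspects = [t for t in [name, *path_tokens(command)] if looks_random(t)]
                if suspects:
                    findings.append(Finding(section, "random-looking name(s): " + ", ".join(suspects), raw))
        elif section == "O9" and "(file missing)" in body:
            findings.append(Finding(section, "toolbar button whose file is missing", raw))
        elif section == "O15":
            findings.append(Finding(section, "site or IP range added to the Trusted zone", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

The output is a shortlist for a human reviewer, not a fix list: a legitimate entry can trip the name heuristic, and malware entries with ordinary-looking names will not.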
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 25, 2005, 09:39:57 AM
bump
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 25, 2005, 12:23:20 PM
Bump
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 25, 2005, 12:31:34 PM
Okay. I was able to delete the folder C:\Program Files\vspvwwqw. I had to move it and then delete it. It was the only way to get rid of it. I then ran a new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:27:45 PM, on 5/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-image.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4BB975F-B6D3-421B-B9DA-D5B1C9040133}: NameServer = 204.186.0.201,204.186.0.203
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe

Thanks again for your help.
Happyeaglesfan
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 25, 2005, 07:20:04 PM
Bump
Title: SmartSecurity Desktop Hijacked
Post by: guestolo on May 25, 2005, 07:35:02 PM
How's everything running on your end?
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 26, 2005, 06:02:06 AM
Desktop is still locked with Smart Security.  Not sure what to do next.  Here is the most recent hijackthis log.  

Happyeaglesfan
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 26, 2005, 06:29:48 PM
guestolo,
Still have the Smart Security on the desktop. I have done everything in your last post. Will post a new HijackThis log shortly. Having trouble doing updates for some software. Please help...
Happyeaglesfan
Title: SmartSecurity Desktop Hijacked
Post by: guestolo on May 26, 2005, 06:34:53 PM
It could be because you still had some bad files remaining on your computer

Can you do the following please

Download and UNZIP to desktop or a folder Get2.zip
So you now have Get2.bat extracted
Double click on Get2.bat and a text file will appear on the desktop or folder
Called Export2.txt

Can you copy and paste the contents back here with a fresh Hijackthis log
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 26, 2005, 08:06:07 PM
Here are the files.  Please help.  It is frustrating!


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]

Logfile of HijackThis v1.99.1
Scan saved at 9:02:38 PM, on 5/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe
Title: SmartSecurity Desktop Hijacked
Post by: guestolo on May 26, 2005, 08:16:45 PM
Do this for me, the export2.txt looks good
You appear to have given me a log from hijackthis from safe mode

Make sure you have fixdesktop.reg unzipped

Double click on it and allow to merge to the registry

RESTART the computer
Make sure you restart into Normal mode

Can you now do the following

Do the following
1. Open the Control Panel.
2. Open Display Properties.
3. Click the Desktop tab.
4. Change your background>>You can change it back later if preferred
5. Click the Customize Desktop button.
6. Click the Web tab in the Desktop Items window.
7. Uncheck "Security" or make sure all checkboxes in this window are un-checked.
OK your way out
Log off your user account and log back on again if anything was unchecked

Back in Windows

Run another scan with hijackthis in Normal mode and show me a fresh log

Could you also
Download and UNZIP to desktop or a folder
Files.zip
Open the folder you extracted and double click on Find.bat
Let this run, it will produce a log

Post the contents back here with the fresh hijackthis log
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 26, 2005, 08:30:20 PM
Still unable to change desktop.  Everything was unchecked.  This thing sucks.
Thanks


Logfile of HijackThis v1.99.1
Scan saved at 9:25:18 PM, on 5/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\HJT\hijackthis.exe

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-image.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B89EE32-C3B8-4BD5-8A28-F73CA9183D4F}: NameServer = 151.204.0.85 151.201.0.38
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe
Title: SmartSecurity Desktop Hijacked
Post by: guestolo on May 26, 2005, 08:36:33 PM
When you checked under the web tab in Display properties
Was there an entry for SECURITY?

Can you look for any of these files on your computer and let me know if they are found
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINNT\sites.ini
C:\WINNT\popuper.exe
C:\WINNT\system32\hhk.dll
C:\WINNT\System32\wldr.dll
C:\WINNT\System32\helper.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\System32\ole32vbs.exe
C:\WINNT\Web\desktop.html

What happened to the log from Find.bat I asked you to download in my last reply?
Can you still do that please
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 26, 2005, 08:50:58 PM
This is the notepad from find.bat???

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»
Scanning for file(s)...
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 26, 2005, 09:00:30 PM
C:\WINNT\System32\helper.exe  found c:\winnt\system32\help.exe
I did not find any of the files.  Only the above file that was close.  Help instead of helper?
Title: SmartSecurity Desktop Hijacked
Post by: guestolo on May 26, 2005, 09:01:40 PM
Well that answered part of my questions
Let's try this again
Can you find any of these files on your Hard drive

Quote
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\WINNT\sites.ini
C:\WINNT\popuper.exe
C:\WINNT\system32\hhk.dll
C:\WINNT\System32\wldr.dll
C:\WINNT\System32\helper.exe
C:\WINNT\System32\intmon.exe
C:\WINNT\System32\shnlog.exe
C:\WINNT\System32\intmonp.exe
C:\WINNT\System32\msmsgs.exe
C:\WINNT\system32\msole32.exe
C:\WINNT\System32\ole32vbs.exe
C:\WINNT\Web\desktop.html

Also, and remember to post back all information

Do the following please
==Download RKFiles.zip from the link
http://skads.org/special/rkfiles.zip
UNZIP the contents to its own folder

Set Windows to show Hidden files and folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

RESTART INTO SAFE MODE

Open the folder you unzipped rkfiles.zip to
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt

Restart back to Normal mode and post the log C:\Log.txt
Post the log back here
Title: SmartSecurity Desktop Hijacked
Post by: guestolo on May 26, 2005, 09:30:11 PM
Help.exe is a legitimate file

I'll check back later when you have the log from RKFiles.bat
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 26, 2005, 09:41:47 PM
Here is the log file.

C:\Documents and Settings\Owner\Desktop\New Folder\rkfiles
 
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
 
Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINNT\tsc.exe: UPX!
C:\WINNT\Unwash6.exe: UPX!
C:\WINNT\vsapi32.dll: UPX!t4
Finished
bye
Title: SmartSecurity Desktop Hijacked
Post by: guestolo on May 26, 2005, 09:49:53 PM
That looks clean

When you access your Web tab, What do you see under Web pages?
Anything?

Can you also do the following

Download Silent Runners.vbs
http://www.cs.nyu.edu/~vs667/articles/hotoffers_removal/files/SilentRunners.zip

UNZIP the contents to the desktop
Double click to Run Silent Runners
WAIT for the scan to finish, It will notify you when it's complete

Post back the log that's produced
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 26, 2005, 10:03:29 PM
When you access your Web tab, What do you see under Web pages?
I see
New
Properties
Synchronize
Delete
check box that is unchecked for MY CURRENT HOME PAGE

To prevent the moving.....
check box that is unchecked for LOCK DESKTOP ITEMS




"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"gcasServ" = ""C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"" [MS]
"KernelFaultCheck" = "C:\WINNT\system32\dumprep 0 -k" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "Norton Internet Security"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online Included"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Adaptec\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\PhotoDeluxe BE 1.1\FotoNation Explorer\camview.dll" ["FotoNation Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll" ["Yahoo! Inc."]
"{6EE51AA0-77A0-11D7-B4E1-000347126E46}" = "Window Washer Shredding Utility"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\WEBROO~1\SHELLW~1.DLL" ["Webroot Software"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{9EF34FF2-3396-4527-9D27-04C8C1C67806}" = "Microsoft AntiSpyware Service Hook"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [MS]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINNT\System32\sspipes.scr" [MS]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Owner" -> launches: "C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
  -> {CLSID}\(Default) = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
  -> {CLSID}\(Default) = "&Yahoo! Companion"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll" ["Yahoo! Inc."]

"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
  -> {CLSID}\(Default) = "Norton Internet Security"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
  -> {CLSID}\(Default) = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
  -> {CLSID}\(Default) = "Norton Internet Security"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
  -> {CLSID}\(Default) = "Norton AntiVirus"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\
  -> {CLSID}\(Default) = "Real.com"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}\
(Default) = "MoneySide"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{1537E842-0000-11D2-8059-111111111111}\
"ButtonText" = "MP3"
"MenuText" = "&WinMp3Locator"
"CLSIDExtension" = "{1537E842-0E00-11D2-8059-000000000000}"

{1537E842-0001-11D2-8059-111111111111}\
"ButtonText" = "Files"
"MenuText" = "&FileLocator"
"CLSIDExtension" = "{1537E842-0E01-11D2-8059-000000000000}"

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM95\aim.exe" ["America Online, Inc."]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{301DA1EE-F65C-4188-A417-9E915CC8FBFA}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96}\
"ButtonText" = "Yahoo! Messenger"
"MenuText" = "Yahoo! Messenger"
"Exec" = "C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe" ["Yahoo! Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Creative Service for CDROM Access, Creative Service for CDROM Access, "C:\WINNT\System32\CTsvcCDA.exe" ["Creative Technology Ltd"]
ISSvc, ISSVC, "C:\Program Files\Norton Internet Security\ISSVC.exe" ["Symantec Corporation"]
Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
NVIDIA Driver Helper Service, NVSvc, "C:\WINNT\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINNT\wanmpsvc.exe"" ["America Online, Inc."]
Washer AutoComplete, wwSecSvc, "C:\WINNT\System32\wwSecure.exe" ["Webroot Software, Inc."]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------
Title: SmartSecurity Desktop Hijacked
Post by: guestolo on May 26, 2005, 10:16:31 PM
Nothing there either
Are you logged in right now with the user having the problem with the desktop????

Anytime I asked you to merge fixdesktop.reg, were you logged in with the user account having the problem?

Either you or I am missing something here

When you're doing any of the fixes I asked before, whether in safe mode or Normal mode
Ensure you're logged in with the user having the problem with the desktop

Could you also

Go to START>>RUN>>COPY AND PASTE the bold line into the open field and then
Click OK

regedit /e C:\find.txt "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0"

Find C:\find.txt
Copy and paste back the contents
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 26, 2005, 10:21:01 PM
When in regular mode it automatically logs in for me.  When in safe mode I have been selecting administrator.  The other option is for owner in safe mode only.

Here is the log.




Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,4e,00,00,00,00,00,00,00,b2,03,00,00,de,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,4e,00,00,00,00,00,00,00,b2,03,00,00,de,02,\
  00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,4e,00,00,00,00,00,00,00,b2,03,00,00,de,02,\
  00,00,01,00,00,00
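The exported key above is the Active Desktop component that draws the wallpaper; a hijack of this kind adds a component whose Source is a local HTML file instead of About:Home. As an added example (not code from the thread), this parses a `regedit /e` export, including the multi-line hex values, and flags any component with a non-default Source. The first component is the export posted above; the second is a constructed suspicious one reusing the C:\WINNT\Web\desktop.html path from the file list earlier in the thread.

```python
"""Parse a `regedit /e` export of the Active Desktop component key and flag
components whose Source is not the default About:Home.

Added example, not code from the thread. Component 0 is the export the
poster supplied; component 1 is a CONSTRUCTED suspicious one that reuses the
C:\\WINNT\\Web\\desktop.html path from the file list earlier in the thread.
Real exports are UTF-16LE; load_reg_file() handles that.
"""
import re
from typing import Dict, List

SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,4e,00,00,00,00,00,00,00,b2,03,00,00,de,02,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="file:///C:\\WINNT\\Web\\desktop.html"
"SubscribedURL"="file:///C:\\WINNT\\Web\\desktop.html"
"FriendlyName"="Security"
"Flags"=dword:00000002
"CurrentState"=dword:40000004
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
_DEFAULT_SOURCES = {'', 'about:home', 'about:blank'}


def _unescape(s: str) -> str:
    """Undo the two escapes regedit uses inside quoted strings."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Return {key path: {value name: str | int | bytes}} for a .reg export.

    Handles REG_SZ (quoted), REG_DWORD (dword:) and REG_BINARY (hex:) values,
    including hex values continued over several lines with a trailing '\\'.
    Other hex(N): types and '@=' default values are skipped.
    """
    keys: Dict[str, Dict[str, object]] = {}
    current = None
    pending = None  # (value name, hex text so far) while a hex: value continues
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, acc = pending
            acc += line.rstrip('\\')
            if line.endswith('\\'):
                pending = (name, acc)
            else:
                keys[current][name] = bytes.fromhex(acc.replace(',', ''))
                pending = None
            continue
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            keys[current][name] = _unescape(value[1:-1])
        elif value.startswith('dword:'):
            keys[current][name] = int(value[6:], 16)
        elif value.startswith('hex:'):
            hexpart = value[4:]
            if hexpart.endswith('\\'):
                pending = (name, hexpart.rstrip('\\'))
            else:
                keys[current][name] = bytes.fromhex(hexpart.replace(',', ''))
    return keys


def flag_desktop_components(keys: Dict[str, Dict[str, object]]) -> List[dict]:
    """Flag Active Desktop components whose Source is not a default page."""
    findings = []
    for path, values in keys.items():
        if '\\internet explorer\\desktop\\components\\' not in path.lower():
            continue
        source = str(values.get('Source', ''))
        low = source.lower()
        if low in _DEFAULT_SOURCES:
            continue
        local = low.startswith('file:') or low.startswith('\\\\') or re.match(r'^[a-z]:\\', low)
        findings.append({
            'key': path,
            'name': str(values.get('FriendlyName', '')),
            'source': source,
            'kind': 'local file' if local else 'non-default URL',
            'flags': values.get('Flags'),
        })
    return findings


def load_reg_file(path: str) -> Dict[str, Dict[str, object]]:
    """regedit /e writes UTF-16LE with a BOM; the 'utf-16' codec strips it."""
    with open(path, encoding='utf-16') as fh:
        return parse_reg_export(fh.read())


if __name__ == '__main__':
    for f in flag_desktop_components(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{f['key']}: '{f['name']}' -> {f['source']} ({f['kind']})")
```

Run `load_reg_file(r'C:\find.txt')` on the file produced by the regedit command above to check the live key; export `Components` itself (without the trailing `\0`) to see every numbered component at once.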
Title: SmartSecurity Desktop Hijacked
Post by: Guest on May 26, 2005, 11:44:18 PM
guestolo,
I was able to get the SmartSecurity to go away on my desk top.  My Norton Firewall was preventing the updates from loading.  I disabled the firewall for all the programs you had me run.  Ran the programs and it disappeared.  Thank you sooooo much for your help.  I am very grateful.  YOU'RE THE BEST.  
I am posting a new Hijackthis log for you to check.  If you want to check anything else please let me know.  

Logfile of HijackThis v1.99.1
Scan saved at 12:42:04 AM, on 5/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\HJT\hijackthis.exe

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-image.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B89EE32-C3B8-4BD5-8A28-F73CA9183D4F}: NameServer = 151.204.0.85 151.201.0.38
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe
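Reading the final log against the earlier one is how a helper confirms what changed. As an added example (not code from the thread or from HijackThis), this parses the log format, diffs two scans, and lists the entry types the thread turns on: a service whose file is missing, Trusted Zone and NameServer (O15/O17) settings, and HKCU autoruns, which only appear when the scan runs under the affected account. The two logs are constructed excerpts of the logs posted above.

```python
"""Parse HijackThis logs, diff two scans, and note entries worth a second look.

Added example, not code from the thread or from HijackThis. LOG_BEFORE and
LOG_AFTER are CONSTRUCTED excerpts of the logs posted in the thread.
"""
import re
from typing import Dict, List, Tuple

HJT_LINE = re.compile(r'^([RFNO]\d+) - (.*)$')

LOG_BEFORE = r'''Logfile of HijackThis v1.99.1
Scan saved at 9:25:18 PM, on 5/26/2005

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\HJT\hijackthis.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B89EE32-C3B8-4BD5-8A28-F73CA9183D4F}: NameServer = 151.204.0.85 151.201.0.38
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
'''

LOG_AFTER = r'''Logfile of HijackThis v1.99.1
Scan saved at 12:42:04 AM, on 5/27/2005

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HJT\hijackthis.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O15 - Trusted Zone: http://download.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B89EE32-C3B8-4BD5-8A28-F73CA9183D4F}: NameServer = 151.204.0.85 151.201.0.38
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
'''


def parse_hjt(text: str) -> Dict[str, list]:
    """Split a log into the 'Running processes' list and (section, body) entries."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith('running processes:'):
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False  # blank line ends the process list
            else:
                processes.append(line)
            continue
        m = HJT_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return {'processes': processes, 'entries': entries}


def diff_hjt(before: Dict[str, list], after: Dict[str, list]) -> Dict[str, list]:
    """What appeared or disappeared between two scans of the same machine."""
    b_e, a_e = set(before['entries']), set(after['entries'])
    b_p, a_p = set(before['processes']), set(after['processes'])
    return {
        'added': sorted(a_e - b_e),
        'removed': sorted(b_e - a_e),
        'new_processes': sorted(a_p - b_p),
        'gone_processes': sorted(b_p - a_p),
    }


def review_hjt(parsed: Dict[str, list]) -> List[Tuple[str, str, str]]:
    """Entries a helper reads first, as (section, reason, body)."""
    notes = []
    for section, body in parsed['entries']:
        if section == 'O23' and '(file missing)' in body:
            notes.append((section, 'service points at a missing file', body))
        elif section == 'O15':
            notes.append((section, 'site added to the Trusted zone', body))
        elif section == 'O17':
            notes.append((section, 'DNS servers set on the interface key', body))
        elif section == 'O4' and body.startswith('HKCU'):
            notes.append((section, 'per-user autorun (HKCU)', body))
    return notes


if __name__ == '__main__':
    d = diff_hjt(parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER))
    for k, v in d.items():
        print(k, *v, sep='\n  ')
    for sec, why, body in review_hjt(parse_hjt(LOG_AFTER)):
        print(f'{sec}: {why}: {body}')
```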
Title: SmartSecurity Desktop Hijacked
Post by: happyeaglesfan on May 26, 2005, 11:47:34 PM
guestolo,
I was able to get the SmartSecurity to go away on my desktop. My Norton Firewall was preventing the updates from loading. I disabled the firewall for all the programs you had me run. Ran the programs and it disappeared. Thank you sooooo much for your help. I am very grateful. YOU'RE THE BEST.
I am posting a new Hijackthis log for you to check. If you want to check anything else please let me know.

Logfile of HijackThis v1.99.1
Scan saved at 12:42:04 AM, on 5/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\devldr32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wwSecure.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\HJT\hijackthis.exe

O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\ProLogX5 Accelerator\pac-image.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: MP3 - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &WinMp3Locator - {1537E842-0000-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: Files - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &FileLocator - {1537E842-0001-11D2-8059-111111111111} - C:\WINNT\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {01020304-0506-0708-090A-0B0C0D0E0F08} - http://messenger.yahoo.com/maintenance/patch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B89EE32-C3B8-4BD5-8A28-F73CA9183D4F}: NameServer = 151.204.0.85 151.201.0.38
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINNT\System32\ImapiRox.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINNT\System32\wwSecure.exe
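The log above is what the helper reads line by line. As an added example (not part of this thread and not a HijackThis feature), the script below parses a few constructed lines in the same O-section format, taken from the log posted above, and pulls out the three things a reviewer typically checks first: O23 services whose binary is missing (a leftover entry, not necessarily malware), O17 DNS servers that are not on a list the reviewer supplies, and O15 Trusted Zone additions. The list of expected DNS servers is an assumption passed in by the caller.

```python
import re

# Constructed sample in HijackThis v1.99.1 format, copied from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O15 - Trusted Zone: http://download.windowsupdate.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B89EE32-C3B8-4BD5-8A28-F73CA9183D4F}: NameServer = 151.204.0.85 151.201.0.38
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
"""

# Every HijackThis finding starts with a section tag such as O4, O17, O23.
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples; non-O lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(text, known_good_dns=()):
    """Return (section, reason, detail) notes a reviewer would want to look at.

    known_good_dns is the caller's list of expected resolvers (an assumption);
    any O17 NameServer not on it is reported so it can be checked by hand.
    """
    notes = []
    for section, body in parse_hjt(text):
        if section == "O23" and body.endswith("(file missing)"):
            # "Service: <name> - <owner> - <path> (file missing)"
            name = body[len("Service: "):].split(" - ")[0]
            notes.append(("O23", "service binary missing", name))
        elif section == "O17" and "NameServer = " in body:
            for server in body.split("NameServer = ", 1)[1].split():
                if server not in known_good_dns:
                    notes.append(("O17", "unexpected DNS server", server))
        elif section == "O15":
            # "Trusted Zone: <site>" - sites here bypass normal IE restrictions
            notes.append(("O15", "site in Trusted Zone", body.split(": ", 1)[1]))
    return notes
```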
Title: SmartSecurity Desktop Hijacked
Post by: guestolo on May 27, 2005, 12:25:25 AM
That looks good

You can go back and Hide hidden files and folders
You can choose to uninstall Ewido or hold onto it, even after the trial period it works as a limited free version

If everything is running better

You should disable system restore---restart your computer---enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once re-enabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature (http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm)

Once back in Windows and System Restore is re-enabled

You should set up protection against future attacks

SpywareBlaster 3.4 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
*Will block bad ActiveX Controls
*Block malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer


IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=53)
Download link (https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD)

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection
IE-Spyad is compatible with XP SP2 as well

Stay safe :)