Author Topic: CANY ANY1 HELP?  (Read 12118 times)

Offline guestolo

« Reply #20 on: January 30, 2005, 01:45:43 PM »
The best firewall of course would be a NAT router (hardware firewall) <-- costs money :P

XP's SP1 built-in firewall is free and built in, but it's not the best and is not on by default.
Installing SP2 improves the built-in firewall a little bit, and it is on by default.

But I would recommend that you install one of these free software firewalls if you need one. You will have to search for the free download on each site:

Sygate Personal Firewall

Zone Alarm by Zonelabs

Kerio Personal Firewall

OutPost by Agnitum

You only need one; if you install one, ensure that you shut down XP's built-in firewall if it is enabled.
I only use Sygate's and I like it.
Can't comment on the others, but many use the free version of ZoneAlarm.
I've been hearing good things about Outpost too.

As far as file sharing programs go, I don't use one, but you should take a look at this link and decide.
Don't install any free version that contains spyware:
http://www.spywareinfo.com/articles/p2p/
If you decide on WinMX, many users complain about slow download times and that it is hard to use.
Others swear by it and say it's not set up right if those are the conditions.
They have chat rooms where you can ask questions about it, that's if you decide on WinMX.

Before installing the firewall software (but make sure you do, or at minimum enable XP's), I would like to ensure that you are free of leftover registry entries and a .dll file from the infection you had.

As recommended by this link from McAfee:
http://vil.nai.com/vil/content/v_130135.htm

Can you do a search for this .dll on your computer and let me know if it exists:
WINACPI.DLL
Possibly in your System32 folder, but do a search for it.

Also, let's look for the leftover registry entries that may be left behind.
You may want to make a Restore Point first if you're uncomfortable in the Registry.
From that link at McAfee's, here is an example:
HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}\ "InprocServer32"= C:\winnt\System32\winacpi.dll

You will want to expand (+) the following:
+HKEY_CLASSES_ROOT
+CLSID
You're looking for this exact CLSID:
{5E2121EE-0300-11D4-8D3B-444553540000}

You don't have to delete it, just let me know if it exists.
Do the same for the bolded entries below.
Let me know if they exist:
# HKEY_CURRENT_USER\Software\mzs
# HKEY_CLASSES_ROOT\acpi.acpi.1
# HKEY_CLASSES_ROOT\acpi.ext

I would like to also look for a couple not mentioned by McAfee's.

Look for this one in bold:
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\sysacpildap

And if you could do me one more favor,
navigate to this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

List should exist. I don't want you to do anything with it except for the following:
Left click and highlight List.
Right click on it and EXPORT it.
Name it and save it, possibly to My Documents.
Exit out of Registry Editor, navigate to My Documents and right click on the saved backup you named.
E.g. if you saved it as "name" you will see it as name.reg.
After you right click on it, choose EDIT.
Copy and paste the whole contents back here.

Also let me know if any of those other keys exist.

If you're uncomfortable in the Registry, don't worry about doing the above.
We can find a different solution, but if you could do the above that would help... Thanks
« Last Edit: January 30, 2005, 01:49:14 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline irish-paddy

« Reply #21 on: January 30, 2005, 03:54:10 PM »
WINACPI.DLL
Yeah, you were right, found it in system32.


:blink: Sorry for being so dumb, but I was trying there and I don't know how to get into the registry editor.

I've got the XP firewall on but I'm just going to buy a better one. Going to get one in the shops; paid $45.00 for 'xoftspy' spyware remover and it was useless.
Going to try the Outpost 30-day free trial and if it's good I will probably buy it.


If you let me know how to get into the registry I'll certainly try all that. :D

Here's my log if that's any good:
Logfile of HijackThis v1.99.0
Scan saved at 20:43:40, on 30/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Offline guestolo

« Reply #22 on: January 30, 2005, 04:06:29 PM »
We'll have to get rid of that .dll.
But first, to enter the Registry:
Go to START>>RUN>>type in regedit
Hit OK

Please don't delete anything in the registry, just export that one key and let me know if the others exist.
If you're uncomfortable in the registry I can supply a free and easy tool to search for you more efficiently. Let me know.

If you haven't deleted WINACPI.DLL yet, don't yet, we'll get it another way.
Again, just try to do what I asked in the registry, don't delete anything.

This one showed back up in your HijackThis log, don't worry about it right now:
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe

By the way, OUTPOST does have a free version, but if you would like to purchase the full version, by all means :D
« Last Edit: January 30, 2005, 04:10:21 PM by guestolo »



Offline irish-paddy

« Reply #23 on: January 30, 2005, 04:25:02 PM »
:( I installed the 30-day version of Outpost.

I've been getting messages from it saying there is hidden stuff requesting inbound and outbound network access.

Offline irish-paddy

« Reply #24 on: January 30, 2005, 04:27:06 PM »
Here's an example:

Messenger
Hidden process requests an outbound network connection

Process:      C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
Launched by:  C:\WINDOWS\SYSTEM32\SVCHOST.EXE

Outpost Firewall Pro should:

( ) Allow network activity for this process according to application rules
( ) Block network access for this process instance

! ... process can be controlled by another process and transmit private information.

Offline irish-paddy

« Reply #25 on: January 30, 2005, 04:28:36 PM »
I've been blocking them but it doesn't sound good.

Going to go and try all that stuff now in the registry ;)

Offline irish-paddy

« Reply #26 on: January 30, 2005, 04:59:43 PM »
+HKEY_CLASSES_ROOT
+CLSID
{5E2121EE-0300-11D4-8D3B-444553540000}
Yeah, this file exists.

HKEY_CURRENT_USER\Software\mzs
This is there too.

# HKEY_CLASSES_ROOT\acpi.acpi.1
# HKEY_CLASSES_ROOT\acpi.ext
Both of these exist too.

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\sysacpildap
Yep, this is there too.

(There is something called this there too: '{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}', inside HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers.)

Here's the contents:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\z.exe"="c:\\z.exe:*:Enabled:cmsscs"
"C:\\WINDOWS\\tgbcde\\module32.exe"="C:\\WINDOWS\\tgbcde\\module32.exe:*:Enabled:module32"
"c:\\windows\\system32\\csmss32.exe"="c:\\windows\\system32\\csmss32.exe:*:Enabled:csmss32"

Also got this warning just now in Outpost:

Attack Detection Report

Attack was detected

Attack type:  My address
IP Address:   localhost:loopback

Had to disable Outpost to get on the internet again.
I thought everything was fixed but Outpost doesn't think so.
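The exported List key above is the Windows XP SP2 firewall's per-application allow list, each value being `path:scope:Enabled|Disabled:display name`. As an added example (not code from this thread or from either poster), the Python below parses a constructed copy of that export plus one ordinary-looking entry for contrast, pulls the fields apart, and flags entries whose executable sits at a drive root or inside the Windows directory, which is where all three posted entries live; the directory heuristics are this example's own assumptions, not a rule Windows enforces.

```python
"""Parse a .reg export of the Windows XP SP2 firewall's per-application allow
list (AuthorizedApplications\\List) and flag entries worth a second look.

Added example: the heuristics are this example's own assumptions, not a rule
Windows enforces.  The sample export is a constructed copy of the one posted
above, plus one ordinary-looking entry for contrast."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input (.reg escaping: every backslash is doubled).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"c:\\z.exe"="c:\\z.exe:*:Enabled:cmsscs"
"C:\\WINDOWS\\tgbcde\\module32.exe"="C:\\WINDOWS\\tgbcde\\module32.exe:*:Enabled:module32"
"c:\\windows\\system32\\csmss32.exe"="c:\\windows\\system32\\csmss32.exe:*:Enabled:csmss32"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
'''

# "name"="value" with .reg escapes (\\ and \") allowed inside either string.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


@dataclass
class FirewallEntry:
    path: str            # executable path, with .reg escaping undone
    scope: str           # "*" = any remote address, else an address list
    enabled: bool
    name: str            # display name shown in the Windows Firewall UI
    reasons: List[str] = field(default_factory=list)


def reg_unescape(s: str) -> str:
    """Undo .reg string escaping (doubled backslashes and escaped quotes)."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_authorized_apps(reg_text: str) -> List[FirewallEntry]:
    """Return the entries under every ...\\AuthorizedApplications\\List key."""
    entries: List[FirewallEntry] = []
    in_list = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            in_list = line[1:-1].lower().endswith(r'\authorizedapplications\list')
            continue
        if not in_list:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        value = reg_unescape(m.group(2))
        # Value format: <path>:<scope>:<Enabled|Disabled>:<display name>.
        # The path itself contains "C:", so split from the right.
        parts = value.rsplit(':', 3)
        if len(parts) != 4:
            continue
        path, scope, state, name = parts
        entries.append(FirewallEntry(path, scope, state.lower() == 'enabled', name))
    return entries


def assess(entry: FirewallEntry) -> FirewallEntry:
    """Attach review reasons.  Heuristic (assumed for this example): installers
    put their programs under Program Files, so an allow-list entry pointing at
    a drive root or into the Windows directory deserves a closer look."""
    directory = entry.path.lower().rpartition('\\')[0]
    if re.fullmatch(r'[a-z]:', directory):
        entry.reasons.append('executable sits at the drive root')
    elif re.match(r'[a-z]:\\(windows|winnt)(\\|$)', directory):
        entry.reasons.append('executable inside the Windows directory')
    elif not re.match(r'[a-z]:\\program files(\\|$)', directory):
        entry.reasons.append('executable installed outside Program Files')
    return entry


def suspicious_entries(reg_text: str) -> List[FirewallEntry]:
    """Parse, assess, and keep only the entries that collected a reason."""
    return [e for e in map(assess, parse_authorized_apps(reg_text)) if e.reasons]


def report(reg_text: str) -> List[str]:
    """One line per flagged entry, for pasting back into a reply."""
    return ['%s (%s, scope %s, shown as "%s"): %s' % (
                e.path, 'enabled' if e.enabled else 'disabled', e.scope,
                e.name, '; '.join(e.reasons))
            for e in suspicious_entries(reg_text)]


if __name__ == '__main__':
    for line in report(SAMPLE_REG):
        print(line)
```

The display name is free text written by whatever added the entry (here "cmsscs" for z.exe), so the check keys off the executable's location rather than the name.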

Offline guestolo

« Reply #27 on: January 30, 2005, 05:33:41 PM »
Quote: (There is something called this there too: '{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}' inside HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers)

Don't worry about the above one.
We may have to rid you of that entry in HijackThis that loops back to 127.0.0.1,
but don't do anything with it yet.

I suggest that you try another online virus scan; let's make sure we're not missing anything.
Free online virus scan at RAV's:

http://www.ravantivirus.com/scan/

When you access that link with Internet Explorer,
click on the "To continue without subscribing click here" link.
It will load the ActiveX and definition files.

Ensure that all the top entries are checked:
Autoclean -- Inside Archives -- Unpack Executables -- Smart Scan

Then click the Scan my PC button.
Let it completely finish scanning.
Copy and paste the results back here.

Could you also download this virus checker from Kaspersky:
Mwav.exe
There's nothing to install, just double click to run it.

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information pane,
left click and highlight all the info in the lower pane. Use "CTRL C" on your keyboard to copy everything found in the lower pane and paste it in your next reply.

****If prompted that a virus was found and you need to purchase the product to remove the malware with the Mwav scanner from Kaspersky's, just close out the prompt and let it continue scanning.
We just want to see where the bad guys are.


Don't worry, we're getting close to being totally clean.
Together those 2 scans may take an hour.


Can you do me a favor?
Could you please go to this link
http://www.billsway.com/vbspage/ and scroll down to
Registry Search Tool.
Download, UNZIP and run "RegSrch.vbs". Allow this to run, even if prompted by your AV.
Copy and paste this in the dialog box:
{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}

Hit OK.
After a while (about 10 seconds) a prompt will come up. Click OK to write the results to WordPad or Notepad and post them.

Do the same for this one:
tgbcde

Let me know if these files exist:

C:\Windows\System32\mtwirl32.dll <--file
C:\Windows\library32.dll
C:\WINDOWS\tgbcde\module32.exe
C:\windows\system32\csmss32.exe
C:\Y.exe
C:\Z.exe

and then we'll try some more fixes, hopefully get it all.
Don't try and fix them yet, let me know if they exist.

EDIT>>One of these nasties interferes with the operation of your firewall.
That's why I recommended you didn't install it and kept the XP firewall enabled until we cleaned it out.
But hold onto Outpost.
« Last Edit: January 30, 2005, 10:05:22 PM by guestolo »



Offline irish-paddy

« Reply #28 on: January 31, 2005, 09:40:34 AM »
RAV antivirus results:
Scan started at 31/01/2005 12:22:07
 
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\WINDOWS\autoclk.exe - Trojan:Win32/KillReg.D -> Infected
C:\WINDOWS\YEA.REG - Trojan:WinREG/IEZones.C* -> Infected
C:\WINDOWS\SYSTEM32\msvccc.exe.tcf - TrojanDropper:Win32/Delf.BN -> Suspicious
C:\WINDOWS\SYSTEM32\wdrk32.exe - Win32/HLLW.Forbot -> Infected
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\0006_adult[1].cab.tcf->istactivex.dll - TrojanDownloader:Win32/IstBar.GD.dll -> Infected
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\0006_regular[1].cab.tcf->istactivex.dll - TrojanDownloader:Win32/IstBar.GD.dll -> Infected

Scanned
============================
   Objects: 28040
   Directories: 2281
   Archives: 2836
   Size(Kb): 1010303
   Infected files: 5

Found
============================
   Viruses found: 4
   Suspicious files: 1
   Disinfected files: 0
   Mail files: 48

eScan results:


File C:\WINDOWS\System32\winacpi.dll infected by "Trojan-Proxy.Win32.Agent.ck" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\wdrk32.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\swwhost.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ahadp.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\YEA.REG infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dust.exe infected by "Trojan-Dropper.Win32.Agent.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ieupdate.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ldrx32c.exe infected by "Trojan-Downloader.Win32.Small.aig" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msnmsgrs.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\msvccc.exe.tcf infected by "TrojanDropper.Win32.Delf.bn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\svc.exe infected by "Trojan.Win32.Agent.aq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\svcshost.exe infected by "Backdoor.Win32.Wootbot.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\winasp.exe infected by "Backdoor.Win32.ForBot.r" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000035.dll infected by "Trojan-Proxy.Win32.Agent.ck" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000054.dll infected by "Trojan-Proxy.Win32.Agent.ck" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ahadp.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.10\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.11\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.12\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.13\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.14\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.3\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.4\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.5\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.6\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.7\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.8\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.9\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\LastGood\System32\setup.exe.tcf infected by "Trojan-Dropper.Win32.Small.na" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SECURITY\templates\asa\asa.dbx infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SECURITY\templates\asa\sman.dbx tagged as not-a-virus:RiskWare.Tool.Hideout. No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\a176af[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\ldrx32c[1].exe infected by "Trojan-Downloader.Win32.Small.aig" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\84.13.4[1].gif infected by "Trojan.Win32.Agent.aq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\84.13.6[1].gif infected by "Trojan.Win32.Agent.aq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\loader2[1].ocx infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\DRIVERS\ETC\svwhost32.exe.tcf infected by "TrojanDropper.Win32.Joiner.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\DRIVERS\ETC\svwhost32.exe1564.tcf infected by "TrojanDropper.Win32.Joiner.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\DRIVERS\ETC\svwhost32.exe8278.tcf infected by "TrojanDropper.Win32.Joiner.aj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\dust.exe infected by "Trojan-Dropper.Win32.Agent.dv" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\ieupdate.exe infected by "Backdoor.Win32.Wootbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\ldrx32c.exe infected by "Trojan-Downloader.Win32.Small.aig" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\msnmsgrs.exe infected by "Backdoor.Win32.Rbot.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\msvccc.exe.tcf infected by "TrojanDropper.Win32.Delf.bn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\svc.exe infected by "Trojan.Win32.Agent.aq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\svcshost.exe infected by "Backdoor.Win32.Wootbot.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\winasp.exe infected by "Backdoor.Win32.ForBot.r" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\YEA.REG infected by "Trojan.WinREG.LowZones.a" Virus. Action Taken: No Action Taken.


Mon Jan 31 13:07:47 2005 => ***** Scanning complete. *****
 
Mon Jan 31 13:07:47 2005 => Total Files Scanned: 37384
Mon Jan 31 13:07:47 2005 => Total Virus(es) Found: 52
Mon Jan 31 13:07:47 2005 => Total Disinfected Files: 0
Mon Jan 31 13:07:47 2005 => Total Files Renamed: 0
Mon Jan 31 13:07:47 2005 => Total Deleted Files: 0
Mon Jan 31 13:07:47 2005 => Total Errors: 17
Mon Jan 31 13:07:48 2005 => Time Elapsed: 00:42:49
Mon Jan 31 13:07:48 2005 => Virus Database Date: 2005/01/28
Mon Jan 31 13:07:48 2005 => Virus Database Count: 117012
 
Mon Jan 31 13:07:48 2005 => Scan Completed.

Did the search in RegSrch.vbs.

{3F143C3A-1457-6CCA-03A7-7AA23B61E40F} was not found.

tgbcde: "instances found three times"
Here's the WordPad results:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "tgbcde" 31/01/2005 14:24:33

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\tgbcde\\module32.exe"="C:\\WINDOWS\\tgbcde\\module32.exe:*:Enabled:module32"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\tgbcde\\module32.exe"="C:\\WINDOWS\\tgbcde\\module32.exe:*:Enabled:module32"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\tgbcde\\module32.exe"="C:\\WINDOWS\\tgbcde\\module32.exe:*:Enabled:module32"


C:\Windows\System32\mtwirl32.dll <--file   NOT FOUND
C:\Windows\library32.dll                   NOT FOUND
C:\WINDOWS\tgbcde\module32.exe             NOT FOUND
C:\windows\system32\csmss32.exe            FOUND
C:\Y.exe                                   NOT FOUND
C:\Z.exe                                   NOT FOUND


Well, that's everything. Hopefully we can get it sorted out. :)

Offline irish-paddy

« Reply #29 on: January 31, 2005, 09:53:36 AM »
Oh aye, uninstalled the Outpost firewall, just going to use the XP one for now.

I was also thinking of downloading WinMX, it sounds safest, but I'm not sure if it's safe to download it yet, especially as there are still loads of viruses on my computer :)

Offline irish-paddy

« Reply #30 on: January 31, 2005, 09:56:51 AM »
Oh yeah, couldn't help but notice this:
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\0006_adult[1].cab.tcf

That 0006_adult has been appearing on my comp even before I started the internet, and I've never been on any dodgy sites (not yet :D - only joking).

Could that have been got from a CD or DVD someone watched on my comp?

Just wondering.

Offline irish-paddy

« Reply #31 on: January 31, 2005, 10:00:26 AM »
The 0006_adult is in internet content. My 18-year-old younger bro says it wasn't him, but I don't believe him and he's been barred by me from using the internet.

Offline irish-paddy

« Reply #32 on: January 31, 2005, 10:02:11 AM »
:P

Offline guestolo

« Reply #33 on: January 31, 2005, 10:09:12 AM »
Hi Irish, we have a bit of cleaning to do I see.
I'm on my way to work so we'll have to tackle this later,
but we should be able to get it all.

We have to try and delete all those files.

We'll get a tool to help us; sorry, I don't have time right now.
Don't remove any .dll if you start any cleanup, we'll unregister them first.

Try to do minimal surfing until later.
If you do delete any files let me know which ones.



Offline irish-paddy

« Reply #34 on: January 31, 2005, 11:06:14 AM »
No probs guestolo, cheers.

I'll not do anything and I'll stay off the internet till later. B)

Offline guestolo

« Reply #35 on: January 31, 2005, 02:37:15 PM »
Let's try and get rid of some of this.

First: open Notepad (START>>>RUN>>>type in notepad) and hit Enter.
Copy the whole contents of the Quote box to Notepad.
In Notepad click FILE>>SAVE AS.
IMPORTANT>>>Change the Save as Type to All Files.
Name the file fix.reg.

Save this on the Desktop, we'll need this later.

Quote
Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\sysacpildap]

[-HKEY_CLASSES_ROOT\CLSID\{5E2121EE-0300-11D4-8D3B-444553540000}]

[-HKEY_CLASSES_ROOT\CLSID\{3F143C3A-1457-6CCA-03A7-7AA23B61E40F}]

[-HKEY_CURRENT_USER\Software\mzs]

[-HKEY_CLASSES_ROOT\acpi.acpi.1]

[-HKEY_CLASSES_ROOT\acpi.ext]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"tgbcde"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\tgbcde]

Make sure that Windows is set to Show Hidden Files and Folders:
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck Hide extensions for known file types.
* Click Yes to confirm.
* Click OK.

And know how to start in SAFE MODE; I'll be asking you to do this shortly.

Download Pocket Killbox from here:
http://www.downloads.subratam.org/KillBox.zip
Unzip the files to the folder of your choice.

Disconnect from the Internet completely

Disable System Restore>>Right click My Computer, left click Properties,
open the System Restore tab and check "Turn off System Restore".

Double-click on Killbox.exe to run it.

Copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox.
Put a mark next to "Delete on Reboot".
For any .dll file, additionally put a mark next to "Unregister .dll before deleting".
Click the red button with the X after each. It will ask you if you want to reboot each time you click it; answer "No".

C:\WINDOWS\autoclk.exe
C:\WINDOWS\YEA.REG
C:\WINDOWS\SYSTEM32\msvccc.exe.tcf
C:\WINDOWS\SYSTEM32\wdrk32.exe
C:\WINDOWS\system32\swwhost.exe
C:\WINDOWS\ahadp.exe
C:\WINDOWS\System32\dust.exe
C:\WINDOWS\SYSTEM32\CMSSCS.EXE
C:\WINDOWS\System32\ieupdate.exe
C:\WINDOWS\System32\ldrx32c.exe
C:\WINDOWS\System32\msnmsgrs.exe
C:\WINDOWS\System32\svc.exe
C:\WINDOWS\System32\svcshost.exe
C:\WINDOWS\System32\winasp.exe
C:\WINDOWS\ahadp.exe
C:\WINDOWS\LastGood\System32\setup.exe.tcf
C:\WINDOWS\SECURITY\templates\asa\asa.dbx
C:\WINDOWS\SECURITY\templates\asa\sman.dbx
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\svwhost32.exe.tcf
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\svwhost32.exe1564.tcf
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\svwhost32.exe8278.tcf
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
C:\WINDOWS\tgbcde\module32.exe
C:\windows\system32\csmss32.exe
C:\Y.exe
C:\Z.exe
C:\WINDOWS\System32\winacpi.dll
C:\Windows\System32\mtwirl32.dll
C:\Windows\library32.dll
C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
C:\WINDOWS\Downloaded Program Files\AdStatServX.dll


When you've pasted the last full path of file to delete, Answer YES
And allow the system to Reboot
Please Reboot into SAFE MODE at this time

Go to START>>RUN>>type in
regedit

Navigate to these entries in the registry

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
Highlight LIST
On the right hand side look for any of these entries
"C:\\WINDOWS\\tgbcde\\module32.exe"="C:\\WINDOWS\\tgbcde\\module32.exe:*:Enabled:module32"
"c:\\windows\\system32\\csmss32.exe"="c:\\windows\\system32\\csmss32.exe:*:Enabled:csmss32"
"c:\\z.exe"="c:\\z.exe:*:Enabled:cmsscs"

If you see them on the right hand side
Try right clicking on them
EG>>>C:\\WINDOWS\\tgbcde\\module32.exe
and choose DELETE

Navigate to these keys and do the same as above
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

Notice the differences are the ControlSet entries

Exit the Registry Editor

Double click on fix.reg you saved earlier to desktop and allow it to merge to the registry

Stay in safe mode
If you find these folders try and delete them
C:\WINDOWS\tgbcde <--this folder
C:\WINDOWS\EliteSideBar <--folder
C:\WINDOWS\SECURITY\templates\asa <--folder
C:\WINDOWS\Downloaded Program Files\CONFLICT <--let me know if these folders(controls) exist

Again, in safe mode
Run Windows CleanUp! one more time

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
YES and exit Hijackthis

In safe mode
Open Ad-Aware and Perform another full system scan
Removing all Critical objects

Restart back to Normal Mode

Re-enable System Restore

Open Up Hoster and let it create a New Host file
Restore original hosts

Run another scan with Kaspersky's <<I mean eScan's MWAV
Copy and paste back here the results from the lower pane

Also post back a fresh Hijackthis log

Do what you can from the above, all if you can, run the scan again with Mwav
and post results and Post a fresh hijackthis log regardless of what you were able to accomplish

Could you also
Download ServiceFilter.zip
Unzip the contents to a folder
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

P.S. I didn't mean for you to uninstall Outpost, it will just be affected by this
until we get you clean>>>Seeing that it is now uninstalled, leave it removed
for now
« Last Edit: November 24, 2005, 08:28:58 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
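The firewall list check above, done the way a defender would automate it, as an added example that is not part of the thread or of any tool it mentions: it parses a regedit export of the AuthorizedApplications\List key (the `"path"="path:scope:state:name"` value format shown above) and flags enabled rules whose binary lives outside Program Files or System32, sits in the drive root, or imitates a core Windows process name. The sample export is constructed from the three entries named above plus svcshost.exe from the Killbox list and two benign Windows entries; the trusted-directory list, the core-process name list and the look-alike heuristic are my assumptions, not anything the thread prescribes.

```python
"""Triage of the Windows XP firewall's AuthorizedApplications list (added
example, not a tool from the thread). Input is the text regedit exports for
...\FirewallPolicy\StandardProfile\AuthorizedApplications\List, where each
value reads  "<path>"="<path>:<scope>:<Enabled|Disabled>:<display name>".
Only value lines are matched, so it works the same for ControlSet001,
ControlSet003 and CurrentControlSet exports."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample export: the three entries the thread names, svcshost.exe
# from the Killbox list, and two benign Windows entries for contrast.
SAMPLE_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\tgbcde\\module32.exe"="C:\\WINDOWS\\tgbcde\\module32.exe:*:Enabled:module32"
"c:\\windows\\system32\\csmss32.exe"="c:\\windows\\system32\\csmss32.exe:*:Enabled:csmss32"
"c:\\z.exe"="c:\\z.exe:*:Enabled:cmsscs"
"c:\\windows\\system32\\svcshost.exe"="c:\\windows\\system32\\svcshost.exe:*:Enabled:svcshost"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"$')
# Assumed trusted locations (lower-case, trailing backslash) for this triage.
TRUSTED_DIRS = ('c:\\program files\\', 'c:\\windows\\system32\\', '%windir%\\system32\\')
# Assumed list of core process names that malware commonly imitates.
CORE_NAMES = ('smss', 'csrss', 'winlogon', 'services', 'lsass', 'svchost', 'spoolsv', 'explorer')


@dataclass
class FirewallRule:
    path: str
    scope: str      # '*' means any remote address
    enabled: bool
    display: str


def parse_list_key(text: str) -> list[FirewallRule]:
    """Turn the value lines of a regedit export into FirewallRule records."""
    rules = []
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        data = m['data'].replace('\\\\', '\\')   # undo regedit's doubled backslashes
        parts = data.rsplit(':', 3)                # the path itself contains 'C:'
        if len(parts) != 4:
            continue
        path, scope, state, display = parts
        rules.append(FirewallRule(path, scope, state.lower() == 'enabled', display))
    return rules


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character look-alike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _stem(path: str) -> str:
    base = path.rsplit('\\', 1)[-1].lower()
    return base.rsplit('.', 1)[0]


def reasons_for(rule: FirewallRule) -> list[str]:
    """Heuristic reasons a rule deserves a closer look (empty list = none)."""
    p = rule.path.lower()
    reasons = []
    if not p.startswith(TRUSTED_DIRS):
        reasons.append('binary outside Program Files / System32')
    if re.match(r'^[a-z]:\\[^\\]+$', p):
        reasons.append('binary sits in the drive root')
    stem = _stem(p)
    for core in CORE_NAMES:
        if stem != core and (core in stem or _edit_distance(stem, core) <= 1):
            reasons.append(f'name imitates core Windows process "{core}"')
            break
    return reasons


def suspicious_rules(text: str) -> dict[str, list[str]]:
    """Map each enabled, suspicious rule path to its list of reasons."""
    flagged = {}
    for rule in parse_list_key(text):
        reasons = reasons_for(rule)
        if rule.enabled and reasons:
            flagged[rule.path] = reasons
    return flagged


if __name__ == '__main__':
    for path, reasons in suspicious_rules(SAMPLE_EXPORT).items():
        print(f'{path}: {"; ".join(reasons)}')
```

Run it against a real export with `suspicious_rules(open('list.reg').read())`. A location-only check would pass csmss32.exe because it sits in System32, which is why the look-alike test is there; conversely a flagged entry is a reason to examine the file, not a verdict on it.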


Guest
CANY ANY1 HELP?
« Reply #36 on: January 31, 2005, 05:15:43 PM »
Done everything, all went well

C:\WINDOWS\tgbcde                      NOT FOUND
C:\WINDOWS\EliteSideBar               FOUND AND DELETED
C:\WINDOWS\SECURITY\templates\asa        FOUND AND DELETED
C:\WINDOWS\Downloaded Program Files\CONFLICT     NOT FOUND

DONE system cleanup

no critical errors found in Ad-Aware scan

just doing the escan/Kaspersky now, will post results back soon

Offline guestolo

CANY ANY1 HELP?
« Reply #37 on: January 31, 2005, 05:21:46 PM »
Quote
DONE system cleanup

You are talking about Windows CleanUp! by StevenGould
Right?

Are you sending me this info from another computer?
« Last Edit: January 31, 2005, 05:30:13 PM by guestolo »



Offline irish-paddy

CANY ANY1 HELP?
« Reply #38 on: January 31, 2005, 05:52:49 PM »
Yeah, that system cleanup. Forgot to log on, that's why it was coming up as guest.

File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.10\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.11\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.12\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.13\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.14\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.3\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.4\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.5\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.6\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.7\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.8\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.9\AdStatServX.dll infected by "not-a-virus:AdWare.WinAD.p" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6JYLAZOX\a176af[1].js infected by "Trojan-Downloader.JS.Small.af" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O9YJK1IJ\ldrx32c[1].exe infected by "Trojan-Downloader.Win32.Small.aig" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\84.13.4[1].gif infected by "Trojan.Win32.Agent.aq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\84.13.6[1].gif infected by "Trojan.Win32.Agent.aq" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H\loader2[1].ocx infected by "Trojan-Downloader.Win32.Agent.ex" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\_MSRSTRT.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.





Logfile of HijackThis v1.99.0
Scan saved at 22:47:06, on 31/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Eicon\Diva\DiTask.exe
C:\Program Files\Eicon\Diva\Divamon.exe
C:\Program Files\Eicon\Diva\watch.exe
C:\Program Files\Eicon\Diva\cgserver.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Eicon\Diva\diinfo.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Patrick Deighan\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DiTask.exe] "C:\Program Files\Eicon\Diva\DiTask.exe"
O4 - HKLM\..\Run: [Divamon.exe] "C:\Program Files\Eicon\Diva\Divamon.exe"
O4 - HKLM\..\Run: [Eicon TechnologyLAN_DAEMON] "C:\Program Files\Eicon\Diva\watch.exe"
O4 - HKLM\..\Run: [CGServer] "C:\Program Files\Eicon\Diva\cgserver.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.1\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\TalkTalk Broadband\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe




heres the post_this
The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Jan 31, 2005 22:51:06


===> Begin Service Listing <===

Unknown Service #1
Service Name: SAVScan
Display Name: SAVScan
Start Mode: Manual
Start Name: LocalSystem
Description: Handles Norton AntiVirus Auto-Protect Archive ...
Service Type: Own Process
Path: c:\program files\norton antivirus\savscan.exe
State: Running
Process ID: 1736
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: True

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{f79a1568-d6c5-4c69-a086-936cf52dbbe3}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 84 Win32 services on this machine.
2 were unrecognized.

Script Execution Time: 17.29688 seconds.


sorry it took so long, and once again many thanks for all your time and help! :)
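A structured look at the HijackThis log above, as an added example that is not part of the thread or of HijackThis itself: it parses the O4 autostart, O16 ActiveX download and O17 NameServer lines and classifies each DNS server with Python's ipaddress module, so an interface whose resolver is 127.0.0.1 (as the first O17 line above shows) is reported on its own. The sample lines are taken from the posted log; the classification labels, dataclasses and function names are my own.

```python
"""Structured triage of HijackThis v1.99 log lines (added example, not part
of HijackThis or of the thread). O4 = autostart entries, O16 = ActiveX
downloads (DPF), O17 = per-interface DNS server overrides."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the format of the log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [spoolsvr32] c:\windows\system32\csmss32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{77B98371-66A7-4A40-B65A-72A5A378BDC9}: NameServer = 127.0.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{EA5177B9-928B-4318-BD72-8CF666360BD9}: NameServer = 62.24.199.10 62.24.199.20
"""

O4_RE = re.compile(r'^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<label>[^)]*)\) - (?P<url>\S+)$')
O17_RE = re.compile(r'^O17 - .*?(?P<iface>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.+)$')


@dataclass
class Autostart:
    where: str        # e.g. HKLM\..\Run
    name: str         # value name shown in [brackets]
    executable: str   # first token of the command, quotes removed
    command: str


@dataclass
class NameServerEntry:
    iface: str        # interface GUID
    server: str
    kind: str         # loopback / private / public / invalid


def _executable_of(cmd: str) -> str:
    """Return the program a Run command launches (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(' ', 1)[0]


def classify_server(addr: str) -> str:
    """Label a DNS server address; loopback is checked before private."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return 'invalid'
    if ip.is_loopback:
        return 'loopback'
    if ip.is_private:
        return 'private'
    return 'public'


def parse_log(text: str) -> tuple[list[Autostart], list[tuple[str, str, str | None]], list[NameServerEntry]]:
    autostarts, activex, nameservers = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            autostarts.append(Autostart(m['where'], m['name'], _executable_of(m['cmd']), m['cmd']))
        elif m := O16_RE.match(line):
            activex.append((m['clsid'], m['label'], urlparse(m['url']).hostname))
        elif m := O17_RE.match(line):
            for server in m['servers'].split():
                nameservers.append(NameServerEntry(m['iface'], server, classify_server(server)))
    return autostarts, activex, nameservers


def loopback_dns_interfaces(text: str) -> list[str]:
    """Interfaces whose resolver is the host itself: every lookup from them is
    answered by some local process on UDP/53, which must be accounted for."""
    _, _, servers = parse_log(text)
    return sorted({s.iface for s in servers if s.kind == 'loopback'})


if __name__ == '__main__':
    autos, ax, ns = parse_log(SAMPLE_LOG)
    for a in autos:
        print(f'autostart {a.where} [{a.name}] -> {a.executable}')
    for clsid, label, host in ax:
        print(f'activex {clsid} ({label}) from {host}')
    for s in ns:
        print(f'dns {s.iface} {s.server} ({s.kind})')
    print('loopback resolver on:', loopback_dns_interfaces(SAMPLE_LOG))
```

A loopback NameServer can be legitimate (a local caching resolver), but together with the HOSTS file that had to be replaced earlier in this thread it is the entry to account for first: identify the process that answers on UDP/53 locally before trusting any name resolution from that interface.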

Offline irish-paddy

CANY ANY1 HELP?
« Reply #39 on: January 31, 2005, 05:58:08 PM »
don't know if this is any help, but for the third time tonight
"windows explorer has encountered a problem" and had to close.