Post #1, 06-16-2006, 12:16 PM
anksmashpunk (Registered User; Join Date: Jun 2006; Posts: 17; OS: Windows XP SP2)

Firefox/norton/program crashes

Recently several programs have been giving me trouble. Firefox will ALWAYS crash when trying to watch YouTube videos (but not Google videos). Also, I get this annoying Shockwave plugin error where it strongly advises me to close and restart Firefox. Sometimes when I restart my computer I will get a Symantec user session error that makes it close and I have to restart ccapp.exe manually. Also, several programs that I use have been acting weird. I use RegSupreme to clean up bad registry files but for some reason it does not work anymore. It just freezes. Also, when I try to scan my registry with CCleaner it doesn't freeze but it does hang for like 5 seconds before it begins working and when it hits 84%.

Here's my log:

Logfile of HijackThis v1.99.1
Scan saved at 9:50:33 AM, on 06/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATITool\ATITool.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Computer Applications\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Computer Applications\hijack this\HijackThis.exe
C:\PROGRA~1\MOZILLA FIREFOX\FIREFOX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\COMPUT~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATITool] "C:\Program Files\ATI Technologies\ATITool\ATITool.exe" -s
O8 - Extra context menu item: Download All by FlashGet - C:\Computer Applications\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Computer Applications\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\flashget.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02B0A09E-0184-4AA6-BD3C-7E2F459119D2}: NameServer = 85.255.115.4,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: NameServer = 85.255.115.4,85.255.112.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{02B0A09E-0184-4AA6-BD3C-7E2F459119D2}: NameServer = 85.255.115.4,85.255.112.15
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Computer Applications\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Computer Applications\ewido anti-malware\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Computer Applications\SiSoft Sandra\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Computer Applications\SiSoft Sandra\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\Script Blocking\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Post #2, 06-16-2006, 09:44 PM
greyknight17 (Analyst, Security Team; Join Date: Jul 2004; Location: New York; Posts: 14,331; OS: Windows 98 & Windows XP Home/Pro)

Welcome to TSF.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install. Make sure 'Run fixit' is checked and click Finish. The fix will begin. Follow the prompts. You will be asked to reboot your computer. Your system may take longer than usual to load - this is normal.

Wait until your desktop loads. A notepad file called report.txt should open up. Post that log here along with a new HijackThis log.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

Post #3, 06-17-2006, 10:51 AM
anksmashpunk (Registered User; Join Date: Jun 2006; Posts: 17; OS: Windows XP SP2)

Here is the Fixwareout report:


Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F3FD63149DE6-B1BB-C884-8A3E-5F7DDACC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\nevmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmven.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM

»»»»» Misc files
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM


And here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:48:36 AM, on 06/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATITool\ATITool.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Computer Applications\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Computer Applications\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\COMPUT~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATITool] "C:\Program Files\ATI Technologies\ATITool\ATITool.exe" -s
O8 - Extra context menu item: Download All by FlashGet - C:\Computer Applications\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Computer Applications\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\flashget.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{02B0A09E-0184-4AA6-BD3C-7E2F459119D2}: NameServer = 85.255.115.4,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: NameServer = 85.255.115.4,85.255.112.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{02B0A09E-0184-4AA6-BD3C-7E2F459119D2}: NameServer = 85.255.115.4,85.255.112.15
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Computer Applications\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Computer Applications\ewido anti-malware\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Computer Applications\SiSoft Sandra\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Computer Applications\SiSoft Sandra\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\Script Blocking\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


EDIT: I just checked and CCleaner is no longer hanging at 0% and 84%. Also, RegSupreme doesn't freeze every time I run it. :] I have yet to check if Firefox still crashes and if Norton still gets that error.

Edit #2: Firefox also isn't crashing anymore while watching YouTube videos and I'm not getting those Shockwave plugin errors.

Last edited by anksmashpunk; 06-17-2006 at 11:12 AM.
Post #4, 06-17-2006, 05:47 PM
greyknight17 (Analyst, Security Team; Join Date: Jul 2004; Location: New York; Posts: 14,331; OS: Windows 98 & Windows XP Home/Pro)

Something went wrong there. I want you to go to c:\fixwareout and see if you can find the locate.com file in the FindT folder. If not, extract the install file again by downloading the fixwareout.exe file again. Otherwise, just double click on the FixIt.bat file in c:\fixwareout\ folder.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you checked the last one:

O17 - HKLM\System\CCS\Services\Tcpip\..\{02B0A09E-0184-4AA6-BD3C-7E2F459119D2}: NameServer = 85.255.115.4,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{2810EB22-763D-4D0C-9450-64BBD1758685}: NameServer = 85.255.115.4,85.255.112.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{02B0A09E-0184-4AA6-BD3C-7E2F459119D2}: NameServer = 85.255.115.4,85.255.112.15


Restart and post a new HijackThis and the report.txt file from Fixwareout.
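The O17 lines greyknight17 asks to fix above are statically configured DNS servers tied to a network interface GUID under each registry control set. A machine whose resolvers point somewhere the user never chose has every name lookup answered by whoever runs those servers, which is why they are the first thing to check in a log like this. The Python below is an added example written for this page; it is not part of the thread, of HijackThis or of Fixwareout. It parses O17 entries out of HijackThis-format text, flags NameServer addresses that fall outside an analyst-supplied allowlist (the RFC 1918 and loopback ranges used here are an assumption; a real list would add the ISP's resolvers), and diffs two logs so the entries a fix removed can be confirmed. The log excerpts are constructed from the entries in this thread; the second interface GUID is made up.

```python
import ipaddress
import re

# Constructed log excerpts modelled on the first and last HijackThis logs in this thread.
# Only entry lines are kept; the second interface GUID ({...BEEF}) is made up for the example.
HJT_BEFORE = r"""
O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{02B0A09E-0184-4AA6-BD3C-7E2F459119D2}: NameServer = 85.255.115.4,85.255.112.15
O17 - HKLM\System\CS1\Services\Tcpip\..\{02B0A09E-0184-4AA6-BD3C-7E2F459119D2}: NameServer = 85.255.115.4,85.255.112.15
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-00000000BEEF}: NameServer = 192.168.1.1
""".strip()

HJT_AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-00000000BEEF}: NameServer = 192.168.1.1
""".strip()

# Analyst-supplied allowlist (an assumption for this example): private and loopback space.
# In practice the ISP's or corporate resolvers are added here.
TRUSTED_DNS_NETWORKS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]

# O17 - HKLM\System\<control set>\Services\Tcpip\..\{<interface GUID>}: NameServer = a,b
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<ctlset>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>.+)$"
)

# Any R0/R1/O<n> entry line; the header and "Running processes" block vary run to run.
ENTRY_RE = re.compile(r"^(R\d|O\d+) - ")


def parse_o17(log_text):
    """Return (control set, interface GUID, [server, ...]) for every O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
            entries.append((m.group("ctlset"), m.group("guid"), servers))
    return entries


def untrusted_nameservers(log_text, trusted_networks):
    """Flag each statically set resolver that falls outside the allowlist.

    Values that are not IP addresses at all are flagged too: they deserve a look
    rather than a silent skip.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    flagged = []
    for ctlset, guid, servers in parse_o17(log_text):
        for server in servers:
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                flagged.append((ctlset, guid, server))
                continue
            if not any(addr in net for net in nets):
                flagged.append((ctlset, guid, server))
    return flagged


def hijacked_interfaces(log_text, trusted_networks):
    """Interface GUIDs that carry at least one untrusted resolver, in any control set."""
    return sorted({guid for _, guid, _ in untrusted_nameservers(log_text, trusted_networks)})


def diff_entries(before, after):
    """Entry lines removed and added between two logs, as two sorted lists."""
    def entries(text):
        return {ln.strip() for ln in text.splitlines() if ENTRY_RE.match(ln.strip())}
    b, a = entries(before), entries(after)
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for ctlset, guid, server in untrusted_nameservers(HJT_BEFORE, TRUSTED_DNS_NETWORKS):
        print(f"untrusted resolver {server} on {guid} ({ctlset})")
    removed, added = diff_entries(HJT_BEFORE, HJT_AFTER)
    print("removed by fix:", *removed, sep="\n  ")
    print("newly appeared:", *added, sep="\n  ")
```

HijackThis lists the same interface GUID under CCS and CS1 because CurrentControlSet is a link to one of the numbered control sets; a fix that clears one view but not the other would have the entry reported again on the next scan, which is why the checker reports each control set separately rather than collapsing them.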
Post #5, 06-17-2006, 06:18 PM
anksmashpunk (Registered User; Join Date: Jun 2006; Posts: 17; OS: Windows XP SP2)

Here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:15:46 PM, on 06/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATITool\ATITool.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Computer Applications\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Computer Applications\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\COMPUT~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATITool] "C:\Program Files\ATI Technologies\ATITool\ATITool.exe" -s
O8 - Extra context menu item: Download All by FlashGet - C:\Computer Applications\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Computer Applications\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\flashget.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Computer Applications\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Computer Applications\ewido anti-malware\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Computer Applications\SiSoft Sandra\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Computer Applications\SiSoft Sandra\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\Script Blocking\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Fixwareout report.txt:


Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM

»»»»» Misc files
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Post #6, 06-18-2006, 04:32 PM
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team; Join Date: Jan 2005; Location: Ohio; Posts: 26,530; OS: WinXP and Vista)

Hi anksmashpunk,

The tool needs a live internet connection to run. Are you remaining connected to the internet when running FixWareOut?

------------------------------------------

We need an online scan as well to see if anything else is lurking about your system.


Perform an online scan using Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Check Now & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Enter your e-mail address, country, and state & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and wants you to buy the program for removal as we will address this later.
  • Click on see report. Then click Save report

Please include those results along with a new HijackThis log in your next reply.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Post #7, 06-18-2006, 06:48 PM
anksmashpunk (Registered User; Join Date: Jun 2006; Posts: 17; OS: Windows XP SP2)

Yeah, I am connected to the internet when running Fixwareout.

I ran the Panda ActiveScan; here's the report:


Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.atwola.com/]
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.valueclick.com/]
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.ads.pointroll.com/]
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.zedo.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/QkSrv Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.qksrv.net/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Me\Cookies\me@advertising[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Me\Cookies\me@doubleclick[1].txt
Adware:Adware/Trebuh Not disinfected C:\WINDOWS\SYSTEM32\csfti.exe
Virus:Trj/Ruins.Y Disinfected C:\WINDOWS\SYSTEM32\dmven.exe


And here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:44:47 PM, on 06/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATITool\ATITool.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Computer Applications\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Computer Applications\hijack this\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\COMPUT~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATITool] "C:\Program Files\ATI Technologies\ATITool\ATITool.exe" -s
O8 - Extra context menu item: Download All by FlashGet - C:\Computer Applications\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Computer Applications\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\flashget.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Computer Applications\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Computer Applications\ewido anti-malware\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Computer Applications\SiSoft Sandra\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Computer Applications\SiSoft Sandra\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\Script Blocking\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


When I ran Panda ActiveScan I got a popup that I had some sort of trojan, and it said the filename was windows\system32\howiper.exe or something like that.
anksmashpunk is offline  
Old 06-18-2006, 08:47 PM   #8 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
Ried's Avatar
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,530
OS: WinXP and Vista


Hello anksmashpunk,

I don't like the fact that FixWareout didn't run properly, nor Panda's failure to detect howiper.exe.

Download this file - Find3M.zip
It's important that you extract the contents to a new folder. Do not run it yet.

Download WinPFind and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Do Not run it yet.

-------------------------------------

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.

-------------------------------------

Delete the following files:

C:\WINDOWS\SYSTEM32\csfti.exe
C:\WINDOWS\SYSTEM32\dmven.exe
C:\WINDOWS\SYSTEM32\howiper.exe


-------------------------------------

Inside C:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns, so please be patient while it works, as it can take a while, upwards of 30 minutes or more. Once the scan is complete it will make a txt file (log) of what was found. Save that log and post it here.

-------------------------------------

Restart one more time back into Normal Mode.

-------------------------------------

Double-click on Find3M.bat and it will produce a logfile for you to post back here along with the WinPFind .txt.
Ried is offline  
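To show how a helper reads a Panda ActiveScan report like the one posted above (tracking cookies are noise, as the scan instructions in this thread say; real files that were "Not disinfected" go on the Safe Mode deletion list, and "Disinfected" files are still checked by hand, which is why dmven.exe appears on that list), here is an added Python example that is not from the thread, from Panda or from the helper. The sample report text is constructed from the format of the posted report, and the status words beyond "Not disinfected" and "Disinfected" are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Panda ActiveScan prints one incident per line: "<category>:<name> <status> <location>".
# The status column is a short fixed vocabulary; matching it explicitly is what lets us
# split off an incident name that itself contains spaces (e.g. "Cookie/Atlas DMT").
# Only "Not disinfected" and "Disinfected" appear in the thread; the rest are assumed.
STATUS_WORDS = ("Not disinfected", "Disinfected", "Deleted", "Quarantined", "Renamed")
LINE_RE = re.compile(
    r"^(?P<incident>\S.*?)\s+(?P<status>"
    + "|".join(re.escape(s) for s in STATUS_WORDS)
    + r")\s+(?P<location>.+)$"
)
# A cookie stored inside a Firefox cookies.txt is reported as "<path>[<host>/]".
COOKIE_HOST_RE = re.compile(r"cookies\.txt\[(?P<host>[^\]]+)\]$")


@dataclass(frozen=True)
class Incident:
    category: str   # e.g. "Spyware", "Adware", "Virus"
    name: str       # e.g. "Cookie/Doubleclick", "Adware/Trebuh", "Trj/Ruins.Y"
    status: str     # e.g. "Not disinfected", "Disinfected"
    location: str   # file path, possibly with a "[host/]" cookie suffix

    @property
    def is_tracking_cookie(self) -> bool:
        return self.category == "Spyware" and self.name.startswith("Cookie/")

    @property
    def cookie_host(self) -> Optional[str]:
        m = COOKIE_HOST_RE.search(self.location)
        return m.group("host") if m else None


def parse_report(text: str) -> list:
    """Parse a pasted report body; the header and blank lines are skipped, unknown lines ignored."""
    incidents = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Incident Status Location"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        category, _, name = m.group("incident").partition(":")
        incidents.append(Incident(category, name, m.group("status"), m.group("location")))
    return incidents


def triage(incidents: list) -> dict:
    """Sort incidents into the three buckets a helper treats differently.

    tracking_cookies      - browser cookies: nothing to delete for this purpose
    needs_manual_removal  - real files the scanner could not clean: the Safe Mode delete list
    verify_removed        - files reported as cleaned: "Disinfected" does not guarantee the
                            file is gone, so its absence is confirmed by hand
    """
    buckets = {"tracking_cookies": [], "needs_manual_removal": [], "verify_removed": []}
    for inc in incidents:
        if inc.is_tracking_cookie:
            key = "tracking_cookies"
        elif inc.status == "Not disinfected":
            key = "needs_manual_removal"
        else:
            key = "verify_removed"
        if inc.location not in buckets[key]:   # the report can list the same entry twice
            buckets[key].append(inc.location)
    return buckets


# Constructed sample in the posted report's format (a subset of the entries in the thread).
SAMPLE_REPORT = r"""
Incident Status Location

Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Me\Application Data\Mozilla\Firefox\Profiles\lkbcx1wk.default\cookies.txt[.serving-sys.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Me\Cookies\me@doubleclick[1].txt
Adware:Adware/Trebuh Not disinfected C:\WINDOWS\SYSTEM32\csfti.exe
Virus:Trj/Ruins.Y Disinfected C:\WINDOWS\SYSTEM32\dmven.exe
"""

if __name__ == "__main__":
    for bucket, paths in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{bucket} ({len(paths)}):")
        for p in paths:
            print("   ", p)
```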
Old 06-18-2006, 10:33 PM   #9 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 17
OS: Windows XP SP2


OK, there were some problems. When I tried to download find3m.zip from that link I got an error 404. I found another copy somewhere else online and downloaded that.

When I went into safe mode, I found that whenever I typed a key on my keyboard it would instantly freeze up, and the only thing I could do was restart by hitting the power button on my case. When it booted up to normal mode after crashing, it flashed "keyboard failure" on one of those loading screens and then booted normally. Then I went back into safe mode and tried again and got the same result. So I once again went to safe mode and used the on-screen keyboard to do stuff without having to type.

I searched and only found howiper.exe, not csfti.exe or dmven.exe (this may be because I ran ewido and Ad-Aware after seeing that Panda ActiveScan found some spyware). I deleted howiper. After deleting it, I found that I could use the keyboard normally and it didn't crash every time I typed a key.

I ran WinPFind and then booted to normal mode, and I saw that my copy of Find3M was find3m.exe, not find3m.bat. I hope I got the right file.

Here's my WinPFind log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 03/02/2005 10:04:44 AM 56832 C:\WINDOWS\Unwash6.exe

Checking %System% folder...
UPX! 10/07/2005 10:14:52 AM 308224 C:\WINDOWS\SYSTEM32\avisynth.dll
PEC2 11/17/1996 11:00:00 PM 748167 C:\WINDOWS\SYSTEM32\Co2c40en.dll
aspack 03/18/2005 6:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 08/04/2004 3:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PEC2 06/09/2005 1:32:28 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 06/09/2005 1:32:28 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 02/14/2006 9:20:14 AM 550120 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 06/09/2005 2:35:28 PM 1292120 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 06/09/2005 2:35:28 PM 1292120 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 08/04/2004 3:00:00 AM 708096 C:\WINDOWS\SYSTEM32\NTDLL.DLL
Umonitor 08/04/2004 3:00:00 AM 657920 C:\WINDOWS\SYSTEM32\RASDLG.DLL
winsync 08/04/2004 3:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
06/18/2006 9:11:42 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
06/18/2006 6:59:16 PM H 54156 C:\WINDOWS\QTFont.qfn
06/18/2006 9:11:40 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
06/18/2006 9:11:48 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
06/18/2006 9:11:44 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
06/18/2006 9:12:20 PM H 49152 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
06/18/2006 9:11:38 PM H 4743168 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
06/18/2006 9:08:26 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 08/04/2004 3:00:00 AM 549888 C:\WINDOWS\SYSTEM32\APPWIZ.CPL
Borland Software Corporation 10/07/2003 11:39:00 AM 184320 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 08/04/2004 3:00:00 AM 110592 C:\WINDOWS\SYSTEM32\BTHPROPS.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 135168 C:\WINDOWS\SYSTEM32\DESK.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 80384 C:\WINDOWS\SYSTEM32\FIREWALL.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 155136 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 358400 C:\WINDOWS\SYSTEM32\INETCPL.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 129536 C:\WINDOWS\SYSTEM32\INTL.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 380416 C:\WINDOWS\SYSTEM32\IRPROPS.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 68608 C:\WINDOWS\SYSTEM32\JOY.CPL
Sun Microsystems 11/19/2003 3:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 08/04/2004 3:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 618496 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 25600 C:\WINDOWS\SYSTEM32\NETSETUP.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 257024 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 32768 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 114688 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
RealNetworks, Inc. 06/27/2005 8:50:14 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
SiSoftware 06/29/2005 6:00:10 PM 53248 C:\WINDOWS\SYSTEM32\SanCpl.cpl
Microsoft Corporation 08/04/2004 3:00:00 AM 298496 C:\WINDOWS\SYSTEM32\SYSDM.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 94208 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 08/04/2004 3:00:00 AM 148480 C:\WINDOWS\SYSTEM32\WSCUI.CPL
Microsoft Corporation 05/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 05/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
08/10/2004 11:04:12 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %ALLUSERSPROFILE%\Application Data folder...
08/10/2004 10:57:42 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI
04/05/2006 9:17:38 PM 1359 C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache

Checking files in %USERPROFILE%\Startup folder...
08/10/2004 11:04:12 AM HS 84 C:\Documents and Settings\Me\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
08/10/2004 10:57:42 AM HS 62 C:\Documents and Settings\Me\Application Data\DESKTOP.INI

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A5366673-E8CA-11D3-9CD9-0090271D075B}
IeCatch2 Class = C:\COMPUT~1\FlashGet\jccatch.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\system32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\system32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{E0E899AB-F487-11D5-8D29-0050BA6940E3} = FlashGet Bar : C:\COMPUT~1\FlashGet\fgiebar.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM95\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{D6E814A0-E0C5-11d4-8D29-0050BA6940E3}
ButtonText = FlashGet : C:\COMPUT~1\FlashGet\flashget.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\system32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ATITool "C:\Program Files\ATI Technologies\ATITool\ATITool.exe" -s

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandFrom

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\ExpandTo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ATI CATALYST System Tray.lnk
backup C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup
location Common Startup
item ATI CATALYST System Tray
backup C:\WINDOWS\pss\ATI CATALYST System Tray.lnkCommon Startup
location Common Startup
item ATI CATALYST System Tray

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DllCmd32.lnk
backup C:\WINDOWS\pss\DllCmd32.lnkCommon Startup
location Common Startup
item DllCmd32
backup C:\WINDOWS\pss\DllCmd32.lnkCommon Startup
location Common Startup
item DllCmd32

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP LaserJet 3100 Status.lnk
backup C:\WINDOWS\pss\HP LaserJet 3100 Status.lnkCommon Startup
location Common Startup
item HP LaserJet 3100 Status
backup C:\WINDOWS\pss\HP LaserJet 3100 Status.lnkCommon Startup
location Common Startup
item HP LaserJet 3100 Status

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item Microsoft Office
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~2\Office\OSA9.EXE -b -l
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Me^Start Menu^Programs^Startup^Adobe Gamma.lnk
backup C:\WINDOWS\pss\Adobe Gamma.lnkStartup
location Startup
command C:\PROGRA~1\COMMON~1\Adobe\Calibration\Adobe Gamma Loader.exe
item Adobe Gamma
backup C:\WINDOWS\pss\Adobe Gamma.lnkStartup
location Startup
command C:\PROGRA~1\COMMON~1\Adobe\Calibration\Adobe Gamma Loader.exe
item Adobe Gamma

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item
hkey HKLM
command
inimapping 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATICCC
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cli
hkey HKLM
command "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cli
hkey HKLM
command "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ATIPTA
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item atiptaxx
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DiskeeperSystray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DkIcon
hkey HKLM
command "C:\Computer Applications\Diskeeper\DkIcon.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DkIcon
hkey HKLM
command "C:\Computer Applications\Diskeeper\DkIcon.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\DVDLauncher
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DVDLauncher
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item DVDLauncher
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ISUSPM Startup
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ISUSPM
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ISUSPM
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item iTunesHelper
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load
key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
item
hkey HKCU
command
inimapping 1
key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
item
hkey HKCU
command
inimapping 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command ;"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command ;"C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SoundMAXPnP
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item smax4pnp
hkey HKLM
command C:\Program Files\Analog Devices\Core\smax4pnp.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item smax4pnp
hkey HKLM
command C:\Program Files\Analog Devices\Core\smax4pnp.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command C:\PROGRA~1\SymNetDrv\SNDMon.exe /Consumer
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKLM
command C:\PROGRA~1\SymNetDrv\SNDMon.exe /Consumer
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Window Washer
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wwDisp
hkey HKCU
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wwDisp
hkey HKCU
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoCDBurning 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700} 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
NoRecentDocsNetHood 
NoStrCmpLogical 
NoSMMyPictures 
NoNetworkConnections 
NoUserNameInStartMenu 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\system32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\system32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent
= Ati2evxx.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 06/18/2006 9:20:16 PM


And here's my find3M log:


FIND FILES - 06/18/2006 21:24:40.14
A copy of this report is located at C:\find3M-LOG.txt

= = = = = = = = = = = = = = = = = = = = = =

"C:\WINDOWS\SYSTEM32\asuninst.exe" _ 2006-04-06 _ 10:54:38 _ 72.00 K _ A....
"C:\WINDOWS\SYSTEM32\ati2cqag.dll" _ 2006-03-21 _ 20:12:24 _ 252.00 K _ A....
"C:\WINDOWS\SYSTEM32\ati2dvag.dll" _ 2006-03-21 _ 20:56:42 _ 251.50 K _ A....
"C:\WINDOWS\SYSTEM32\ati2edxx.dll" _ 2006-03-21 _ 20:50:22 _ 41.00 K _ A....
"C:\WINDOWS\SYSTEM32\ati2evxx.dll" _ 2006-03-21 _ 20:50:10 _ 60.00 K _ A....
"C:\WINDOWS\SYSTEM32\ati2evxx.exe" _ 2006-03-21 _ 20:48:56 _ 396.00 K _ A....
"C:\WINDOWS\SYSTEM32\Ati2mdxx.exe" _ 2006-03-21 _ 20:50:30 _ 25.50 K _ A....
"C:\WINDOWS\SYSTEM32\ati3duag.dll" _ 2006-03-21 _ 20:40:12 _ 2.54 M _ A....
"C:\WINDOWS\SYSTEM32\ATIDDC.DLL" _ 2006-03-21 _ 20:48:18 _ 52.00 K _ A....
"C:\WINDOWS\SYSTEM32\ATIDEMGR.dll" _ 2006-03-21 _ 19:38:46 _ 280.00 K _ A....
"C:\WINDOWS\SYSTEM32\atiiiexx.dll" _ 2006-03-21 _ 20:42:24 _ 300.00 K _ A....
"C:\WINDOWS\SYSTEM32\atikvmag.dll" _ 2006-03-21 _ 20:18:34 _ 148.00 K _ A....
"C:\WINDOWS\SYSTEM32\atioglx1.dll" _ 2006-03-21 _ 20:33:02 _ 6.38 M _ A....
"C:\WINDOWS\SYSTEM32\atioglxx.dll" _ 2006-03-21 _ 20:24:30 _ 4.79 M _ A....
"C:\WINDOWS\SYSTEM32\atipdlxx.dll" _ 2006-03-21 _ 20:50:50 _ 112.00 K _ A....
"C:\WINDOWS\SYSTEM32\atitvo32.dll" _ 2006-03-21 _ 20:17:54 _ 17.00 K _ A....
"C:\WINDOWS\SYSTEM32\ativvaxx.dll" _ 2006-03-21 _ 20:33:40 _ 1.08 M _ A....
"C:\WINDOWS\SYSTEM32\mshtml.dll" _ 2006-03-23 _ 13:32:42 _ 2.91 M _ A....
"C:\WINDOWS\SYSTEM32\Oemdspif.dll" _ 2006-03-21 _ 20:50:36 _ 76.00 K _ A....
"C:\WINDOWS\SYSTEM32\shdocvw.dll" _ 2006-03-30 _ 02:16:04 _ 1.42 M _ A....
"C:\WINDOWS\SYSTEM32\SIntf16.dll" _ 2006-05-07 _ 14:02:20 _ 11.78 K _ A....
"C:\WINDOWS\SYSTEM32\SIntf32.dll" _ 2006-05-07 _ 14:02:20 _ 16.81 K _ A....
"C:\WINDOWS\SYSTEM32\SIntfNT.dll" _ 2006-05-07 _ 14:02:20 _ 21.33 K _ A....
"C:\WINDOWS\SYSTEM32\urlmon.dll" _ 2006-03-18 _ 04:09:38 _ 599.00 K _ A....
"C:\WINDOWS\SYSTEM32\xpsp3res.dll" _ 2006-03-29 _ 18:00:14 _ 16.00 K _ A....
"C:\WINDOWS\DIIUnin.exe" _ 2006-05-07 _ 12:25:26 _ 92.00 K _ A....
"C:\WINDOWS\Setup1.exe" _ 2006-05-16 _ 18:04:06 _ 244.00 K _ .....
"C:\WINDOWS\ST6UNST.EXE" _ 2006-05-16 _ 18:04:06 _ 71.50 K _ A....
"C:\Documents and Settings\Me\Application Data\Mozilla" _ 2006-06-12 _ 18:45:20 _ _ .D...

Last edited by anksmashpunk; 06-18-2006 at 10:39 PM.
Old 06-19-2006, 10:28 PM   #10 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,530
OS: WinXP and Vista


Hi,

I'm not seeing anything in these logs. How is your system behaving now?
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 06-19-2006, 10:50 PM   #11 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 17
OS: Windows XP SP2


The only problem I am having now is that ewido is freezing up at precisely 26.1% every time on a fast system scan. At the point at which it freezes, it says currently scanning memory, and below that it says [1912] VM_012B0000.

I have ewido version 3.5 with the newest spyware definitions and such. It's weird because I wasn't having this problem before.

Edit: by the way, ewido works perfectly without freezing if I run it in safe mode.

Here's a new HijackThis log if you need it:

Logfile of HijackThis v1.99.1
Scan saved at 9:51:59 PM, on 06/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATITool\ATITool.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Computer Applications\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Computer Applications\hijack this\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\COMPUT~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATITool] "C:\Program Files\ATI Technologies\ATITool\ATITool.exe" -s
O8 - Extra context menu item: Download All by FlashGet - C:\Computer Applications\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Computer Applications\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\flashget.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Computer Applications\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Computer Applications\ewido anti-malware\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Computer Applications\SiSoft Sandra\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Computer Applications\SiSoft Sandra\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\Script Blocking\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

Last edited by anksmashpunk; 06-19-2006 at 11:01 PM.
Old 06-20-2006, 08:50 AM   #12 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,530
OS: WinXP and Vista


Hello anksmashpunk,

I believe Wareout is still present on this system. Let's see if the following will allow the FixWareout tool to work properly:

Download to your desktop, extract to C:\Windows\system32\ & run this http://homepage.ntlworld.com/spencer...XPProfiles.exe.

Now, run FixWareout again and post the log here please.
Old 06-21-2006, 12:32 AM   #13 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 17
OS: Windows XP SP2


I downloaded XPProfiles and extracted it to system32. Then I ran FixWareout again. Did I miss anything?

Here's the new FixWareout log:


Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM

»»»»» Misc files
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM


locate.com and xfind.com are there in that folder, so I'm not sure why it won't execute them ;\
Old 06-21-2006, 01:19 AM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,322
OS: N/A


Please try this...

Copy both locate.com and xfind.com to the System32 folder. If that still fails to work, we'll have to use an alternate method.
__________________

Question - what have you done for the community today?
Old 06-22-2006, 07:26 PM   #15 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 17
OS: Windows XP SP2


Here is my new FixWareout log:


Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM

»»»»» Misc files
Cannot execute C:\FIXWAREOUT\FINDT\XFIND.COM

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Cannot execute C:\FIXWAREOUT\FINDT\LOCATE.COM
Old 06-22-2006, 11:05 PM   #16 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,322
OS: N/A


Download and run Blacklight

Note that you must have local administrative privileges to run the program.

Click Scan. BlackLight will use Windows Explorer (the desktop process) to scan for hidden items. Your anti-virus software or personal firewall might display a warning that says BlackLight (blbeta.exe) is trying to manipulate the Windows Explorer process (explorer.exe). If you want to continue the scan, you should allow BlackLight to do this.

When it finishes, click Next. You may get a screen similar to the picture below. Click on Close.

BlackLight beta will create a log file "fsbl-<date-and-time>.log". By default, the log file is in the same directory as the executable. Please post the log.

Old 06-23-2006, 10:14 PM   #17 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 17
OS: Windows XP SP2


Here's the log:

06/23/06 20:19:15 [Info]: BlackLight Engine 1.0.41 initialized
06/23/06 20:19:15 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/23/06 20:19:15 [Note]: 7019 4
06/23/06 20:19:15 [Note]: 7005 0
06/23/06 20:19:23 [Note]: 7006 0
06/23/06 20:19:23 [Note]: 7011 1808
06/23/06 20:19:23 [Note]: 7026 0
06/23/06 20:19:24 [Note]: 7026 0
06/23/06 20:19:27 [Note]: FSRAW library version 1.7.1018
06/23/06 21:13:03 [Note]: 7007 0


It didn't find anything.
Old 06-24-2006, 09:00 AM   #18 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,322
OS: N/A


It's a bit consoling that BlackLight came up empty-handed. However, I'm still troubled by FixWareout's log. Tell you what. I'm gonna give you a revised version of FixWareout. Unlike the earlier version, this one will not be dependent on locate.com or xfind.com. Instead it shall use the native executables found in Windows XP.

Download the file attached to this post - fixwareout_revised.for.WinNT.only.zip

Double-clicking the executable within will delete/overwrite the existing folder located at C:\fixwareout\
Follow the prompts & reboot. It shall produce a similar log that you should post back here.

I shall also require a fresh HJT log. Kindly advise me as to how the machine is behaving now.

Last edited by sUBs; 06-25-2006 at 06:27 AM.
Old 06-24-2006, 01:23 PM   #19 (permalink)
Registered User
 
Join Date: Jun 2006
Posts: 17
OS: Windows XP SP2


It seemed to work this time.

Here's the FixWareout log:


Fixwareout ver 1.003
Last edited 04/26/2006
Post this report in the forums please

Reg Entries that were deleted
...

Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is lagitamate

»»»»» Search by size and names...
08/04/2004 03:00 AM 44,032 IPSEC6.EXE
08/04/2004 03:00 AM 4,096 NDDEAPIR.EXE
08/04/2004 03:00 AM 51,200 SYNCAPP.EXE
08/04/2004 03:00 AM 4,096 UNLODCTR.EXE
08/04/2004 03:00 AM 4,096 ACTMOVIE.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal

And here's my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:16:47 PM, on 06/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Computer Applications\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATITool\ATITool.exe
C:\Computer Applications\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\COMPUT~1\FlashGet\jccatch.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATITool] "C:\Program Files\ATI Technologies\ATITool\ATITool.exe" -s
O8 - Extra context menu item: Download All by FlashGet - C:\Computer Applications\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Computer Applications\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\COMPUT~1\FlashGet\flashget.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Computer Applications\Diskeeper\DkService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Computer Applications\ewido anti-malware\ewidoctrl.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Computer Applications\SiSoft Sandra\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Computer Applications\SiSoft Sandra\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\Script Blocking\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


I just tried running ewido again and it didn't freeze, so right now I can't think of a single problem with the way my computer is running :]. Thank you very much.
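The HJT logs in this thread are read by eye; the script below is an added example (not HijackThis or any tool used in the thread) that parses the HJT line format and flags what a helper checks first: entries marked (file missing), Winlogon Notify packages outside the stock XP set, and binaries outside the usual program directories. The sample log is constructed from lines quoted above; the stock-DLL set and the directory heuristic are my assumptions and will also flag legitimate software installed in unusual folders, as the ewido entry shows.

```python
"""Triage helper for HijackThis v1.99 logs such as the ones posted in this thread.

Added example, not HijackThis or any tool used here. The sample log is
constructed from lines quoted in the thread; the "stock Winlogon Notify
DLL" set and the directory heuristic are assumptions and will also flag
legitimate software installed in unusual folders (see the ewido entry).
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the 06/24/2006 HJT log above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 12:16:47 PM, on 06/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATITool] "C:\Program Files\ATI Technologies\ATITool\ATITool.exe" -s
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Computer Applications\ewido anti-malware\ewidoctrl.exe
"""

# Every HJT finding is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# First Windows path to a binary in the body, quoted or not.
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))"?', re.IGNORECASE)

# Assumption: Winlogon Notify packages shipped with a stock XP SP2 install.
# Anything else loads into winlogon.exe at logon and deserves a look.
KNOWN_NOTIFY = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                "sclgntfy.dll", "wlnotify.dll"}
# Assumption: where legitimately installed binaries normally live on this box.
STANDARD_DIRS = (r"c:\program files", r"c:\windows")
# Sections whose body names a binary on disk.
BINARY_SECTIONS = {"O2", "O3", "O4", "O20", "O23"}


@dataclass
class Entry:
    section: str
    body: str
    flags: list = field(default_factory=list)


def parse_hjt(text):
    """Return every finding line as an Entry; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def flag_entry(e):
    """Attach review flags to one entry (mutates and returns it)."""
    if "(file missing)" in e.body:
        e.flags.append("file missing: the registry still points at a file "
                       "that is gone, an orphan from a removed program")
    if e.section == "O20":
        # Body looks like "Winlogon Notify: <name> - <dll> [(file missing)]".
        dll = e.body.split(" - ")[-1].split(" ")[0].lower()
        if dll not in KNOWN_NOTIFY:
            e.flags.append(f"Winlogon Notify package {dll} is not a stock XP DLL")
    m = PATH_RE.search(e.body)
    if m and e.section in BINARY_SECTIONS:
        if not m.group(1).lower().startswith(STANDARD_DIRS):
            e.flags.append("binary lives outside Program Files / Windows; "
                           "confirm it is something you installed")
    return e


def review(text):
    """Parse a log and return only the entries that picked up a flag."""
    return [e for e in map(flag_entry, parse_hjt(text)) if e.flags]


if __name__ == "__main__":
    for e in review(SAMPLE_LOG):
        print(f"{e.section} - {e.body}")
        for f in e.flags:
            print(f"    -> {f}")
```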
Old 06-24-2006, 01:35 PM   #20 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,322
OS: N/A


Do not delete any of these files. All of them are legit.

08/04/2004 03:00 AM 44,032 IPSEC6.EXE
08/04/2004 03:00 AM 4,096 NDDEAPIR.EXE
08/04/2004 03:00 AM 51,200 SYNCAPP.EXE
08/04/2004 03:00 AM 4,096 UNLODCTR.EXE
08/04/2004 03:00 AM 4,096 ACTMOVIE.EXE


I need to test out another theory. Please download & install - HaxFix.EXE.
During installation, please select these options:
  • Create a desktop icon
  • Launch HaxFix
When Haxfix starts, a red DOS window will open.
Select the option to - Make logfile - Type 1 & press 'Enter'.
Haxfix will produce a log for you to post back here.
 


Copyright 2001 - 2009, Tech Support Forum