|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
07-07-2005, 05:05 PM
|
#1 (permalink) |
|
Member
Join Date: Jul 2005
Posts: 22
OS: xp
|
w32.desktophijack virus
I was told to come here for help...I hope someone could help me. I have tried so much to try to delete this w32.desktophijack virus attached to my wininet.dll file. I shut down my system restore, updated my norton utilities with live update, scanned the computer and found that file and nnet.exe which has the trojan.desktophijack.B virus also. They were not able to be deleted or quarentined. I then went to download another version of wininet.dll and replace the infected virus and it told me the file was password protected and could not be deleted. I have tried everything and still can not delete this virus. Please help...This is my log:
Logfile of HijackThis v1.99.1 Scan saved at 7:59:18 PM, on 7/7/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\windows\system\hpsysdrv.exe C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe C:\WINDOWS\System32\hphmon05.exe C:\HP\KBD\KBD.EXE C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\WINDOWS\ALCXMNTR.EXE C:\WINDOWS\LTMSG.exe C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe C:\Program Files\Microsoft Money\System\mnyexpr.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\System32\hookdump.exe C:\Program Files\interMute\PopSubtract\PopSub.exe C:\Program Files\interMute\SpamSubtract\SpamSub.exe C:\WINDOWS\webshots.scr C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Roxio\GoBack\GBPoll.exe C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7 O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe O4 - Startup: AutoTBar.exe O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe |
|
     |
| Sponsored Links |
|
07-08-2005, 01:26 AM
|
#2 (permalink) |
|
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,965
OS: Windows XP-Pro SP2
  |
Download smitRem.zip and save the file to your desktop.
Right click on the file and extract it to it's own folder on the desktop. Place a shortcut to Panda ActiveScan on your desktop. Please download the trial version of Ewido Security Suite here: http://www.ewido.net/en/download/ Please read Ewido Setup Instructions Install it, and update the definitions to the newest files. Do NOT run a scan yet. If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates: Ad-Aware SE Setup Don't run it yet! Next, please reboot your computer in SafeMode by doing the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish. Open Ad-aware and do a full scan. Remove all it finds. Run Ewido:
Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present. Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked! Save the scan log and post it along with a new HijackThis Log and the Ewido Log by using Add Reply. Let us know if any problems persist.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
   Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder |
|
|
|
|
07-08-2005, 01:07 PM
|
#3 (permalink) |
|
Member
Join Date: Jul 2005
Posts: 22
OS: xp
|
OK...I did what you said and now I have a white screen and I can not go to my display options. The good news is that the virus is no longer atached to my wininet.dll file...Thanks for that...what can I do to fix my desktop???
You guys are awesome...thanks... here are my logs... Logfile of HijackThis v1.99.1 Scan saved at 1  37 PM, on 7/8/2005Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe C:\WINDOWS\explorer.exe C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdocsv.dll/blank.htm R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://shdocsv.dll/asst.htm R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7 O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [intel32.exe] C:\WINDOWS\System32\intel32.exe O4 - HKLM\..\Run: [Fast Start] C:\WINDOWS\system32\svcnt.exe home O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe ewido security suite - Scan report --------------------------------------------------------- + Created on: 2:31:13 PM, 7/8/2005 + Report-Checksum: DB25F73 + Scan result: C:\Documents and Settings\Default User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-4e340213-457b0654.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup C:\Documents and Settings\Default User\Cookies\owner@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup C:\Documents and Settings\Default User\Cookies\owner@hekate.porntrack[1].txt -> Spyware.Cookie.Porntrack : Cleaned with backup C:\Documents and Settings\Default User\Local Settings\Temp\p2psetup.exe -> Spyware.P2PNetworking : Cleaned with backup C:\Documents and Settings\Default User\Local Settings\Temp\temp.fr5D4E\mybar\1.bin\MYBAR.DLL -> Spyware.MyWay : Cleaned with backup C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup C:\Program Files\Internet Explorer\ggntcrid.exe -> TrojanDownloader.Agent.eq : Cleaned with backup C:\Program Files\Online Services\AOL90US\comps\coach\aolcinst.exe/.\Data\player\aolnysev.exe -> Heuristic.Win32.Hijacker1 : Cleaned with backup C:\RECYCLER\NPROTECT\00186920.exe -> TrojanDownloader.Small.bbc : Cleaned with backup C:\RECYCLER\NPROTECT\00187467.TXT -> Spyware.Cookie.2o7 : Cleaned with backup C:\RECYCLER\NPROTECT\00187470.TXT -> Spyware.Cookie.Addynamix : Cleaned with backup C:\RECYCLER\NPROTECT\00187471.TXT -> Spyware.Cookie.Pointroll : Cleaned with backup C:\RECYCLER\NPROTECT\00187473.TXT -> Spyware.Cookie.Adtech : Cleaned with backup C:\RECYCLER\NPROTECT\00187474.TXT -> Spyware.Cookie.Advertising : Cleaned with backup C:\RECYCLER\NPROTECT\00187476.TXT -> Spyware.Cookie.Falkag : Cleaned with backup C:\RECYCLER\NPROTECT\00187477.TXT -> Spyware.Cookie.Atdmt : Cleaned with backup C:\RECYCLER\NPROTECT\00187478.TXT -> Spyware.Cookie.Bfast : Cleaned with backup C:\RECYCLER\NPROTECT\00187479.TXT -> Spyware.Cookie.Bluestreak : Cleaned with backup C:\RECYCLER\NPROTECT\00187481.TXT -> Spyware.Cookie.Serving-sys : Cleaned with backup C:\RECYCLER\NPROTECT\00187484.TXT -> Spyware.Cookie.Centrport : Cleaned with backup C:\RECYCLER\NPROTECT\00187492.TXT -> Spyware.Cookie.Bridgetrack : Cleaned with backup C:\RECYCLER\NPROTECT\00187494.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187495.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187496.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187497.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187498.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187499.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187500.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187501.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187502.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187503.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187504.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187505.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187506.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187507.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187508.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187509.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187511.TXT -> Spyware.Cookie.Coremetrics : Cleaned with backup C:\RECYCLER\NPROTECT\00187512.TXT -> Spyware.Cookie.Doubleclick : Cleaned with backup C:\RECYCLER\NPROTECT\00187513.TXT -> Spyware.Cookie.Ru4 : Cleaned with backup C:\RECYCLER\NPROTECT\00187514.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup C:\RECYCLER\NPROTECT\00187515.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup C:\RECYCLER\NPROTECT\00187516.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup C:\RECYCLER\NPROTECT\00187518.TXT -> Spyware.Cookie.Fastclick : Cleaned with backup C:\RECYCLER\NPROTECT\00187521.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup C:\RECYCLER\NPROTECT\00187522.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup C:\RECYCLER\NPROTECT\00187523.TXT -> Spyware.Cookie.Hotlog : Cleaned with backup C:\RECYCLER\NPROTECT\00187524.TXT -> Spyware.Cookie.Linksynergy : Cleaned with backup C:\RECYCLER\NPROTECT\00187528.TXT -> Spyware.Cookie.Mediaplex : Cleaned with backup C:\RECYCLER\NPROTECT\00187529.TXT -> Spyware.Cookie.Overture : Cleaned with backup C:\RECYCLER\NPROTECT\00187530.TXT -> Spyware.Cookie.Paycounter : Cleaned with backup C:\RECYCLER\NPROTECT\00187531.TXT -> Spyware.Cookie.Overture : Cleaned with backup C:\RECYCLER\NPROTECT\00187533.TXT -> Spyware.Cookie.Questionmarket : Cleaned with backup C:\RECYCLER\NPROTECT\00187536.TXT -> Spyware.Cookie.Advertising : Cleaned with backup C:\RECYCLER\NPROTECT\00187538.TXT -> Spyware.Cookie.Serving-sys : Cleaned with backup C:\RECYCLER\NPROTECT\00187539.TXT -> Spyware.Cookie.Sexlist : Cleaned with backup C:\RECYCLER\NPROTECT\00187540.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187541.TXT -> Spyware.Cookie.Spylog : Cleaned with backup C:\RECYCLER\NPROTECT\00187543.TXT -> Spyware.Cookie.Webtrendslive : Cleaned with backup C:\RECYCLER\NPROTECT\00187544.TXT -> Spyware.Cookie.Targetnet : Cleaned with backup C:\RECYCLER\NPROTECT\00187545.TXT -> Spyware.Cookie.Tradedoubler : Cleaned with backup C:\RECYCLER\NPROTECT\00187546.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup C:\RECYCLER\NPROTECT\00187547.TXT -> Spyware.Cookie.Tribalfusion : Cleaned with backup C:\RECYCLER\NPROTECT\00187548.TXT -> Spyware.Cookie.Valueclick : Cleaned with backup C:\RECYCLER\NPROTECT\00187549.TXT -> Spyware.Cookie.Weborama : Cleaned with backup C:\RECYCLER\NPROTECT\00187552.TXT -> Spyware.Cookie.Xxxcounter : Cleaned with backup C:\RECYCLER\NPROTECT\00187553.TXT -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup C:\RECYCLER\NPROTECT\00187554.TXT -> Spyware.Cookie.Adserver : Cleaned with backup C:\RECYCLER\NPROTECT\00187557.TXT -> Spyware.Cookie.2o7 : Cleaned with backup C:\RECYCLER\NPROTECT\00187560.TXT -> Spyware.Cookie.Addynamix : Cleaned with backup C:\RECYCLER\NPROTECT\00187561.TXT -> Spyware.Cookie.Pointroll : Cleaned with backup C:\RECYCLER\NPROTECT\00187563.TXT -> Spyware.Cookie.Adtech : Cleaned with backup C:\RECYCLER\NPROTECT\00187564.TXT -> Spyware.Cookie.Advertising : Cleaned with backup C:\RECYCLER\NPROTECT\00187566.TXT -> Spyware.Cookie.Falkag : Cleaned with backup C:\RECYCLER\NPROTECT\00187567.TXT -> Spyware.Cookie.Atdmt : Cleaned with backup C:\RECYCLER\NPROTECT\00187568.TXT -> Spyware.Cookie.Bfast : Cleaned with backup C:\RECYCLER\NPROTECT\00187569.TXT -> Spyware.Cookie.Bluestreak : Cleaned with backup C:\RECYCLER\NPROTECT\00187571.TXT -> Spyware.Cookie.Serving-sys : Cleaned with backup C:\RECYCLER\NPROTECT\00187574.TXT -> Spyware.Cookie.Centrport : Cleaned with backup C:\RECYCLER\NPROTECT\00187582.TXT -> Spyware.Cookie.Bridgetrack : Cleaned with backup C:\RECYCLER\NPROTECT\00187584.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187585.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187586.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187587.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187588.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187589.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187590.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187591.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187592.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187593.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187594.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187595.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187596.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187597.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187598.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187599.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187601.TXT -> Spyware.Cookie.Coremetrics : Cleaned with backup C:\RECYCLER\NPROTECT\00187602.TXT -> Spyware.Cookie.Doubleclick : Cleaned with backup C:\RECYCLER\NPROTECT\00187603.TXT -> Spyware.Cookie.Ru4 : Cleaned with backup C:\RECYCLER\NPROTECT\00187604.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup C:\RECYCLER\NPROTECT\00187605.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup C:\RECYCLER\NPROTECT\00187606.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup C:\RECYCLER\NPROTECT\00187608.TXT -> Spyware.Cookie.Fastclick : Cleaned with backup C:\RECYCLER\NPROTECT\00187611.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup C:\RECYCLER\NPROTECT\00187612.TXT -> Spyware.Cookie.Hitbox : Cleaned with backup C:\RECYCLER\NPROTECT\00187613.TXT -> Spyware.Cookie.Hotlog : Cleaned with backup C:\RECYCLER\NPROTECT\00187614.TXT -> Spyware.Cookie.Linksynergy : Cleaned with backup C:\RECYCLER\NPROTECT\00187618.TXT -> Spyware.Cookie.Mediaplex : Cleaned with backup C:\RECYCLER\NPROTECT\00187619.TXT -> Spyware.Cookie.Overture : Cleaned with backup C:\RECYCLER\NPROTECT\00187620.TXT -> Spyware.Cookie.Paycounter : Cleaned with backup C:\RECYCLER\NPROTECT\00187621.TXT -> Spyware.Cookie.Overture : Cleaned with backup C:\RECYCLER\NPROTECT\00187623.TXT -> Spyware.Cookie.Questionmarket : Cleaned with backup C:\RECYCLER\NPROTECT\00187626.TXT -> Spyware.Cookie.Advertising : Cleaned with backup C:\RECYCLER\NPROTECT\00187628.TXT -> Spyware.Cookie.Serving-sys : Cleaned with backup C:\RECYCLER\NPROTECT\00187629.TXT -> Spyware.Cookie.Sexlist : Cleaned with backup C:\RECYCLER\NPROTECT\00187630.TXT -> Spyware.Cookie.Sextracker : Cleaned with backup C:\RECYCLER\NPROTECT\00187631.TXT -> Spyware.Cookie.Spylog : Cleaned with backup C:\RECYCLER\NPROTECT\00187633.TXT -> Spyware.Cookie.Webtrendslive : Cleaned with backup C:\RECYCLER\NPROTECT\00187634.TXT -> Spyware.Cookie.Targetnet : Cleaned with backup C:\RECYCLER\NPROTECT\00187635.TXT -> Spyware.Cookie.Tradedoubler : Cleaned with backup C:\RECYCLER\NPROTECT\00187636.TXT -> Spyware.Cookie.Trafficmp : Cleaned with backup C:\RECYCLER\NPROTECT\00187637.TXT -> Spyware.Cookie.Tribalfusion : Cleaned with backup C:\RECYCLER\NPROTECT\00187638.TXT -> Spyware.Cookie.Valueclick : Cleaned with backup C:\RECYCLER\NPROTECT\00187639.TXT -> Spyware.Cookie.Weborama : Cleaned with backup C:\RECYCLER\NPROTECT\00187642.TXT -> Spyware.Cookie.Xxxcounter : Cleaned with backup C:\RECYCLER\NPROTECT\00187643.TXT -> Spyware.Cookie.Xxxtoolbar : Cleaned with backup C:\RECYCLER\NPROTECT\00187644.TXT -> Spyware.Cookie.Adserver : Cleaned with backup C:\WINDOWS\AIJLFJH.ini:jejzc -> TrojanDownloader.Agent.db : Cleaned with backup C:\WINDOWS\Downloaded Program Files\ActiveSecurity.ocx -> Not-A-Virus.VirTool.Collector : Cleaned with backup C:\WINDOWS\Downloaded Program Files\CONFLICT.1\wladesk99x.exe -> Dialer.Generic : Cleaned with backup C:\WINDOWS\Downloaded Program Files\ggntcrid.exe -> TrojanDownloader.Agent.eq : Cleaned with backup C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> TrojanDownloader.WebP2PInstaller : Cleaned with backup C:\WINDOWS\Downloaded Program Files\wladesk99x.exe -> Dialer.Generic : Cleaned with backup C:\WINDOWS\Downloaded Program Files\ZangoLib.dll -> Spyware.180Solutions : Cleaned with backup C:\WINDOWS\gds5.dll -> TrojanDownloader.Small.azf : Cleaned with backup C:\WINDOWS\ieyb32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup C:\WINDOWS\KPAPI32.DLL:anaci -> TrojanDownloader.Agent.db : Cleaned with backup C:\WINDOWS\mdm.ini:wizbs -> TrojanDownloader.Agent.ap : Cleaned with backup C:\WINDOWS\NDNuninstall6_22.exe -> Spyware.NewDotNet : Cleaned with backup C:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet : Cleaned with backup C:\WINDOWS\rblky.sys:merif -> TrojanDownloader.Agent.db : Cleaned with backup C:\WINDOWS\system32\config\systemprofile\Cookies\owner@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup C:\WINDOWS\system32\config\systemprofile\Cookies\owner@hekate.porntrack[1].txt -> Spyware.Cookie.Porntrack : Cleaned with backup ::Report End Incident Status Location Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\cdmxtras Adware:Adware/MyWay No disinfected C:\Program Files\MyWay Spyware:Spyware/ISTbar No disinfected C:\Program Files\Common Files\Totem Shared Adware:Adware/KeenValue No disinfected C:\Program Files\Common Files\SearchUpgrader Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\wupdsnff.exe Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Owner\Application Data\tvm*.dll Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Owner\Application Data\Lycos Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.??? Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys Adware:Adware/TopSpyware No disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp Spyware:Spyware/RXToolbar No disinfected C:\Program Files\RXToolBar Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Default User\Local Settings\Temp\obie.exe Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\ODAVG5YR\dd[1].exe Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll Spyware:Spyware/BetterInet No disinfected C:\Program Files\Common Files\SearchUpgrader\system.cfg Adware:Adware/TopSpyware No disinfected C:\Program Files\Windows Media Player\wmplayer.exe.tmp Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.ini Adware:Adware/KeenValue No disinfected C:\WINDOWS\browserxtras\pn\remove.exe Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\wupdsnff.exe |
|
|
|
|
07-09-2005, 02:56 AM
|
#5 (permalink) |
|
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,420
OS: XP SP2
|
Download KillBox http://www.greyknight17.com/spy/KillBox.exe.
Reboot into Safe Mode Go into Add/Remove and uninstall the following if they exist: MyWay TVMedia RXToolbar SideSearch Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - Choose YES when informs you the file will be deleted on Reboot. Choose NO when it asks if you want to reboot): C:\WINDOWS\System32\hookdump.exe C:\WINDOWS\cdmxtras C:\Program Files\MyWay C:\Program Files\Common Files\Totem Shared C:\Program Files\Common Files\SearchUpgrader C:\WINDOWS\wupdsnff.exe C:\Documents and Settings\Owner\Application Data\tvm*.dll C:\Documents and Settings\Owner\Application Data\Lycos C:\WINDOWS\alchem.??? C:\WINDOWS\smdat32m.sys C:\Program Files\Windows Media Player\wmplayer.exe.tmp No disinfected C:\Program Files\RXToolBar C:\Documents and Settings\Default User\Local Settings\Temp\obie.exe C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\ODAVG5YR\dd[1].exe C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll C:\Program Files\Common Files\SearchUpgrader\system.cfg C:\Program Files\Windows Media Player\wmplayer.exe.tmp C:\WINDOWS\alchem.ini C:\WINDOWS\browserxtras\pn\remove.exe C:\WINDOWS\inf\alchem.inf C:\WINDOWS\smdat32m.sys C:\WINDOWS\wupdsnff.exe Return the Normal Mode and run a New Panda Scan and a new HJT scan and post the results from both in your next post.
__________________
  |
|
|
|
|
07-09-2005, 09:55 AM
|
#6 (permalink) |
|
Member
Join Date: Jul 2005
Posts: 22
OS: xp
|
OK..Everything is still the same...
I did not have any of the options you told me to delete using killbox that had "documents and settings thatr started it. the options were not listed in my directories. I also did not have any of those options to add/remove in the first step. Also, should I fix problems when I do the hijackthis scan? here are my scan files: Incident Status Location Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\cdmxtras Adware:Adware/KeenValue No disinfected C:\Program Files\Common Files\SearchUpgrader Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Owner\Application Data\tvm*.dll Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Owner\Application Data\Lycos Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.in? Spyware:Spyware/RXToolbar No disinfected C:\Program Files\RXToolBar Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Default User\Local Settings\Temp\obie.exe Adware:Adware/Antivirus-gold No disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\ODAVG5YR\dd[1].exe Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf Logfile of HijackThis v1.99.1 Scan saved at 12:50:17 PM, on 7/9/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\windows\system\hpsysdrv.exe C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe C:\WINDOWS\System32\hphmon05.exe C:\HP\KBD\KBD.EXE C:\WINDOWS\ALCXMNTR.EXE C:\WINDOWS\LTMSG.exe C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Microsoft Money\System\mnyexpr.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\interMute\PopSubtract\PopSub.exe C:\Program Files\interMute\SpamSubtract\SpamSub.exe C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe C:\WINDOWS\webshots.scr C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Roxio\GoBack\GBPoll.exe C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\Owner\Desktop\virus fix\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7 O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: AutoTBar.exe O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe |
|
|
|
|
07-09-2005, 03:53 PM
|
#7 (permalink) |
|
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,965
OS: Windows XP-Pro SP2
|
Ok...lets try to correct this..
First, download and install CleanUp! but do not run it yet. *NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. Download the file located here.. http://www.bleepingcomputer.com/files/reg/smitfraud.reg Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: *Click "Options..." *Move the arrow down to "Custom CleanUp!" *Put a check next to the following:
Press the CleanUp! button to start the program. Reboot/logoff when prompted. Reboot into safe mode Run hijackthis and fix the following entrys.. R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/ R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us10.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us10.hpwis.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us10.hpwis.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us10.hpwis.com/ O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) Now run that smitfraud.reg file I had you download. Allow it to merge into the registry. C:\Program Files\Common Files\SearchUpgrader <--delete that folder C:\Program Files\RXToolBar <--delete that folder Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. C:\WINDOWS\cdmxtras C:\Documents and Settings\Owner\Application Data\tvm*.dll C:\WINDOWS\inf\alchem.in? C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll C:\WINDOWS\inf\alchem.inf **Note** After we run this pass I want you to check the Application Data folder. Delete anything that begins with tvm I also need you to search for any of the following files and delete them as well.. alchem.cab ALCHEM.EXE alchem.inf ALCHEM.INI Again..delete anything that begins with alchem Once back to normal windows....run the smitfraud.reg file again. Next go to Control Panel click Display > Desktop > Customize Desktop > Website > Uncheck "Security Info" if present. Then post another Panda scan log and an Ewido log..and let me know if you can change your desktop background and post the log from the following tool. Download Silent runners.Vbs http://www.silentrunners.org/ 1. Make sure you have any script blocking software disabled 2. Run the program. It will take a few minutes to complete. 3. Once complete it will produce a log named “StartupPrograms” with Your user and date in the filename. Open that txt file and posts it contents in your next post.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder |
|
|
|
|
07-10-2005, 08:13 PM
|
#8 (permalink) |
|
Member
Join Date: Jul 2005
Posts: 22
OS: xp
|
Well, my desktop is back to normal. When I click on my menus, the windows are still looking the same way my desktop did before. I don't know if you have an idea for that....but, thanks for all of your help////you really helped me a lot. Here are the scans:
--------------------------------------------------------- ewido security suite - Scan report --------------------------------------------------------- + Created on: 8:14:13 PM, 7/10/2005 + Report-Checksum: 781D5CFA + Scan result: No infected objects found. ::Report End Incident Status Location Spyware:Spyware/Cydoor No disinfected C:\WINDOWS\cdmxtras Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Owner\Application Data\tvm*.dll Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Owner\Application Data\Lycos Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.in? Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll Spyware:Spyware/TVMedia No disinfected C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf "Silent Runners.vbs", revision 39, http://www.silentrunners.org/ Operating System: Windows XP Output limited to non-default values, except where indicated by "{++}" Startup items buried in registry: --------------------------------- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "RecordNow!" = (empty string) "NVIEW" = "rundll32.exe nview.dll,nViewLoadHook" [MS] "MoneyAgent" = ""C:\Program Files\Microsoft Money\System\mnyexpr.exe"" [MS] "MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++} "hpsysdrv" = "c:\windows\system\hpsysdrv.exe" ["Hewlett-Packard Company"] "HotKeysCmds" = "C:\WINDOWS\System32\hkcmd.exe" ["Intel Corporation"] "CamMonitor" = "c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe" [empty string] "HPHUPD05" = "C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" ["Hewlett-Packard"] "HPHmon05" = "C:\WINDOWS\System32\hphmon05.exe" ["Hewlett-Packard"] "KBD" = "C:\HP\KBD\KBD.EXE" ["Hewlett-Packard Company"] "UpdateManager" = ""C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r" ["Sonic Solutions"] "TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."] "AutoTKit" = "C:\hp\bin\AUTOTKIT.EXE" [null data] "Recguard" = "C:\WINDOWS\SMINST\RECGUARD.EXE" [empty string] "VTTimer" = "VTTimer.exe" ["S3 Graphics, Inc."] "AlcxMonitor" = "ALCXMNTR.EXE" ["Realtek Semiconductor Corp."] "LTMSG" = "LTMSG.exe 7" ["Agere Systems"] "PS2" = "C:\WINDOWS\system32\ps2.exe" ["Hewlett-Packard Company"] "Sunkist2k" = "C:\Program Files\Multimedia Card Reader\shwicon2k.exe" ["Alcor Micro, Corp."] "Lexmark X1100 Series" = ""C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"" ["Lexmark International, Inc."] "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"] "ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"] "GhostStartTrayApp" = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" ["Symantec Corporation"] "Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"] "SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"] "QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."] "iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."] HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"] {BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\ "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."] "{19CC43A1-6925-4B48-B292-830291F393A6}" = "HPNSView" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\HP\Digital Imaging\bin\hpdns_01.dll" [empty string] "{DEE12703-6333-4D4E-8F34-738C4DCC2E04}" = "RecordNow! SendToExt" -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\RecordNow!\shlext.dll" ["Sonic Solutions"] "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshellext.dll" ["RealNetworks"] "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\Office\MLSHEXT.DLL" [MS] "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MI1933~1\Office\OLKFSTUB.DLL" [MS] "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS] "{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"] "{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu" -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"] "{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton Ghost\GhoShExt.dll" ["Symantec Corporation"] "{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"] HKLM\Software\Classes\PROTOCOLS\Filter\ INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS] HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] Active Desktop and Wallpaper: ----------------------------- Active Desktop is disabled at this entry: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState HKCU\Control Panel\Desktop\ "Wallpaper" = "C:\WINDOWS\Webshots for Owner.bmp" Enabled Screen Saver: --------------------- HKCU\Control Panel\Desktop\ "SCRNSAVE.EXE" = "C:\WINDOWS\webshots.scr" ["Webshots.com"] Autostart via AUTORUN.INF on local fixed drives: ------------------------------------------------ D:\ INFECTION WARNING! D:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"] Startup items in "Owner" & "All Users" startup folders: ------------------------------------------------------- C:\Documents and Settings\Owner\Start Menu\Programs\Startup "spamsubtract" -> shortcut to: "C:\Program Files\interMute\SpamSubtract\SpamSub.exe" ["interMute, Inc."] "Webshots" -> shortcut to: "C:\Program Files\Webshots\Launcher.exe /t" [null data] C:\Documents and Settings\All Users\Start Menu\Programs\Startup "GoBack" -> shortcut to: "C:\Program Files\Roxio\GoBack\GBTray.exe" ["Roxio, Inc."] "Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS] "PopSubtract" -> shortcut to: "C:\Program Files\interMute\PopSubtract\PopSub.exe" ["interMute, Inc."] "Updates from HP" -> shortcut to: "C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe -startup" [null data] Enabled Scheduled Tasks: ------------------------ "Easy Internet Sign-up" -> launches: "C:\Program Files\Easy Internet signup\HPSdpApp.exe /remind" ["Hewlett-Packard"] "Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"] "Norton SystemWorks One Button Checkup" -> launches: "C:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"] "Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"] Winsock2 Service Provider DLLs: ------------------------------- Namespace Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++} 000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] 000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS] 000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS] Transport Service Providers HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++} 0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range: SpSubLSP.dll ["interMute, Inc."] , 01 - 05, 11 %SystemRoot%\system32\mswsock.dll [MS], 06 - 08, 12 - 21 %SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10 Toolbars, Explorer Bars, Extensions: ------------------------------------ Toolbars HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ "{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" = "HP View" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll" ["Hewlett-Packard Company"] HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ "{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" = "HP View" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll" ["Hewlett-Packard Company"] "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] HKLM\Software\Microsoft\Internet Explorer\Toolbar\ "{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}" = "HP View" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll" ["Hewlett-Packard Company"] "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"] Explorer Bars HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\ {8F4902B6-6C04-4ADE-8052-AA58578A21BD}\ = "hp view" [from CLSID] -> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS] Extensions (Tools menu items, main toolbar menu buttons) HKLM\Software\Microsoft\Internet Explorer\Extensions\ {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\ "MenuText" = "Sun Java Console" "CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" {92780B25-18CC-41C8-B9BE-3C9C571A8263}\ "ButtonText" = "Research" {FB5F1910-F110-11D2-BB9E-00C04F795683}\ "ButtonText" = "Messenger" "MenuText" = "Messenger" "Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS] Miscellaneous IE Hijack Points ------------------------------ C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings") Added lines (compared with English-language version): [Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome Missing lines (compared with English-language version): [Strings]: 1 line Running Services (Display Name, Service Name, Path {Service DLL}): ------------------------------------------------------------------ ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"] GBPoll, GBPoll, "C:\Program Files\Roxio\GoBack\GBPoll.exe" ["Roxio, Inc."] GhostStartService, GhostStartService, "C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE" ["Symantec Corporation"] iPod Service, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."] LexBce Server, LexBceS, "C:\WINDOWS\system32\LEXBCES.EXE" ["Lexmark International, Inc."] Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"] Norton Unerase Protection, NProtectService, ""C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE"" ["Symantec Corporation"] Speed Disk service, Speed Disk service, "C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe" ["Symantec Corporation"] Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"] ---------- + This report excludes default entries except where indicated. + To see *everywhere* the script checks and *everything* it finds, launch it from a command prompt or a shortcut with the -all parameter. + To search all directories of local fixed drives for DESKTOP.INI DLL launch points and all Registry CLSIDs for dormant Explorer Bars, use the -supp parameter or answer "Yes" at the first message box. ---------- (total run time: 118 seconds, including 18 seconds for message boxes) |
|
|
|
|
07-11-2005, 12:20 AM
|
#9 (permalink) |
|
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,965
OS: Windows XP-Pro SP2
|
Right click on your desktop>>> properties and and under the "themes" tad WindowsXP should be present again. Check the "Appearance" tab and WindowsXP Style should also be present. Select each..click apply..then ok. See if that fixs your menu problem.
Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then create a new restore point. Reboot into safe mode. Delete the following files/folders. C:\WINDOWS\cdmxtras C:\Documents and Settings\Owner\Application Data\tvm*.dll C:\Documents and Settings\Owner\Application Data\Lycos C:\WINDOWS\inf\alchem.in? C:\Documents and Settings\Owner\Application Data\tvmcwrd.dll C:\Documents and Settings\Owner\Application Data\tvmknwrd.dll C:\WINDOWS\inf\alchem.inf Add to this any of those files I listed in my last post. After you delete these confirm they are gone. **Note** If any of those files give you an "Access Denied" error when trying to delete...use KILLBOX...using my previous instructions. Now run the Cleanup utility and reboot/logoff when prompted. Once back to normal windows....confirm again...those files are gone. I want to see if something is putting them back. Run another Panda scan and post it's log along with a hijackthis log. I also need you locate this file..info.exe (looks like it's on D: drive) and upload it to http://www.kaspersky.com/scanforvirus and scan it. Report the findings.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder Last edited by MicroBell; 07-11-2005 at 12:22 AM. |
|
|
|
|
07-11-2005, 02:01 PM
|
#10 (permalink) |
|
Member
Join Date: Jul 2005
Posts: 22
OS: xp
|
Awesome....windows are back to normal also now...thanks...
Those files were deleted fine this time...I did not see them before because the files were hidden... Thanks again... Here are the files.... Logfile of HijackThis v1.99.1 Scan saved at 2:44:39 PM, on 7/11/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\LEXPPS.EXE C:\windows\system\hpsysdrv.exe C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe C:\WINDOWS\System32\hphmon05.exe C:\HP\KBD\KBD.EXE C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\WINDOWS\ALCXMNTR.EXE C:\WINDOWS\LTMSG.exe C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Microsoft Money\System\mnyexpr.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\interMute\PopSubtract\PopSub.exe C:\Program Files\interMute\SpamSubtract\SpamSub.exe C:\WINDOWS\webshots.scr C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Roxio\GoBack\GBPoll.exe C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\wuauclt.exe C:\Documents and Settings\Owner\Desktop\virus fix\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7 O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe |
|
|
|
|
07-11-2005, 02:57 PM
|
#11 (permalink) |
|
Moderator, Microsoft Support
Join Date: Jul 2004
Location: United Kingdom
Posts: 6,420
OS: XP SP2
|
Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click 'Kill process' for each one if they are still listed (they shouldn't be - but double check):
C:\WINDOWS\ALCXMNTR.EXE Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: ALCXMNTR.EXE <<Search and delete this file. Restart and run a new HijackThis scan. Save the log file and post it here. Please run an online virus scan at Panda ActiveScan. Save the results and bring them with you in your next post.
__________________
|
|
|
|
|
07-12-2005, 07:48 AM
|
#12 (permalink) |
|
Member
Join Date: Jul 2005
Posts: 22
OS: xp
|
I found those files and deleted them. I have attatched the hijackthis file. I also did a Panda Scan and no viruses were found so there was nothing to save and log here...
Logfile of HijackThis v1.99.1 Scan saved at 9:23:44 AM, on 7/12/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\LEXPPS.EXE C:\windows\system\hpsysdrv.exe C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe C:\WINDOWS\System32\hphmon05.exe C:\HP\KBD\KBD.EXE C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe C:\WINDOWS\LTMSG.exe C:\Program Files\Multimedia Card Reader\shwicon2k.exe C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Microsoft Money\System\mnyexpr.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\interMute\PopSubtract\PopSub.exe C:\Program Files\interMute\SpamSubtract\SpamSub.exe C:\WINDOWS\webshots.scr C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Roxio\GoBack\GBPoll.exe C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\iPod\bin\iPodService.exe C:\Documents and Settings\Owner\Desktop\virus fix\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [VTTimer] VTTimer.exe O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7 O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe O4 - Global Startup: GoBack.lnk = C:\Program Files\Roxio\GoBack\GBTray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe |
|
|
|
|
07-12-2005, 10:18 AM
|
#13 (permalink) |
|
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 23,238
OS: N/A
|
Your log is clean.
Do you have any more problems with your computer? If not, you should be set to go. However, there still remains a few bits of housekeeping ... Reset hidden/system files and folders
Clear Java Cache
Follow the instructions outlined here to clear Sun Java's cache. Create a new System Restore point
Enable Windows Auto Update
Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
If you do not have a firewall, here are 3 free ones available for personal use: In light of your recent hiccup, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles Have a safe & happy computing day. Please respond to this thread one more time so we can mark this thread as resolved.
__________________
|
|
|
|
| Thread Tools | |
|
|
