|
|
|
|
|||||
|
|
|
|
|
|
|||
| Welcome
to Tech Support Forum home to more then 136,000 problems solved. Issues
have included: Spyware, Malware, Virus Issues, Windows, Microsoft,
Linux, Networking, Security, Hardware, and Gaming Getting your
problem solved is as easy as: 1. Registering for a free account 2. Asking your question 3. Receiving an answer Registered members: * See fewer ads. * And much more..
|
| Want to know how to post a question? click here | Having problems with spyware and pop-ups? First Steps |
|
|||||||
| Resolved HJT Threads Resolved spyware and popup issues. |
|
|
LinkBack | Thread Tools |
08-17-2005, 06:45 PM
|
#1 (permalink) |
|
Registered User
Join Date: Aug 2005
Posts: 11
OS: xp
|
searchweb2 problems!
Can someone have a look at this hjt log file and tell me what I need to delete to be rid of this dam search bar.
Thanks in advance. Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Archivos de programa\Norton SystemWorks\Password Manager\AcctMgr.exe C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe C:\Archivos de programa\QuickTime\qttask.exe C:\Archivos de programa\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe C:\ARCHIV~1\NORTON~1\NORTON~4\GHOSTS~2.EXE C:\Palm\HOTSYNC.EXE C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe C:\ARCHIV~1\NORTON~1\NORTON~2\NPROTECT.EXE C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe C:\ARCHIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\system32\ntvdm.exe c:\archiv~1\intern~1\iexplore.exe c:\archiv~1\intern~1\iexplore.exe C:\Archivos de programa\LimeWire\LimeWire.exe C:\Archivos de programa\Internet Explorer\iexplore.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mlcnmxdflxscpewqffx.com/c...2ywPUX7jEX.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {9B9C1A38-4D47-EC38-7162-310B1A1FDFD8} - (no file) O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll O2 - BHO: (no name) - {C05FEF9E-D099-E860-275B-2AEDDECA4714} - C:\DOCUME~1\ADMINI~1\DATOSD~1\16DOES~1\BoldRegs.exe O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [AcctMgr] C:\Archivos de programa\Norton SystemWorks\Password Manager\AcctMgr.exe /startup O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [rect dale joy bone] C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\Support about.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [five name] C:\DOCUME~1\ADMINI~1\DATOSD~1\INFOBR~1\Extra Load.exe O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/inflaterball...GameLoader.dll O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2809eb71...dxIE601_es.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093050483796 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab O16 - DPF: {8E65B894-C2E9-11D5-BCD3-00E018987609} - http://09.sharedsource.org/cabs/milesdejuegosmx.cab O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/p...z4/install.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab30149.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab28578.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~4\GHOSTS~2.EXE O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\NPROTECT.EXE O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe Help 
Last edited by MexicanToffee; 08-17-2005 at 06:46 PM. |
|
     |
| Sponsored Links |
|
08-18-2005, 02:34 AM
|
#2 (permalink) |
|
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,965
OS: Windows XP-Pro SP2
  |
Hi and Welcome to TSF
Please post the entire log! You cut the top portion off. Before attacking an adware/spyware problem with hijackthis make sure you have already run the following tools. Download and update the databases on each program before running. Also make sure you are using the the latest version (1.99.1) of HijackThis and it's installed in it's own folder on the root drive. (C:\HJT) Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and check the box for Turn OFF System Restore and make sure it’s NOT checked. We want system restore ON and monitoring your current hard drive. Once your clean we will turn this off and then back on to remove the infection from the restore folder and create a clean restore point. Download and install CleanUp! but do not run it yet. *NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Open add/remove programs and remove Messenger Plus 3. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one IF they are still listed (they shouldn't be but make sure) C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe Check and fix the following in HijackThis if they still exist (make sure you do not miss an entry) R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mlcnmxdflxscpewqffx.com/...42ywPUX7jEX.htm R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com O2 - BHO: (no name) - {9B9C1A38-4D47-EC38-7162-310B1A1FDFD8} - (no file) O2 - BHO: (no name) - {C05FEF9E-D099-E860-275B-2AEDDECA4714} - C:\DOCUME~1\ADMINI~1\DATOSD~1\16DOES~1\BoldRegs.exe O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [rect dale joy bone] C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\Support about.exe O4 - HKCU\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [five name] C:\DOCUME~1\ADMINI~1\DATOSD~1\INFOBR~1\Extra Load.exe O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab O16 - DPF: {8E65B894-C2E9-11D5-BCD3-00E018987609} - http://09.sharedsource.org/cabs/milesdejuegosmx.cab O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/...fz4/install.cab Delete the following Files/Folders in RED (delete folders if no filename is specified or if they are highlighted in RED) according to their directory (If you can't find them...do a search for them…make sure you have search hidden files, folders, sub directory’s ect enabled if it apply’s to your OS) C:\DOCUME~1\ADMINI~1\DATOSD~1\16DOES~1\BoldRegs.exe C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\Support about.exe C:\DOCUME~1\ADMINI~1\DATOSD~1\INFOBR~1\Extra Load.exe C:\TempEI4 Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: *Click "Options..." *Move the arrow down to "Custom CleanUp!" *Put a check next to the following:
Press the CleanUp! button to start the program. Reboot/logoff when prompted Once back to normal windows... Please run an online scan at http://www.pandasoftware.com/actives..._principal.htm Once it has finished save the activescan log. Then post that log in your next post along with a new hijackthis log.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
   Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder |
|
|
|
|
08-18-2005, 01:52 PM
|
#3 (permalink) |
|
Registered User
Join Date: Aug 2005
Posts: 11
OS: xp
|
Complete HJT log
Here's the complete HJT log:
Logfile of HijackThis v1.99.1 Scan saved at 08:28:06 p.m., on 17/08/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Archivos de programa\Norton SystemWorks\Password Manager\AcctMgr.exe C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe C:\Archivos de programa\QuickTime\qttask.exe C:\Archivos de programa\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe C:\ARCHIV~1\NORTON~1\NORTON~4\GHOSTS~2.EXE C:\Palm\HOTSYNC.EXE C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe C:\ARCHIV~1\NORTON~1\NORTON~2\NPROTECT.EXE C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe C:\ARCHIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\system32\ntvdm.exe c:\archiv~1\intern~1\iexplore.exe c:\archiv~1\intern~1\iexplore.exe C:\Archivos de programa\LimeWire\LimeWire.exe C:\Archivos de programa\Internet Explorer\iexplore.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.mlcnmxdflxscpewqffx.com/c...2ywPUX7jEX.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/news R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {9B9C1A38-4D47-EC38-7162-310B1A1FDFD8} - (no file) O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll O2 - BHO: (no name) - {C05FEF9E-D099-E860-275B-2AEDDECA4714} - C:\DOCUME~1\ADMINI~1\DATOSD~1\16DOES~1\BoldRegs.exe O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [AcctMgr] C:\Archivos de programa\Norton SystemWorks\Password Manager\AcctMgr.exe /startup O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe O4 - HKLM\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [rect dale joy bone] C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\Support about.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [MessengerPlus3] "C:\Archivos de programa\Messenger Plus! 3\MsgPlus.exe" /WinStart O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [five name] C:\DOCUME~1\ADMINI~1\DATOSD~1\INFOBR~1\Extra Load.exe O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/inflaterball...GameLoader.dll O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2809eb71...dxIE601_es.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093050483796 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\TempEI4\EI40_\msxml4.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab O16 - DPF: {8E65B894-C2E9-11D5-BCD3-00E018987609} - http://09.sharedsource.org/cabs/milesdejuegosmx.cab O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/p...z4/install.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab30149.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab28578.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~4\GHOSTS~2.EXE O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\NPROTECT.EXE O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe Cheers |
|
|
|
|
08-18-2005, 02:57 PM
|
#4 (permalink) |
|
Registered User
Join Date: Aug 2005
Posts: 11
OS: xp
|
Can't perform the scan on the Panda site. Keep getting the following error message:
Error on downloading ActiveScanAn error has occurred downloading Panda ActiveScan. Please repeat the process. If the error occurs again, restart your system and try againPossible causes of this error are: Not allowing the application's ActiveX control to be downloaded. Problems with the Internet connection. The error could be due to a download error or an installation error due to lack of hard disk space, privileges etc.,... I have disabled the protection on spyblaster, but can't find an option to enable or disable in the explorer's tools. Can't run it on mozilla as it6s not supported. Any suggestions? |
|
|
|
|
08-18-2005, 04:54 PM
|
#5 (permalink) |
|
Registered User
Join Date: Aug 2005
Posts: 11
OS: xp
|
Forget that, just installed the ActiveX control.
Couldn't delete the folder C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\Support about.exe, so just deleted the file. Panda scan log: Incident Status Location Spyware:spyware/marketscore No disinfected C:\WINDOWS\SYSTEM32\osmim.dll Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32m.sys Adware:adware/lop No disinfected C:\ARCHIVOS DE PROGRAMA\C2Media Spyware:spyware/clearsearch No disinfected C:\ARCHIVOS DE PROGRAMA\CSBB Adware:adware/myway No disinfected C:\ARCHIVOS DE PROGRAMA\MyWay Adware:adware/navhelper No disinfected C:\ARCHIVOS DE PROGRAMA\NavExcel Adware:adware/savenow No disinfected Windows Registry Adware:Adware/Lop No disinfected C:\Archivos de programa\C2Media\Setup.exe Adware:Adware/NavHelper No disinfected C:\Archivos de programa\NavExcel\NavHelper\v2.0.4c\NHelper.dll Adware:Adware/NavHelper No disinfected C:\Archivos de programa\NavExcel\NavHelper\v2.0.4c\NHUninstaller.exe Adware:Adware/NavHelper No disinfected C:\Archivos de programa\NavExcel\NavHelper\v2.0.4c\NHUpdater.exe Adware:Adware/NavHelper No disinfected C:\Archivos de programa\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab Adware:Adware/NavHelper No disinfected C:\Archivos de programa\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab[NHelper.dll] Adware:Adware/NavHelper No disinfected C:\Archivos de programa\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab[NHUninstaller.exe] Adware:Adware/NavHelper No disinfected C:\Archivos de programa\NavExcel\NavHelper\v2.0.4c\v2.0.4c.cab[NHUpdater.exe] Adware:Adware/Lop No disinfected C:\Archivos de programa\new_uninstall.exe Adware:Adware/Lop No disinfected C:\Archivos de programa\toolbar_uninstall.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\01 team.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\axisobj.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\Bags Dale.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\Base dumb.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\BOLD ROAD.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\bows license.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\BUILD CASH.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\CHIN STOP.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\cool free.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\dart spam.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\First User.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\Fork one.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\Funk Road.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\knob license.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\loudsettings.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\METASHIM.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\Pile skip.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\style wait.exe Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE\Warn team.exe Adware:Adware/Lop No disinfected C:\HJT\backups\backup-20050818-162420-286.dll Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\system32\osmim.dll New HJT log: Logfile of HijackThis v1.99.1 Scan saved at 06:53:29 p.m., on 18/08/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe C:\Archivos de programa\QuickTime\qttask.exe C:\Archivos de programa\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Palm\HOTSYNC.EXE C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe C:\ARCHIV~1\NORTON~1\NORTON~4\GHOSTS~2.EXE C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe C:\ARCHIV~1\NORTON~1\NORTON~2\NPROTECT.EXE C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe C:\ARCHIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe C:\Archivos de programa\Mozilla Firefox\firefox.exe C:\WINDOWS\system32\wuauclt.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.abyfslcbxrryyvmj.us/ceCG7...ywPUX7jEX.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uizaymxdrub.com/ceCG7dLjC...6l5_UEI0ok.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [AcctMgr] C:\Archivos de programa\Norton SystemWorks\Password Manager\AcctMgr.exe /startup O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [five name] C:\DOCUME~1\ADMINI~1\DATOSD~1\INFOBR~1\Extra Load.exe O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/inflaterball...GameLoader.dll O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2809eb71...dxIE601_es.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093050483796 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab30149.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab28578.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~4\GHOSTS~2.EXE O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\NPROTECT.EXE O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe Cheers |
|
|
|
|
08-18-2005, 04:55 PM
|
#6 (permalink) |
|
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Join Date: Sep 2004
Location: Carmichaels, PA-USA
Posts: 6,965
OS: Windows XP-Pro SP2
|
No Prob. I'll use another tool. Anyway..seams we have some LOP entrys hidding as it's still in your log. I need the log from the following tool.
Download Findlop by Metallica. Unzip it to your desktop. Double click findlop.bat. It will open a notepad file. Copy the contents of that file and past it here in your reply.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder |
|
|
|
|
08-19-2005, 02:13 PM
|
#7 (permalink) |
|
Registered User
Join Date: Aug 2005
Posts: 11
OS: xp
|
Ok, heres the contents of the notepad:
[TRACE] Enumerating jobs and queues [TRACE] Activating job '8E4C26C893A3F968.job' [TRACE] Printing all job properties ApplicationName: 'c:\archiv~1\infobr~1\bib setup soap.exe' Parameters: '' WorkingDirectory: '' Comment: '' Creator: 'Administrador' Priority: NORMAL MaxRunTime: 259200000 (3d 0:00:00) IdleWait: 10 IdleDeadline: 60 MostRecentRun: 10/15/2004 3:00:00 NextRun: 08/19/2005 17:00:00 StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET ExitCode: 0 Status: SCHED_S_TASK_READY ScheduledWorkItem Flags: DeleteWhenDone = 0 Suspend = 0 StartOnlyIfIdle = 0 KillOnIdleEnd = 0 RestartOnIdleResume = 0 DontStartIfOnBatteries = 0 KillIfGoingOnBatteries = 0 RunOnlyIfLoggedOn = 1 SystemRequired = 0 Hidden = 1 TaskFlags: 0 1 Trigger Trigger 0: Type: Daily DaysInterval: 1 StartDate: 10/04/1996 EndDate: 00/00/0000 StartTime: 00:00 MinutesDuration: 1440 MinutesInterval: 60 Flags: HasEndDate = 0 KillAtDuration = 0 Disabled = 0 [TRACE] Activating job 'A4AAC43291857E82.job' [TRACE] Printing all job properties ApplicationName: 'c:\docume~1\admini~1\datosd~1\infobr~1\bib setup soap.exe' Parameters: '' WorkingDirectory: '' Comment: '' Creator: 'Administrador' Priority: NORMAL MaxRunTime: 259200000 (3d 0:00:00) IdleWait: 10 IdleDeadline: 60 MostRecentRun: 08/18/2005 16:00:00 NextRun: 08/19/2005 17:00:00 StartError: 0x80070003 ExitCode: 0 Status: SCHED_S_TASK_READY ScheduledWorkItem Flags: DeleteWhenDone = 0 Suspend = 0 StartOnlyIfIdle = 0 KillOnIdleEnd = 0 RestartOnIdleResume = 0 DontStartIfOnBatteries = 0 KillIfGoingOnBatteries = 0 RunOnlyIfLoggedOn = 1 SystemRequired = 0 Hidden = 1 TaskFlags: 0 1 Trigger Trigger 0: Type: Daily DaysInterval: 1 StartDate: 02/21/1999 EndDate: 00/00/0000 StartTime: 00:00 MinutesDuration: 1440 MinutesInterval: 60 Flags: HasEndDate = 0 KillAtDuration = 0 Disabled = 0 [TRACE] Activating job 'AD6BDD9191845139.job' [TRACE] Printing all job properties ApplicationName: 'c:\archiv~1\infobr~1\bib setup soap.exe' Parameters: '' WorkingDirectory: '' Comment: '' Creator: 'Administrador' Priority: NORMAL MaxRunTime: 259200000 (3d 0:00:00) IdleWait: 10 IdleDeadline: 60 MostRecentRun: 10/15/2004 3:00:00 NextRun: 08/19/2005 17:00:00 StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET ExitCode: 0 Status: SCHED_S_TASK_READY ScheduledWorkItem Flags: DeleteWhenDone = 0 Suspend = 0 StartOnlyIfIdle = 0 KillOnIdleEnd = 0 RestartOnIdleResume = 0 DontStartIfOnBatteries = 0 KillIfGoingOnBatteries = 0 RunOnlyIfLoggedOn = 1 SystemRequired = 0 Hidden = 1 TaskFlags: 0 1 Trigger Trigger 0: Type: Daily DaysInterval: 1 StartDate: 02/10/1999 EndDate: 00/00/0000 StartTime: 00:00 MinutesDuration: 1440 MinutesInterval: 60 Flags: HasEndDate = 0 KillAtDuration = 0 Disabled = 0 [TRACE] Activating job 'Norton AntiVirus - Analizar el equipo.job' [TRACE] Printing all job properties ApplicationName: 'C:\ARCHIV~1\NORTON~1\NORTON~1\Navw32.exe' Parameters: '/task:"C:\Documents and Settings\All Users\Datos de programa\Symantec\Norton AntiVirus\Tasks\mycomp.sca"' WorkingDirectory: '' Comment: 'Esto es una tarea planificada de análisis de Norton AntiVirus.' Creator: 'Administrador' Priority: NORMAL MaxRunTime: 259200000 (3d 0:00:00) IdleWait: 10 IdleDeadline: 60 MostRecentRun: 06/10/2005 20:00:00 NextRun: 08/19/2005 20:00:00 StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET ExitCode: 0x1 Status: SCHED_S_TASK_READY ScheduledWorkItem Flags: DeleteWhenDone = 0 Suspend = 0 StartOnlyIfIdle = 0 KillOnIdleEnd = 0 RestartOnIdleResume = 0 DontStartIfOnBatteries = 0 KillIfGoingOnBatteries = 0 RunOnlyIfLoggedOn = 1 SystemRequired = 0 Hidden = 0 TaskFlags: 0 1 Trigger Trigger 0: Type: Weekly WeeksInterval: 1 DaysOfTheWeek: .....F. StartDate: 04/13/2004 EndDate: 00/00/0000 StartTime: 20:00 MinutesDuration: 0 MinutesInterval: 0 Flags: HasEndDate = 0 KillAtDuration = 0 Disabled = 0 [TRACE] Activating job 'Norton SystemWorks One Button Checkup.job' [TRACE] Printing all job properties ApplicationName: 'C:\Archivos de programa\Norton SystemWorks\OBC.exe' Parameters: ' /CUSTOM /SCHEDULE' WorkingDirectory: '' Comment: '' Creator: 'Administrador' Priority: NORMAL MaxRunTime: 259200000 (3d 0:00:00) IdleWait: 30 IdleDeadline: 0 MostRecentRun: 06/03/2005 17:30:00 NextRun: 08/19/2005 17:30:00 StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET ExitCode: 0 Status: SCHED_S_TASK_READY ScheduledWorkItem Flags: DeleteWhenDone = 0 Suspend = 0 StartOnlyIfIdle = 0 KillOnIdleEnd = 0 RestartOnIdleResume = 0 DontStartIfOnBatteries = 0 KillIfGoingOnBatteries = 0 RunOnlyIfLoggedOn = 1 SystemRequired = 0 Hidden = 0 TaskFlags: 0 1 Trigger Trigger 0: Type: Weekly WeeksInterval: 1 DaysOfTheWeek: .....F. StartDate: 04/13/2004 EndDate: 00/00/0000 StartTime: 17:30 MinutesDuration: 0 MinutesInterval: 0 Flags: HasEndDate = 0 KillAtDuration = 0 Disabled = 0 [TRACE] Activating job 'Symantec Drmc.job' [TRACE] Printing all job properties ApplicationName: 'C:\Archivos de programa\Archivos comunes\Symantec Shared\SymDrmc.exe' Parameters: ' /CUSTOM /SCHEDULE' WorkingDirectory: '' Comment: '' Creator: 'Administrador' Priority: NORMAL MaxRunTime: 259200000 (3d 0:00:00) IdleWait: 30 IdleDeadline: 0 MostRecentRun: 06/07/2005 0:00:01 NextRun: 08/20/2005 0:00:00 StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET ExitCode: 0 Status: SCHED_S_TASK_READY ScheduledWorkItem Flags: DeleteWhenDone = 0 Suspend = 0 StartOnlyIfIdle = 0 KillOnIdleEnd = 0 RestartOnIdleResume = 0 DontStartIfOnBatteries = 0 KillIfGoingOnBatteries = 0 RunOnlyIfLoggedOn = 1 SystemRequired = 0 Hidden = 0 TaskFlags: 0 1 Trigger Trigger 0: Type: Daily DaysInterval: 1 StartDate: 04/13/2004 EndDate: 00/00/0000 StartTime: 00:00 MinutesDuration: 0 MinutesInterval: 0 Flags: HasEndDate = 0 KillAtDuration = 0 Disabled = 0 [TRACE] Activating job 'Symantec NetDetect.job' [TRACE] Printing all job properties ApplicationName: 'C:\Archivos de programa\Symantec\LiveUpdate\NDETECT.EXE' Parameters: '' WorkingDirectory: 'C:\Archivos de programa\Symantec\LiveUpdate' Comment: 'Symantec NetDetect' Creator: 'SYSTEM' Priority: NORMAL MaxRunTime: 259200000 (3d 0:00:00) IdleWait: 10 IdleDeadline: 60 MostRecentRun: 06/10/2005 22:23:00 NextRun: 08/19/2005 16:13:00 StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET ExitCode: 0x65 Status: SCHED_S_TASK_READY ScheduledWorkItem Flags: DeleteWhenDone = 0 Suspend = 0 StartOnlyIfIdle = 0 KillOnIdleEnd = 0 RestartOnIdleResume = 0 DontStartIfOnBatteries = 0 KillIfGoingOnBatteries = 0 RunOnlyIfLoggedOn = 1 SystemRequired = 0 Hidden = 0 TaskFlags: 0 2 Triggers Trigger 0: Type: Daily DaysInterval: 1 StartDate: 06/11/2005 EndDate: 00/00/0000 StartTime: 02:23 MinutesDuration: 1440 MinutesInterval: 5 Flags: HasEndDate = 0 KillAtDuration = 0 Disabled = 0 Trigger 1: Type: AtLogon StartDate: 04/13/2004 EndDate: 00/00/0000 StartTime: 10:46 MinutesDuration: 0 MinutesInterval: 0 Flags: HasEndDate = 0 KillAtDuration = 0 Disabled = 0 What next? |
|
|
|
|
08-19-2005, 09:44 PM
|
#9 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista
|
Hello Mexican Toffee,
Yes, the Panda scan is what helped identify the infection. Download KillBox http://www.greyknight17.com/spy/KillBox.exe. Reboot into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter. Open your Task Scheduler and delete the following jobs: 8E4C26C893A3F968 A4AAC43291857E82 AD6BDD9191845139 Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C: C:\WINDOWS\SYSTEM32\osmim.dll C:\WINDOWS\smdat32m.sys C:\WINDOWS\system32\osmim.dll C:\Archivos de programa\new_uninstall.exe C:\Archivos de programa\toolbar_uninstall.exe Start KillBox. Go to the File menu, and choose Paste from Clipboard. Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there. Select/tick the following: * Delete on Reboot * End Explorer Shell While Killing File * Unregister.dll Before Deleting" if it's not grayed out. Click the RED X button. Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: C2Media CSBB MyWay NavExcel Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.abyfslcbxrryyvmj.us/ceCG...2ywPUX7jEX.html R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uizaymxdrub.com/ceCG7dLj...B6l5_UEI0ok.htm O4 - HKCU\..\Run: [five name] C:\DOCUME~1\ADMINI~1\DATOSD~1\INFOBR~1\Extra Load.exe Now delete the following files/folders: c:\archiv~1\infobr~1 c:\docume~1\admini~1\datosd~1\infobr~1 C:\WINDOWS\SYSTEM32\osmim.dll C:\WINDOWS\smdat32m.sys C:\ARCHIVOS DE PROGRAMA\C2Media C:\ARCHIVOS DE PROGRAMA\CSBB C:\ARCHIVOS DE PROGRAMA\MyWay C:\ARCHIVOS DE PROGRAMA\NavExcel C:\Documents and Settings\All Users\Datos de programa\COAL REF RECT DALE C:\Archivos de programa\new_uninstall.exe C:\Archivos de programa\toolbar_uninstall.exe *note* Check each of your users and ALL users Program and Application Data folders for any strange named folders..like the ones we are deleting (safe 16 team, Close fork meal army, Sixth Tons Trust) as this infection installs these in each account on the PC including the users, ALL users, Admin..ect accounts. Run another scan with Panda, save the log and post it here. Run FindLop again and post that along with another HijackThis log. |
|
|
|
|
08-20-2005, 10:19 AM
|
#10 (permalink) |
|
Registered User
Join Date: Aug 2005
Posts: 11
OS: xp
|
Couldn’t find the follwing:
c:\docume~1\admini~1\datosd~1\infobr~1 C:\WINDOWS\SYSTEM32\osmim.dll C:\WINDOWS\smdat32m.sys nor any reference to files or folders for safe 16 team, Close fork meal army, Sixth Tons Trust. Did a separate search for all of the above. Panda scan log: Incident Status Location Adware:Adware/Lop No disinfected C:\HJT\backups\backup-20050818-162420-286.dll Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc10\Setup.exe Adware:Adware/NavHelper No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc13\NavHelper\v2.0.4c\NHelper.dll Adware:Adware/NavHelper No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc13\NavHelper\v2.0.4c\NHUninstaller.exe Adware:Adware/NavHelper No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc13\NavHelper\v2.0.4c\NHUpdater.exe Adware:Adware/NavHelper No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc13\NavHelper\v2.0.4c\v2.0.4c.cab Adware:Adware/NavHelper No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc13\NavHelper\v2.0.4c\v2.0.4c.cab[NHelper.dll] Adware:Adware/NavHelper No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc13\NavHelper\v2.0.4c\v2.0.4c.cab[NHUninstaller.exe] Adware:Adware/NavHelper No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc13\NavHelper\v2.0.4c\v2.0.4c.cab[NHUpdater.exe] Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\01 team.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\axisobj.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\Bags Dale.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\Base dumb.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\BOLD ROAD.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\bows license.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\BUILD CASH.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\CHIN STOP.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\cool free.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\dart spam.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\First User.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\Fork one.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\Funk Road.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\knob license.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\loudsettings.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\METASHIM.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\Pile skip.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\style wait.exe Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\Warn team.exe FindLop log: [TRACE] Enumerating jobs and queues [TRACE] Activating job 'Norton AntiVirus - Analizar el equipo.job' [TRACE] Printing all job properties ApplicationName: 'C:\ARCHIV~1\NORTON~1\NORTON~1\Navw32.exe' Parameters: '/task:"C:\Documents and Settings\All Users\Datos de programa\Symantec\Norton AntiVirus\Tasks\mycomp.sca"' WorkingDirectory: '' Comment: 'Esto es una tarea planificada de análisis de Norton AntiVirus.' Creator: 'Administrador' Priority: NORMAL MaxRunTime: 259200000 (3d 0:00:00) IdleWait: 10 IdleDeadline: 60 MostRecentRun: 06/10/2005 20:00:00 NextRun: 08/26/2005 20:00:00 StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET ExitCode: 0x1 Status: SCHED_S_TASK_READY ScheduledWorkItem Flags: DeleteWhenDone = 0 Suspend = 0 StartOnlyIfIdle = 0 KillOnIdleEnd = 0 RestartOnIdleResume = 0 DontStartIfOnBatteries = 0 KillIfGoingOnBatteries = 0 RunOnlyIfLoggedOn = 1 SystemRequired = 0 Hidden = 0 TaskFlags: 0 1 Trigger Trigger 0: Type: Weekly WeeksInterval: 1 DaysOfTheWeek: .....F. StartDate: 04/13/2004 EndDate: 00/00/0000 StartTime: 20:00 MinutesDuration: 0 MinutesInterval: 0 Flags: HasEndDate = 0 KillAtDuration = 0 Disabled = 0 [TRACE] Activating job 'Norton SystemWorks One Button Checkup.job' [TRACE] Printing all job properties ApplicationName: 'C:\Archivos de programa\Norton SystemWorks\OBC.exe' Parameters: ' /CUSTOM /SCHEDULE' WorkingDirectory: '' Comment: '' Creator: 'Administrador' Priority: NORMAL MaxRunTime: 259200000 (3d 0:00:00) IdleWait: 30 IdleDeadline: 0 MostRecentRun: 06/03/2005 17:30:00 NextRun: 08/26/2005 17:30:00 StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET ExitCode: 0 Status: SCHED_S_TASK_READY ScheduledWorkItem Flags: DeleteWhenDone = 0 Suspend = 0 StartOnlyIfIdle = 0 KillOnIdleEnd = 0 RestartOnIdleResume = 0 DontStartIfOnBatteries = 0 KillIfGoingOnBatteries = 0 RunOnlyIfLoggedOn = 1 SystemRequired = 0 Hidden = 0 TaskFlags: 0 1 Trigger Trigger 0: Type: Weekly WeeksInterval: 1 DaysOfTheWeek: .....F. StartDate: 04/13/2004 EndDate: 00/00/0000 StartTime: 17:30 MinutesDuration: 0 MinutesInterval: 0 Flags: HasEndDate = 0 KillAtDuration = 0 Disabled = 0 [TRACE] Activating job 'Symantec Drmc.job' [TRACE] Printing all job properties ApplicationName: 'C:\Archivos de programa\Archivos comunes\Symantec Shared\SymDrmc.exe' Parameters: ' /CUSTOM /SCHEDULE' WorkingDirectory: '' Comment: '' Creator: 'Administrador' Priority: NORMAL MaxRunTime: 259200000 (3d 0:00:00) IdleWait: 30 IdleDeadline: 0 MostRecentRun: 06/07/2005 0:00:01 NextRun: 08/21/2005 0:00:00 StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET ExitCode: 0 Status: SCHED_S_TASK_READY ScheduledWorkItem Flags: DeleteWhenDone = 0 Suspend = 0 StartOnlyIfIdle = 0 KillOnIdleEnd = 0 RestartOnIdleResume = 0 DontStartIfOnBatteries = 0 KillIfGoingOnBatteries = 0 RunOnlyIfLoggedOn = 1 SystemRequired = 0 Hidden = 0 TaskFlags: 0 1 Trigger Trigger 0: Type: Daily DaysInterval: 1 StartDate: 04/13/2004 EndDate: 00/00/0000 StartTime: 00:00 MinutesDuration: 0 MinutesInterval: 0 Flags: HasEndDate = 0 KillAtDuration = 0 Disabled = 0 [TRACE] Activating job 'Symantec NetDetect.job' [TRACE] Printing all job properties ApplicationName: 'C:\Archivos de programa\Symantec\LiveUpdate\NDETECT.EXE' Parameters: '' WorkingDirectory: 'C:\Archivos de programa\Symantec\LiveUpdate' Comment: 'Symantec NetDetect' Creator: 'SYSTEM' Priority: NORMAL MaxRunTime: 259200000 (3d 0:00:00) IdleWait: 10 IdleDeadline: 60 MostRecentRun: 06/10/2005 22:23:00 NextRun: 08/20/2005 12:18:00 StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET ExitCode: 0x65 Status: SCHED_S_TASK_READY ScheduledWorkItem Flags: DeleteWhenDone = 0 Suspend = 0 StartOnlyIfIdle = 0 KillOnIdleEnd = 0 RestartOnIdleResume = 0 DontStartIfOnBatteries = 0 KillIfGoingOnBatteries = 0 RunOnlyIfLoggedOn = 1 SystemRequired = 0 Hidden = 0 TaskFlags: 0 2 Triggers Trigger 0: Type: Daily DaysInterval: 1 StartDate: 06/11/2005 EndDate: 00/00/0000 StartTime: 02:23 MinutesDuration: 1440 MinutesInterval: 5 Flags: HasEndDate = 0 KillAtDuration = 0 Disabled = 0 Trigger 1: Type: AtLogon StartDate: 04/13/2004 EndDate: 00/00/0000 StartTime: 10:46 MinutesDuration: 0 MinutesInterval: 0 Flags: HasEndDate = 0 KillAtDuration = 0 Disabled = 0 HJT log: Logfile of HijackThis v1.99.1 Scan saved at 12:18:06 p.m., on 20/08/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe C:\ARCHIV~1\NORTON~1\NORTON~4\GHOSTS~2.EXE C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe C:\ARCHIV~1\NORTON~1\NORTON~2\NPROTECT.EXE C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe C:\ARCHIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\System32\igfxtray.exe C:\WINDOWS\System32\hkcmd.exe C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe C:\Archivos de programa\QuickTime\qttask.exe C:\Archivos de programa\Messenger\msmsgs.exe C:\WINDOWS\system32\ctfmon.exe C:\Palm\HOTSYNC.EXE C:\Archivos de programa\WinZip\WZQKPICK.EXE C:\Archivos de programa\Mozilla Firefox\firefox.exe C:\WINDOWS\System32\WISPTIS.EXE C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE C:\HJT\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\NavShExt.dll O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [ccApp] "C:\Archivos de programa\Archivos comunes\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Archivos de programa\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe O4 - HKLM\..\Run: [AcctMgr] C:\Archivos de programa\Norton SystemWorks\Password Manager\AcctMgr.exe /startup O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\qttask.exe" -atboottime O4 - HKCU\..\Run: [MSMSGS] "C:\Archivos de programa\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE O4 - Global Startup: WinZip Quick Pick.lnk = C:\Archivos de programa\WinZip\WZQKPICK.EXE O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/hamsterball/...gameloader.cab O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/inflaterball...GameLoader.dll O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/2809eb71...dxIE601_es.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093050483796 O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab28578.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab30149.cab O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab30149.cab O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab30149.cab O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab28578.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARCHIV~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\ccSetMgr.exe O23 - Service: GhostStartService - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~4\GHOSTS~2.EXE O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Servicio Auto-Protect de Norton AntiVirus (navapsvc) - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\NPROTECT.EXE O23 - Service: SAVScan - Symantec Corporation - C:\Archivos de programa\Norton SystemWorks\Norton Antivirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARCHIV~1\ARCHIV~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\ARCHIV~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Archivos de programa\Archivos comunes\Symantec Shared\Security Center\SymWSC.exe Cheers |
|
|
|
|
08-20-2005, 04:24 PM
|
#11 (permalink) |
|
Registered User
Join Date: Aug 2005
Posts: 11
OS: xp
|
I was just reading through the sticky" What to do before posting an HJT log " and I noticed I hadn't configured the ad-aware se to the custom settings. Done this now, ran it, didn't find anything new so ran the Trend Micro Housecall on line virus scan which detected the following:
Detected File Associated Virus Name Action C:\HJT\backups\backup-20050818-162420-286.dllUncleanable TROJ_SWIZZOR.DQ DeletePass C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\01 team.exeUncleanable TROJ_KREPPER.AB DeletePass C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\axisobj.exeUncleanable TROJ_DLOADER.SL DeletePass C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\BOLD ROAD.exeUncleanable TROJ_DLOADER.SK DeletePass C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\knob license.exeUncleanable TROJ_SWIZZOR.EJ DeletePass C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\METASHIM.exeUncleanable TROJ_SWIZZOR.EJ DeletePass C:\RECYCLER\S-1-5-21-842925246-287218729-839522115-500\Dc14\Warn team.exeUncleanable Now I haven't deleted these yet, I was little worried about deleting the HJT file. Can I run this scan again and clean these off? Cheers |
|
|
|
|
08-20-2005, 04:41 PM
|
#12 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista
|
Hi,
Your log is clean. If there aren't any more problems, you should be all set. Those are located in your recycle bin. We'll take care of that now. Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: *Click "Options..." *Move the arrow down to "Custom CleanUp!" *Put a check next to the following: -Empty Recycle Bins -Temporary Internet Files -Delete Cookies -Delete Prefetch files [color=Blue]-[X]Scan local drives for temporary files [/color] (Please uncheck this option) -Cleanup! All Users Click OK Press the CleanUp! button to start the program. Reboot/logoff when prompted. Reset hidden/system files and folders Windows XP =============== Click Start. * Open My Computer. * Select the Tools menu and click Folder Options. * Select the View tab. * Deselect the Show hidden files and folders option. * Select the Hide file extensions for known types option. * Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Create a new System Restore point Click Start >> Run - type SYSDM.CPL & press Enter * Select the System Restore Tab * Tick on the checkbox - "Turn off System Restore on all drives" Click Apply * Then untick the same checkbox & click OK In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles: HOW DID I GET INFECTED IN THE FIRST PLACE? http://forums.net-integration.net/in...showtopic=3051 THE ANTI-SPYWARE TUTORIAL http://www.greyknight17.com/spyware.htm#prevent MAKING INTERNET EXPLORER SAFER http://www.bleepingcomputer.com/foru...er-tut102.html Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them. More information and downloads are available at the following links: Spyware Blaster to help prevent spyware from installing in the first place. Spyware Guard to catch and block spyware before it can execute. IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. |
|
|
|
|
08-20-2005, 05:03 PM
|
#13 (permalink) |
|
Registered User
Join Date: Aug 2005
Posts: 11
OS: xp
|
You guys are tremendous. Thanks for your timely responses and easy to follow instructions. I hope I'm not back in the near future unless it's to have a crack at the acadamey.
Will read through your suggested list straight away. Cheers Simon Jordan |
|
|
|
|
08-20-2005, 06:14 PM
|
#14 (permalink) |
|
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 24,048
OS: WinXP and Vista
|
Hello again Simon,
I'd like to add one more thing: I noticed you have 2 Anti-Virus programs running. Please choose and run only 1. More than 1 can cause conflicts and confusion between the AV programs. Hope to see you in the Academy. 
|
|
|
|
| Thread Tools | |
|
|
