hello team i gotta live one - Page 2

**grassi** · 01-16-2006, 09:12 PM

what am i suppose to do with KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip run or save????
i did however get to delete HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239} and gave me a default one? Also i Clicked START>>RUN. Type in the following command:
regsvr32 /u occache.dll and it gave me a little pop up window from reg svr32 saying dll unregistered server in occache.dll succeeded. Is this right so far??

MicroBell · 01-17-2006, 01:43 AM

Yes thats what was supposed to happen. As for the KILLBOX instructions...they are quite clear.

Run Killbox

Paste this entry into the main box...

C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf

Checkmark the "Delete On Reboot" and "Unregister DLL" boxs..then hit the RED X.

It will asked you to reboot. Do so. Then follow through with the rest.

**grassi** · 01-17-2006, 05:58 AM

"Delete On Reboot" was there and "Unregister DLL" boxs.. was not. panda scan will be here shortly but i have to tell ya Its looking worse instead of 1spyware and 6 hackers (post#13) now there is 6 spyware and 4 hackers so far.

**grassi** · 01-17-2006, 06:55 AM

microbell it looks like its gone just want to make sure before re registering dll. Also please note your directions are very clear, im just learnin. Also apologize for any newbish questions. but heres one in my computer c:\ i have an old file its a red circle with white x through it. i believe its an old kill box file the date december 22 thats the date of old smittfraud variant. can i delete along with another folder that is labeled !killbox it contains the f3initial set up, (when i place my cusrsor over this folder). also in properties for this folder it contains 2 files 1 folder?? At the end of course, just to keep on top of everything and clean??

Incident Status Location

Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@burstnet[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@realmedia[1].txt
Potentially unwanted tool:Application/FunWeb Not disinfected C:\!KillBox\f3initialsetup1.0.0.15.inf
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@burstnet[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@realmedia[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Owner\Desktop\emergency!!\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Owner\Desktop\emergency!!\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe

**grassi** · 01-18-2006, 05:07 AM

also can i repeat my steps and start this fix over i already typed regsvr32 occache.dll and deleted that regedit number. can i be sure everything is done together again???ankotherwords do this over all in one shot. Now that i got the newbish part out of it.

also movin this thread up.

MicroBell · 01-18-2006, 01:10 PM

There's no need to start over. The files are gone.

C:\!KillBox <--delete that folder. It's just a KILLBOX backup folder.

The rest of the entrys that Panda picked up are of no concern. They are just cookies and some of the exe's for the tools we used.

Post another Hijackthis log and the log from the scan below and let me know how things are running.

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Standard
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

**grassi** · 01-18-2006, 02:27 PM

okay microbell thanks again for everything i know im a pain in the @#$, my ears are ringing over here

But appreciate all you guys have done. I said to tetonbob he will here from me with a donation as i say to you its tight right now but my donation will see you soon

oh yeah this is hjt my version however did not come up V1.99.1 just to make sure??????

Scan saved at 4:19:23 PM, on 1/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128469640765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe (file missing)

KASPERSKY

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, January 18, 2006 16:17:58
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 18/01/2006
Kaspersky Anti-Virus database records: 161305
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 62055
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 2849 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

**grassi** · 01-18-2006, 05:21 PM

also this new killbox with f3 initial setup in c:/, may i delete along with any findings of kill box or kaspersky from clicking on start then search??? Is this a good way to remove unneeded stuff such as these 2 (i dont think i need these things lurking)??? oh yeah, i uninstalled cc cleaner, because i thought this brought back those search findings of weatherbug. so i guess ill do the same (search option to delete) and delete any findings? Thanks again.

MicroBell · 01-18-2006, 07:11 PM

Yes you can delete those tools if you like.

Your logs are clean. Any more issues? If not you should be good to go. We still have a few more items to address so please follow the instructions below.

Reset hidden/system files and folders

Windows XP
===============

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide file extensions for known types option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Windows 2000
===============

Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Select the Advanced settings box option.
Select the Hidden files Folders.
Deselect the Show all files option.
Click Yes to confirm.
Click OK.

Windows ME
===============

Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Deselect the Show hidden files and folders option.
Select the Hide protected operating system files option.
Click Yes to confirm.
Click OK.

Windows 95/98/98SE
===============

Open My Computer.
Select the View
Select the Folder Options option.
Select the View tab. option.
Select the Advance Advanced settings box option.
Select the Hidden files folder.
Deselect the Show all files option
Click Apply to confirm.
Click OK.

Create a new System Restore point

Windows XP
===============

Click Start >> Run - type SYSDM.CPL & press Enter
Select the System Restore Tab
Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
Then untick the same checkbox & click OK
This deletes ALL restore points that had the infection and creates a clean one

Windows ME
===============

Click the Start tab.
Select the Settings option.
Select the Control Panel option.
Double Click the System icon Performance tab option.
Select File System
Select the Troubleshooting tab
Check the Disable System Restore box
Click Apply to confirm.
Click OK.

Reboot the PC and repeat the above procedure again
When you get to this option

Uncheck the Disable System Restore box

For Windows ME..we MUST create a new restore point now as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours has passed. To create a new restore point follow the procedure below.

Click the Start button.
Point to Programs, point to Accessories, point to System Tools, and then click System Restore.
Choose Create a restore point, and then click Next.
In the Restore point description box, type a name for your restore point, and then click Next.
Click OK

Enable Windows Auto Update

Go to Start>Run - type wuaucpl.cpl
Tick on the checkbox - "Keep my computer up to date"
Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
Click on "OK".

Please visit Microsoft's Window's Update Page and install the latest service packs, patch’s and security updates for your system.

Recommended Protection Programs

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
WinPatrol to monitor any changes that programs make to the registry.

If you do not have a firewall, here are 4 free ones available for personal use:

In today’s world you MUST have an Antivirus program. If you do not have one, here are 3 FREE ones available for personal use:

In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

Please stay safe out there and take the helpful advice that’s been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place.

Please respond to this thread one more time so we can mark this thread as resolved.

**grassi** · 01-18-2006, 09:07 PM

Oh Crap I Was Suppose To Create A Restore Point But In Confusion With What I Have Going On And I Apologize I Went Back In Time, What Do I Do.....

Ried · 01-18-2006, 09:47 PM

Hello grassi,

Are you saying you actually did a System Restore to an earlier date just now? If so, click Start>All Programs>Accessories>System Restore. Click the circle that says 'Undo my last Restoration'.

**grassi** · 01-18-2006, 09:52 PM

im pretty sure reid how can i tell i was in a state of confusion. to be more specific than recent post, i followed your inst. under create a new sytem restore point .......Reboot the PC and repeat the above procedure again
When you get to this option
Uncheck the Disable System Restore box
..........................
Click the Start button.
Point to Programs, point to Accessories, point to System Tools, and then click System Restore.

......WELL from there i just hit next which was the option already checked which was "store my computer to an earlier time." just clicked next till it automatically rebooted then on reboot it said restoring system to an earlier time. Im sorry remember earlier when i said my girlfriend would flip about weatherbug and search assistant etc well she saw my posts and IT WAS ON. sorry i was trying to get through that last part. It was brutal over here boy whhoooow.

**grassi** · 01-18-2006, 10:55 PM

man i cant take it anymore. while i was waiting i decided to play a game enemy territory when not even two minutes into it, it crashed then screen went black with a pop up. It had a yellow yield symbol with an ! in the middle anyway it said "the vtdisp display has stopped working normally save your work and reboot the system to restore full display functionality. The next time you reboot machine a dialog will be displayed giving you an option to upload data about this failure to microsoft". which i did, and i have result page from problem minimized. here is a quick look.... An analyst at Microsoft has investigated this problem and determined that an unknown error occurred in ShopAtHomeSelect. This software was created by S3 Graphics Inc..i have been playing this game for a while now never any problems. this must be from past restore problem???

what do i do besides slow down

Ried · 01-18-2006, 11:17 PM

Yes, slow down a bit.

Did you follow my instructions to 'Undo the last System Restore'?

**grassi** · 01-19-2006, 05:10 AM

no because i wasnt even positive which one i hit. should i just rerun kaspersky and panda as instructed in begining of fix.

Ried · 01-19-2006, 05:41 AM

First, try to undo your last System Restore. Follow the instructions I gave you about 5 posts up.

If you can't undo the last Restore, then repeat Microbell's instructions in post #22 of this thread.

Then run a scan with Panda and post the results here along with a new HijackThis log.

**grassi** · 01-19-2006, 05:52 AM

hello ried and thank you. your a life saver. Im sure microbell is furious. okay i undid my last restore point should i rescan or follow microbells post #22 to make sure those problems are still gone. I promise not to be so careless next time for i had some sleep. Im trying to stay on my chair for you guys.

Ried · 01-19-2006, 06:22 AM

Let's just do the Panda scan for now so I can see where we're at here.

Post those results along with a new HijackThis log.

**grassi** · 01-19-2006, 07:36 AM

here is my panda scan log, as it found numerous spyware (more than the past scans with microbell)

Incident Status Location

Adware:adware/adwhere Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@belnk[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@bravenet[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@burstnet[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ccbill[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@cgi-bin[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@cs.sexcounter[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@dist.belnk[2].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@fortunecity[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@i.screensavers[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@realmedia[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@rn11[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@statcounter[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.burstbeacon[1].txt
Potentially unwanted tool:Application/FunWeb Not disinfected C:\!KillBox\f3initialsetup1.0.0.15.inf
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@belnk[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@bravenet[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@burstnet[2].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ccbill[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@cgi-bin[1].txt
Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@cs.sexcounter[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@dist.belnk[2].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@fortunecity[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@i.screensavers[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@realmedia[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@rn11[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@statcounter[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.burstbeacon[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Owner\Desktop\emergency!!\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Owner\Desktop\emergency!!\smitRem.exe[Process.exe]
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
.......................................................................................................
Logfile of HijackThis v1.99.1
Scan saved at 9:33:39 AM, on 1/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128469640765
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe (file missing)

i think its a mess???? how about you????

Ried · 01-19-2006, 08:00 AM

Not a mess at all--you're in great shape.

Panda is only reporting cookies present on your system--which will always accumulate when you browse the internet. Open Internet Explorer, click on Tools>Internet Options>then click on the button that says 'delete cookies'.

The other entries are the tool we used to clean your system previously, and one of Hewlett Packards files--they are nothing to worry about.

Now, let's clear out those previous restore points so we don't have to go through this again.

Take your time in performing this step. Just do exactly what what I have listed here:

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK A new restore point will be created automatically at this time.

This will prevent any reinfection from previous restore points.

You're good to go now grassi. You have the programs necessary to protect yourself pretty well. Use them!

Scan with AdAware and Spybot weekly and let those programs do the fixing of anything found--that's what they're designed for. Make sure you update the definitions file of both of those regularly. The same applies to your Anti-Virus program--keep the definitions data base updated and perform regular scans.

Perform online scans periodically as well. Take the time to look through the report before getting nervous about any findings. In the future, you'll only need a review by us if there is anything in those reports other than cookies, or the tools we've used (smitRem.exe).

For a general checkup, I would suggest posting a HijackThis log, along with any Panda scan results--roughly once a month (for your peace of mind

)

01-16-2006, 09:12 PM	#21 (permalink)
grassi TSF Enthusiast Join Date: Dec 2005 Location: upstate, n.y. Posts: 935 OS: xp pro, sp3 My System	what am i suppose to do with KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip run or save???? i did however get to delete HKEY_CLASSES_ROOT\CLSID\{147A976E-EEE1-4377-8EA7-4716E4CDD239} and gave me a default one? Also i Clicked START>>RUN. Type in the following command: regsvr32 /u occache.dll and it gave me a little pop up window from reg svr32 saying dll unregistered server in occache.dll succeeded. Is this right so far?? Last edited by grassi; 01-16-2006 at 09:32 PM.

01-17-2006, 01:43 AM	#22 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Yes thats what was supposed to happen. As for the KILLBOX instructions...they are quite clear. Run Killbox Paste this entry into the main box... C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf Checkmark the "Delete On Reboot" and "Unregister DLL" boxs..then hit the RED X. It will asked you to reboot. Do so. Then follow through with the rest. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

01-17-2006, 05:58 AM	#23 (permalink)
grassi TSF Enthusiast Join Date: Dec 2005 Location: upstate, n.y. Posts: 935 OS: xp pro, sp3 My System	"Delete On Reboot" was there and "Unregister DLL" boxs.. was not. panda scan will be here shortly but i have to tell ya Its looking worse instead of 1spyware and 6 hackers (post#13) now there is 6 spyware and 4 hackers so far. Last edited by grassi; 01-17-2006 at 06:25 AM.

01-17-2006, 06:55 AM	#24 (permalink)
grassi TSF Enthusiast Join Date: Dec 2005 Location: upstate, n.y. Posts: 935 OS: xp pro, sp3 My System	think this might be better microbell it looks like its gone just want to make sure before re registering dll. Also please note your directions are very clear, im just learnin. Also apologize for any newbish questions. but heres one in my computer c:\ i have an old file its a red circle with white x through it. i believe its an old kill box file the date december 22 thats the date of old smittfraud variant. can i delete along with another folder that is labeled !killbox it contains the f3initial set up, (when i place my cusrsor over this folder). also in properties for this folder it contains 2 files 1 folder?? At the end of course, just to keep on top of everything and clean?? Incident Status Location Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[1].txt Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@burstnet[2].txt Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@realmedia[1].txt Potentially unwanted tool:Application/FunWeb Not disinfected C:\!KillBox\f3initialsetup1.0.0.15.inf Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[1].txt Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@burstnet[2].txt Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@realmedia[1].txt Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Owner\Desktop\emergency!!\smitRem\Process.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Owner\Desktop\emergency!!\smitRem.exe[Process.exe] Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe Last edited by grassi; 01-17-2006 at 07:09 AM.

01-18-2006, 05:07 AM	#25 (permalink)
grassi TSF Enthusiast Join Date: Dec 2005 Location: upstate, n.y. Posts: 935 OS: xp pro, sp3 My System	also can i repeat my steps and start this fix over i already typed regsvr32 occache.dll and deleted that regedit number. can i be sure everything is done together again???ankotherwords do this over all in one shot. Now that i got the newbish part out of it. also movin this thread up. Last edited by grassi; 01-18-2006 at 05:11 AM.

01-18-2006, 01:10 PM	#26 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	There's no need to start over. The files are gone. C:\!KillBox <--delete that folder. It's just a KILLBOX backup folder. The rest of the entrys that Panda picked up are of no concern. They are just cookies and some of the exe's for the tools we used. Post another Hijackthis log and the log from the scan below and let me know how things are running. Perform an online scan with Internet Explorer with Kaspersky WebScanner Next Click on Launch Kaspersky Anti-Virus Web Scanner You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Standard Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. Take note the names and locations of any file it detects but fails to clean. * Turn off the real time scanner of any existing antivirus program while performing the online scan __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

01-18-2006, 02:27 PM	#27 (permalink)
grassi TSF Enthusiast Join Date: Dec 2005 Location: upstate, n.y. Posts: 935 OS: xp pro, sp3 My System	okay microbell thanks again for everything i know im a pain in the @#$, my ears are ringing over here But appreciate all you guys have done. I said to tetonbob he will here from me with a donation as i say to you its tight right now but my donation will see you soon oh yeah this is hjt my version however did not come up V1.99.1 just to make sure?????? Scan saved at 4:19:23 PM, on 1/18/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\windows\system\hpsysdrv.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\ps2.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\Explorer.EXE C:\Program Files\HijackThis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128469640765 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe (file missing) KASPERSKY ------------------------------------------------------------------------------- KASPERSKY ON-LINE SCANNER REPORT Wednesday, January 18, 2006 16:17:58 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky On-line Scanner version: 5.0.67.0 Kaspersky Anti-Virus database last update: 18/01/2006 Kaspersky Anti-Virus database records: 161305 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: standard Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ E:\ F:\ G:\ H:\ I:\ Scan Statistics: Total number of scanned objects: 62055 Number of viruses found: 0 Number of infected objects: 0 Number of suspicious objects: 0 Duration of the scan process: 2849 sec No malware has been detected. The sections that have been scanned are CLEAN. Scan process completed.

01-18-2006, 05:21 PM	#28 (permalink)
grassi TSF Enthusiast Join Date: Dec 2005 Location: upstate, n.y. Posts: 935 OS: xp pro, sp3 My System	also this new killbox with f3 initial setup in c:/, may i delete along with any findings of kill box or kaspersky from clicking on start then search??? Is this a good way to remove unneeded stuff such as these 2 (i dont think i need these things lurking)??? oh yeah, i uninstalled cc cleaner, because i thought this brought back those search findings of weatherbug. so i guess ill do the same (search option to delete) and delete any findings? Thanks again. Last edited by grassi; 01-18-2006 at 05:25 PM.

01-18-2006, 07:11 PM	#29 (permalink)
MicroBell Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter Join Date: Sep 2004 Location: Carmichaels, PA-USA Posts: 6,963 OS: Windows 7	Yes you can delete those tools if you like. Your logs are clean. Any more issues? If not you should be good to go. We still have a few more items to address so please follow the instructions below. Reset hidden/system files and folders Windows XP =============== Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide file extensions for known types option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Windows 2000 =============== Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Select the Advanced settings box option. Select the Hidden files Folders. Deselect the Show all files option. Click Yes to confirm. Click OK. Windows ME =============== Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Deselect the Show hidden files and folders option. Select the Hide protected operating system files option. Click Yes to confirm. Click OK. Windows 95/98/98SE =============== Open My Computer. Select the View Select the Folder Options option. Select the View tab. option. Select the Advance Advanced settings box option. Select the Hidden files folder. Deselect the Show all files option Click Apply to confirm. Click OK. Create a new System Restore point Windows XP =============== Click Start >> Run - type SYSDM.CPL & press Enter Select the System Restore Tab Tick on the checkbox - "Turn off System Restore on all drives" Click Apply Then untick the same checkbox & click OK This deletes ALL restore points that had the infection and creates a clean one Windows ME =============== Click the Start tab. Select the Settings option. Select the Control Panel option. Double Click the System icon Performance tab option. Select File System Select the Troubleshooting tab Check the Disable System Restore box Click Apply to confirm. Click OK. Reboot the PC and repeat the above procedure again When you get to this option Uncheck the Disable System Restore box For Windows ME..we MUST create a new restore point now as Windows ME will not create one automatically until the computer has been on for 10 hours or 24 hours has passed. To create a new restore point follow the procedure below. Click the Start button. Point to Programs, point to Accessories, point to System Tools, and then click System Restore. Choose Create a restore point, and then click Next. In the Restore point description box, type a name for your restore point, and then click Next. Click OK Enable Windows Auto Update Go to Start>Run - type wuaucpl.cpl Tick on the checkbox - "Keep my computer up to date" Under settings, choose "Automatically download the updates, and install them on the schedule that I specify". Click on "OK". Please visit Microsoft's Window's Update Page and install the latest service packs, patch’s and security updates for your system. Recommended Protection Programs Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs: SpywareBlaster to help prevent spyware from installing in the first place. SpywareGuard to catch and block spyware before it can execute. IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email. WinPatrol to monitor any changes that programs make to the registry. If you do not have a firewall, here are 4 free ones available for personal use: ZoneAlarm Avast Antivirus/firewall Tiny Personal Firewall OutPost Firewall In today’s world you MUST have an Antivirus program. If you do not have one, here are 3 FREE ones available for personal use: Grisoft AVG Anti-Virus System Alwil Avast 4 Home Edition Softwin BitDefender Free Edition Version 8 In light of your recent issue, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles HOW DID I GET INFECTED IN THE FIRST PLACE? THE ANTI-SPYWARE TUTORIAL MAKING INTERNET EXPLORER SAFER Please stay safe out there and take the helpful advice that’s been given. The goal here is to prevent the adware/spyware/virus/worms from getting on the system in the first place. Please respond to this thread one more time so we can mark this thread as resolved. __________________ We Are The BORG Spyware KILLER and Adware Destroyer! Spyware/Adware Removal Tools Hijackthis Ad-aware SE Spybot Search&Destroy SpywareBlaster CWShredder

01-18-2006, 09:07 PM	#30 (permalink)
grassi TSF Enthusiast Join Date: Dec 2005 Location: upstate, n.y. Posts: 935 OS: xp pro, sp3 My System	Oh Crap I Was Suppose To Create A Restore Point But In Confusion With What I Have Going On And I Apologize I Went Back In Time, What Do I Do..... Last edited by grassi; 01-18-2006 at 09:23 PM.

01-18-2006, 09:47 PM	#31 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,557 OS: WinXP and Vista	Hello grassi, Are you saying you actually did a System Restore to an earlier date just now? If so, click Start>All Programs>Accessories>System Restore. Click the circle that says 'Undo my last Restoration'. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

01-18-2006, 09:52 PM	#32 (permalink)
grassi TSF Enthusiast Join Date: Dec 2005 Location: upstate, n.y. Posts: 935 OS: xp pro, sp3 My System	im pretty sure reid how can i tell i was in a state of confusion. to be more specific than recent post, i followed your inst. under create a new sytem restore point .......Reboot the PC and repeat the above procedure again When you get to this option Uncheck the Disable System Restore box .......................... Click the Start button. Point to Programs, point to Accessories, point to System Tools, and then click System Restore. ......WELL from there i just hit next which was the option already checked which was "store my computer to an earlier time." just clicked next till it automatically rebooted then on reboot it said restoring system to an earlier time. Im sorry remember earlier when i said my girlfriend would flip about weatherbug and search assistant etc well she saw my posts and IT WAS ON. sorry i was trying to get through that last part. It was brutal over here boy whhoooow. Last edited by grassi; 01-18-2006 at 10:03 PM.

01-18-2006, 10:55 PM	#33 (permalink)
grassi TSF Enthusiast Join Date: Dec 2005 Location: upstate, n.y. Posts: 935 OS: xp pro, sp3 My System	man i cant take it anymore. while i was waiting i decided to play a game enemy territory when not even two minutes into it, it crashed then screen went black with a pop up. It had a yellow yield symbol with an ! in the middle anyway it said "the vtdisp display has stopped working normally save your work and reboot the system to restore full display functionality. The next time you reboot machine a dialog will be displayed giving you an option to upload data about this failure to microsoft". which i did, and i have result page from problem minimized. here is a quick look.... An analyst at Microsoft has investigated this problem and determined that an unknown error occurred in ShopAtHomeSelect. This software was created by S3 Graphics Inc..i have been playing this game for a while now never any problems. this must be from past restore problem??? what do i do besides slow down Last edited by grassi; 01-18-2006 at 11:02 PM.

01-18-2006, 11:17 PM	#34 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,557 OS: WinXP and Vista	Yes, slow down a bit. Did you follow my instructions to 'Undo the last System Restore'? __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

01-19-2006, 05:10 AM	#35 (permalink)
grassi TSF Enthusiast Join Date: Dec 2005 Location: upstate, n.y. Posts: 935 OS: xp pro, sp3 My System	no because i wasnt even positive which one i hit. should i just rerun kaspersky and panda as instructed in begining of fix. Last edited by grassi; 01-19-2006 at 05:27 AM.

01-19-2006, 05:41 AM	#36 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,557 OS: WinXP and Vista	First, try to undo your last System Restore. Follow the instructions I gave you about 5 posts up. If you can't undo the last Restore, then repeat Microbell's instructions in post #22 of this thread. Then run a scan with Panda and post the results here along with a new HijackThis log. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

01-19-2006, 05:52 AM	#37 (permalink)
grassi TSF Enthusiast Join Date: Dec 2005 Location: upstate, n.y. Posts: 935 OS: xp pro, sp3 My System	hello ried and thank you. your a life saver. Im sure microbell is furious. okay i undid my last restore point should i rescan or follow microbells post #22 to make sure those problems are still gone. I promise not to be so careless next time for i had some sleep. Im trying to stay on my chair for you guys. Last edited by grassi; 01-19-2006 at 05:53 AM.

01-19-2006, 06:22 AM	#38 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,557 OS: WinXP and Vista	Let's just do the Panda scan for now so I can see where we're at here. Post those results along with a new HijackThis log. __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

01-19-2006, 07:36 AM	#39 (permalink)
grassi TSF Enthusiast Join Date: Dec 2005 Location: upstate, n.y. Posts: 935 OS: xp pro, sp3 My System	thanks ried here is my panda scan log, as it found numerous spyware (more than the past scans with microbell) Incident Status Location Adware:adware/adwhere Not disinfected Windows Registry Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[1].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@belnk[2].txt Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@bravenet[1].txt Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@burstnet[2].txt Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ccbill[1].txt Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@cgi-bin[1].txt Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@cs.sexcounter[2].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@dist.belnk[2].txt Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@fortunecity[1].txt Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@i.screensavers[1].txt Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@realmedia[2].txt Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@rn11[2].txt Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@statcounter[1].txt Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.burstbeacon[1].txt Potentially unwanted tool:Application/FunWeb Not disinfected C:\!KillBox\f3initialsetup1.0.0.15.inf Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[1].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@belnk[2].txt Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@bravenet[1].txt Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@burstnet[2].txt Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ccbill[1].txt Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@cgi-bin[1].txt Spyware:Cookie/cs.sexcounter Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@cs.sexcounter[2].txt Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@dist.belnk[2].txt Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@fortunecity[1].txt Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@i.screensavers[1].txt Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@realmedia[2].txt Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@rn11[2].txt Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@statcounter[1].txt Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.burstbeacon[1].txt Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Owner\Desktop\emergency!!\smitRem\Process.exe Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\HP_Owner\Desktop\emergency!!\smitRem.exe[Process.exe] Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe ....................................................................................................... Logfile of HijackThis v1.99.1 Scan saved at 9:33:39 AM, on 1/19/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\LEXPPS.EXE C:\Program Files\ewido\security suite\ewidoctrl.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\WINDOWS\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe C:\windows\system\hpsysdrv.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\WINDOWS\system32\ps2.exe C:\Program Files\HP\HP Software Update\HPWuSchd2.exe C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Messenger\msmsgs.exe C:\WINDOWS\Explorer.EXE C:\Program Files\HijackThis\HijackThis.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1128469640765 O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe (file missing) i think its a mess???? how about you????

01-19-2006, 08:00 AM	#40 (permalink)
Ried Assistant Manager, TSF Academy; Moderator/Analyst Security Team Join Date: Jan 2005 Location: Ohio Posts: 26,557 OS: WinXP and Vista	Not a mess at all--you're in great shape. Panda is only reporting cookies present on your system--which will always accumulate when you browse the internet. Open Internet Explorer, click on Tools>Internet Options>then click on the button that says 'delete cookies'. The other entries are the tool we used to clean your system previously, and one of Hewlett Packards files--they are nothing to worry about. Now, let's clear out those previous restore points so we don't have to go through this again. Take your time in performing this step. Just do exactly what what I have listed here: Create a new System Restore point Click Start >> Run - type SYSDM.CPL & press Enter * Select the System Restore Tab * Tick on the checkbox - "Turn off System Restore on all drives" Click Apply * Then untick the same checkbox & click OK A new restore point will be created automatically at this time. This will prevent any reinfection from previous restore points. You're good to go now grassi. You have the programs necessary to protect yourself pretty well. Use them! Scan with AdAware and Spybot weekly and let those programs do the fixing of anything found--that's what they're designed for. Make sure you update the definitions file of both of those regularly. The same applies to your Anti-Virus program--keep the definitions data base updated and perform regular scans. Perform online scans periodically as well. Take the time to look through the report before getting nervous about any findings. In the future, you'll only need a review by us if there is anything in those reports other than cookies, or the tools we've used (smitRem.exe). For a general checkup, I would suggest posting a HijackThis log, along with any Panda scan results--roughly once a month (for your peace of mind ) __________________ Member of ASAP since 2005 Member of UNITE since 2006 "It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."