mfisher
Posted February 18, 2006

Hi, I've never done this before so I hope I'm in the right place. I'm yet another person trying to remove sweepstakes.com with no luck so far. I have run HijackThis and the log file is below. Can anyone help??? I'm desperate!

Logfile of HijackThis v1.99.1
Scan saved at 12:39:56 PM, on 18/02/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\NavNT\vptray.exe
C:\winnt\system32\xau.exe
C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
C:\program files\common files\system\ms1src.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\winnt\system32\owsyphaq.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT
F3 - REG:win.ini: run=c:\winnt\system32\cddrv32.exe
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINNT\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [xau] c:\winnt\system32\xau.exe /nocomm
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe
O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [OWSYPHAQ] c:\winnt\system32\owsyphaq.exe /install
O4 - HKCU\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/
O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/Live...ervice_3_EN.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ACCESS_1056.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Thanks....
Dan
Posted February 19, 2006

Hi,

Please download the Blaster.C removal tool from here, and save it to your desktop.
Close all windows and run "FixBlast.exe".
Click the "Start" button and let the tool run.
Reboot, and run the tool again.

Download Brute Force Uninstaller.
Unzip it to its own folder (e.g. c:\BFU)

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download EGDACCESS Remover. Save it in the folder you made earlier (e.g. c:\BFU)

Copy the text below into notepad and save it to the desktop as findEGDA.vbs
Make sure "Save as Type" says "All files (*.*)"

Dim Wshshell, fso, ts, R, ArrR, i, F
Const ForReading = 1
Set Wshshell = Wscript.CreateObject("Wscript.Shell")
Set fso = Wscript.CreateObject("Scripting.FilesystemObject")
' Export the HKLM Run key to runnow.txt in the current folder (the desktop).
Wshshell.run "regedit /a /e runnow.txt HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
' regedit runs asynchronously, so wait until the export file exists.
Do until fso.FileExists("runnow.txt")
    Wscript.sleep 100
Loop
Set ts = fso.OpenTextFile("runnow.txt", ForReading)
Do while not ts.AtEndOfStream
    R = ts.Readall
Loop
ts.close
' Undo the .reg escaping (doubled backslashes, quoted values), then split into lines.
R = Replace(R, "\\", "\")
R = Replace(R, Chr(34), "")
ArrR = Split(R, vbcrlf)
' Any Run value ending in "-start" is the EGDACCESS loader; run it with "-uninstall" instead.
For i = 0 to Ubound(ArrR)
    F = Lcase(right(ArrR(i), 6))
    If F = "-start" Then
        ArrR(i) = Replace(ArrR(i), "-start", "-uninstall")
        ArrR(i) = Mid(ArrR(i), Instr(ArrR(i), "=") + 1)
        MsgBox ArrR(i)
        Wshshell.Run ArrR(i)
    End If
Next
Set ts = nothing
Set fso = nothing
Set Wshshell = nothing

Go to the desktop and double-click the file to run it. If you have a resident script blocker it may warn you about or stop the vbs script. Please allow it, it is harmless.
You will get a prompt looking like this
c:\windows\system32\random.exe -uninstall
Click OK to execute that command.
You will be prompted if you are sure you want to uninstall. Confirm.
After a little while you will get a prompt the application was removed.

Start the Brute Force Uninstaller by double-clicking BFU.exe
In the scriptline to execute copy and paste c:\bfu\EGDACCESS.bfu
Press execute and let it do its job.
Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

Reboot and post a new HijackThis log.

Danny
mfisher (Author)
Posted February 21, 2006

Hi Danny,

Thanks for your quick reply. I followed your instructions but when I ran the vbs script it didn't give me the prompts you talked about. All I could see it do was create a file on the desktop called runnow.txt which I have pasted below.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"NvCplDaemon"="RUNDLL32.EXE NvQTwk,NvCplDaemon initialize"
"nwiz"="nwiz.exe /install"
"Smapp"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smtray.exe"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"xau"="c:\\winnt\\system32\\xau.exe /nocomm"
"DSLAGENTEXE"="C:\\Program Files\\AAPT\\Adsl\\dslagent.exe"
"Cddrv32"="c:\\winnt\\system32\\cddrv32.exe"
"BO1HelperStartUp"="C:\\PROGRA~1\\BUTTER~1\\BO1HEL~1.EXE /partner BO1"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AQ3HelperStartUp"="C:\\PROGRA~1\\AQUATI~1\\AQ3HEL~1.EXE /partner AQ3"
"ms1src"="c:\\program files\\common files\\system\\ms1src.exe /install"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"OWSYPHAQ"="c:\\winnt\\system32\\owsyphaq.exe /install"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

Anyhoo I pressed on with your instructions and got the following HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 06:58:43 PM, on 21/02/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\NavNT\vptray.exe
C:\winnt\system32\xau.exe
C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\program files\common files\system\ms1src.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT
F3 - REG:win.ini: run=c:\winnt\system32\cddrv32.exe
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINNT\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - (no file)
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [xau] c:\winnt\system32\xau.exe /nocomm
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe
O4 - HKLM\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe
O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [OWSYPHAQ] c:\winnt\system32\owsyphaq.exe /install
O4 - HKCU\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/
O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/Live...ervice_3_EN.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ACCESS_1056.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

What now? Thanks again for your help - I really appreciate it.
Dan
Posted February 22, 2006

Hi,

Please download the Killbox by Option^Explicit.
Note: In the event you already have Killbox, this is a new version that I need you to download. Save it to your desktop.

Please double-click Killbox.exe to run it.
Select "Delete on Reboot", then click on the "All Files" button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

c:\winnt\system32\xau.exe
c:\winnt\system32\cddrv32.exe
c:\program files\common files\system\ms1src.exe
c:\winnt\system32\owsyphaq.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "OK" at any PendingRenameOperations prompt.
If your computer does not restart automatically, please restart it manually.

Please run HijackThis and click "Scan." Place checks next to the following entries (If Present):

F3 - REG:win.ini: run=c:\winnt\system32\cddrv32.exe
O2 - BHO: (no name) - {008DB894-99ED-445D-8547-0E7C9808898D} - C:\WINNT\mslagent\4b_1,0,1,2_mslagent.dll (file missing)
O2 - BHO: (no name) - {E539DEA3-BA67-4F1F-A897-5F2F4F29A063} - (no file)
O4 - HKLM\..\Run: [xau] c:\winnt\system32\xau.exe /nocomm
O4 - HKLM\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O4 - HKLM\..\Run: [OWSYPHAQ] c:\winnt\system32\owsyphaq.exe /install
O4 - HKCU\..\Run: [Cddrv32] c:\winnt\system32\cddrv32.exe
O16 - DPF: {14325268-79E0-4D2A-89A4-FFFC6E22741E} - http://akamai.downloadv3.com/binaries/Live...ervice_3_EN.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...etup1.0.0.6.cab
O16 - DPF: {3446598E-00E4-4B5E-99A6-87ECCA8324A2} - http://akamai.downloadv3.com/binaries/EGDA...ACCESS_1056.cab

Close all windows and browsers except HijackThis, and click the "Fix Checked" button. Close HijackThis.

Please go HERE to run Panda's ActiveScan
Once you are on the Panda site click the Scan your PC button
A new window will open... click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Reboot and post a new HijackThis log as well as the ActiveScan Report.

Danny
mfisher (Author)
Posted March 1, 2006

Hi Danny,

Here are the log files you requested. Thanks again for all your help.

Cheers,
Matt

Logfile of HijackThis v1.99.1
Scan saved at 07:40:46 PM, on 01/03/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\NavNT\vptray.exe
C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\program files\common files\system\ms1src.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe
O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Panda ActiveScan report:

Incident | Status | Location
Adware:Adware/Gator | Not disinfected | C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
Adware:Adware/Gator | Not disinfected | C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
Spyware:Spyware/Dluca | Not disinfected | C:\program files\common files\system\ms1src.exe
Adware:Adware/Gator | Not disinfected | C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE
Adware:Adware/Gator | Not disinfected | C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE
Adware:adware/navipromo | Not disinfected | C:\WINNT\SYSTEM32\Mservice.dll
Adware:adware/dluxde | Not disinfected | C:\PROGRAM FILES\linksw
Potentially unwanted tool:application/regclean32 | Not disinfected | C:\PROGRAM FILES\Registry Cleaner Trial
Adware:adware/gator | Not disinfected | C:\PROGRAM FILES\COMMON FILES\GMT
Spyware:spyware/dluca | Not disinfected | Windows Registry
Potentially unwanted tool:application/mywebsearch | Not disinfected | HKEY_CLASSES_ROOT\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
Dialer:dialer.b | Not disinfected | HKEY_CLASSES_ROOT\Interface\{F8ACA5A0-060A-478A-8368-1407780D2251}
Spyware:Cookie/PointRoll | Not disinfected | C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/Apmebf | Not disinfected | C:\Documents and Settings\Administrator\Cookies\scottg@apmebf[1].txt
Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\Administrator\Cookies\scottg@atdmt[2].txt
Spyware:Cookie/QkSrv | Not disinfected | C:\Documents and Settings\Administrator\Cookies\scottg@qksrv[2].txt
Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Administrator\Cookies\scottg@statcounter[1].txt
Spyware:Spyware/Dluca | Not disinfected | C:\!KillBox\ms1src.exe
Possible Virus. | Not disinfected | C:\!KillBox\xau.exe
Spyware:Cookie/PointRoll | Not disinfected | C:\Documents and Settings\Administrator\Cookies\[email protected][2].txt
Spyware:Cookie/Apmebf | Not disinfected | C:\Documents and Settings\Administrator\Cookies\scottg@apmebf[1].txt
Spyware:Cookie/Atlas DMT | Not disinfected | C:\Documents and Settings\Administrator\Cookies\scottg@atdmt[2].txt
Spyware:Cookie/QkSrv | Not disinfected | C:\Documents and Settings\Administrator\Cookies\scottg@qksrv[2].txt
Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Administrator\Cookies\scottg@statcounter[1].txt
Spyware:Cookie/Belnk | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\Cookies\scottg@belnk[2].txt
Dialer:Dialer.Gen | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\dia6.exe
Dialer:Dialer.CE | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\ICD1.tmp\netslv32.inf
Adware:Adware/SafeSearch | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_124.tmp
Adware:Adware/SafeSearch | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_208.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_21C.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_26C.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_384.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_398.tmp
Adware:Adware/SafeSearch | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3B0.tmp
Adware:Adware/SafeSearch | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3C8.tmp
Adware:Adware/SafeSearch | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3D4.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3EC.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3F0.tmp
Adware:Adware/SafeSearch | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_3F8.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_418.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_424.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_444.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_45C.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_464.tmp
Adware:Adware/SafeSearch | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_470.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_478.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_484.tmp
Adware:Adware/SafeSearch | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_488.tmp
Adware:Adware/SafeSearch | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_504.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_50C.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_510.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_514.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_518.tmp
Adware:Adware/SafeSearch | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_51C.tmp
Adware:Adware/SafeSearch | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_528.tmp
Adware:Adware/SafeSearch | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_52C.tmp
Adware:Adware/SafeSearch | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_534.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_538.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_53C.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_540.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_544.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_548.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_54C.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_550.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_554.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_558.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_55C.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_560.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_564.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_568.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_56C.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_570.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_574.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_578.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_57C.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_580.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_584.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_588.tmp
Adware:Adware/SafeSearch | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_58C.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_590.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_594.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_598.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_59C.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5A4.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5A8.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5AC.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5B0.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5B4.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5B8.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5BC.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5C0.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5C8.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5CC.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5D4.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5D8.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_5E8.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_608.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_60C.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\lf_62C.tmp
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\ss596.exe
Spyware:Spyware/Dluca | Not disinfected | C:\Documents and Settings\Administrator\Local Settings\Temp\wnk8cf.exe
Possible Virus.
Not disinfected C:\Documents and Settings\Administrator\My Documents\Merrijig\blondes_au.exe Adware:Adware/SLAgent Not disinfected C:\HJT\backups\backup-20060301-182840-992.dll Potentially unwanted tool:Application/FunWeb Not disinfected C:\HJT\backups\backup-20060301-182841-421.inf Adware:Adware/Gator Not disinfected C:\Program Files\Aquatica Waterworlds\AQ3Helper.exe Adware:Adware/Gator Not disinfected C:\Program Files\Butterfly Oasis Screensaver\BO1Helper.exe Adware:Adware/Gator Not disinfected C:\Program Files\Butterfly Oasis Screensaver\BO1Uninstaller.exe Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\CMEIIAPI.dll Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GAppMgr.dll Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GController.dll Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GDwldEng.dll Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GIocl.dll Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GIoclClient.dll Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GMTProxy.dll Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GObjs.dll Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GStore.dll Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\GStoreServer.dll Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\CMEII\Gtools.dll Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\dlaerhjl\drtanjneaj\tanpcalhl.exe Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\dlaerhjl\fjlalbaa\lcnbcbed.exe Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\EGGCEngine.dll Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\egIEEngine.dll Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\EGIEProcess.dll Adware:Adware/Gator Not disinfected 
C:\Program Files\Common Files\GMT\GatorStubSetup.exe Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\GMT.exe Adware:Adware/Gator Not disinfected C:\Program Files\Common Files\GMT\gtrawbm.fil Spyware:Spyware/Dluca Not disinfected C:\Program Files\Common Files\System\ms1src.exe Adware:Adware/Gator Not disinfected C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\wclmaeyq.exe Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\xkaruswm.exe Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\xnsdbgke.exe Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\ycjeqxlk.exe Spyware:Spyware/Dluca Not disinfected C:\WINNT\system32\ydfyeoui.exe Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\yrgwzhrl.exe Virus:Trj/Downloader.gen Disinfected C:\WINNT\system32\zvfcerla.exe Link to post Share on other sites
Matt Posted March 9, 2006

Hi Ineedsanswers, I will be taking over for Danny as he will be out for a few days. Sorry for the delay.

Since it has been a while since your last post, let's run a few things.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download ewido anti-malware; it is a free version of the program.
Install ewido anti-malware. When installing, under "Additional Options" uncheck:
Install background guard
Install scan via context menu

Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click Update.
Then click on Start Update.
The update will start and a progress bar will show the updates being installed. (The status bar at the bottom will display "Update successful".)
If you are having problems with the updater, you can use this link to manually update ewido: ewido manual updates

Once the updates are installed do the following:
Click on Scanner.
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

Now, please reply back with the Ewido Report, and a new HJT log.

Matt
mfisher (Author) Posted March 16, 2006

Hi Matt,

Thanks for taking over from Danny, I really appreciate it. What you got me to do seemed to solve the problem - for now anyway, but I'll post the logs in case there is anything else you think I should do. Things like this sometimes seem to re-appear.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 06:59:16 PM, 16/03/2006
+ Report-Checksum: 4823F11

+ Scan result:

HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring -> Adware.NaviPromo : Cleaned with backup
HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring\CLSID -> Adware.NaviPromo : Cleaned with backup
HKLM\SOFTWARE\Classes\NaviPromo.EGNaviScoring.1 -> Adware.NaviPromo : Cleaned with backup
HKU\S-1-5-21-484763869-299502267-839522115-500\Software\PrimeSoft -> Adware.SafeSearch : Cleaned with backup
HKU\S-1-5-21-484763869-299502267-839522115-500\Software\PrimeSoft\qsearch -> Adware.SafeSearch : Cleaned with backup
[1284] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE -> Adware.Gator : Cleaned with backup
[1360] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE -> Adware.Gator : Cleaned with backup
C:\!KillBox\ms1src.exe -> Downloader.Dluca.ci : Cleaned with backup
C:\HJT\backups\backup-20060301-182840-992.dll -> Downloader.Wintrim.ax : Cleaned with backup
C:\Program Files\Aquatica Waterworlds\AQ3Helper.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Butterfly Oasis Screensaver\BO1Helper.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Butterfly Oasis Screensaver\BO1Uninstaller.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Butterfly Oasis Screensaver\ButterflyOasis.exe -> Adware.GAINNetwork : Cleaned with backup
C:\Program Files\Common Files\CMEII\CMEIIAPI.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GAppMgr.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GController.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GDwldEng.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GIoclClient.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GMTProxy.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\CMEII\GObjs.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\dlaerhjl\drtanjneaj\tanpcalhl.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\dlaerhjl\fjlalbaa\lcnbcbed.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\GMT\EGIEProcess.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\GMT\GatorStubSetup.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\GMT\GMT.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\GMT\gtrawbm.fil -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\GMT\GUninstaller.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\System\ms1src.exe -> Downloader.Dluca.ci : Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\WINNT\system32\ydfyeoui.exe -> Downloader.Dluca : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 07:06:33 PM, on 16/03/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe
O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Matt Posted March 16, 2006

Welcome back! You're almost clean, just a few things left to do.

Scan with HJT and place a check next to the following items:
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
Then, make sure all browser windows and other applications are closed, and click the Fix Checked button.

Boot into Safe Mode: Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Once in safe mode, find and delete the following folder:
C:\PROGRA~1\AQUATI~1\

Now, find and delete the following file:
c:\program files\common files\system\ms1src.exe

Reboot your computer normally, rescan with HJT, and post a new log.
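The back-and-forth above is, at bottom, a diff of HijackThis autostart entries (O4 Run keys, startup folders, O23 services) between two scans. The Python below is an added example written for this page, not a tool from the thread or from HijackThis itself: it parses the O4/O23 line formats seen in the logs above into structured records, reports which entries disappeared or appeared between a "before" and "after" log, and extracts the bare executable path from a command line so an entry can be located on disk (as with the ms1src.exe file the helper asked to be deleted). The two sample logs are constructed from a handful of lines copied out of the March 16 and April 4 logs in this thread; the `~1` short-name flagging is a triage heuristic of my own, not a verdict.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    section: str   # HijackThis section code, e.g. "O4" or "O23"
    location: str  # registry hive, startup folder, or "Service"
    name: str      # Run value name, shortcut name, or service display name
    command: str   # command line or binary as HijackThis printed it


# Line formats as they appear in HijackThis v1.99 logs (see the logs in this thread).
RUN_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global |User )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.*)$")
# First token that ends in an executable-ish extension, followed by whitespace or end of line.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|ocx|scr|lnk))(?=\s|$)", re.IGNORECASE)

# Constructed sample: O4/O23 lines copied from the March 16 log (before the HJT fix) ...
BEFORE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [AQ3HelperStartUp] C:\PROGRA~1\AQUATI~1\AQ3HEL~1.EXE /partner AQ3
O4 - HKLM\..\Run: [ms1src] c:\program files\common files\system\ms1src.exe /install
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
"""
# ... and the same lines as they stand in the April 4 log (after the fix).
AFTER_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
"""


def parse_hjt(text):
    """Return the O4 (Run key / startup folder) and O23 (service) entries in a log; other sections are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line) or STARTUP_RE.match(line)
        if m:
            entries.append(Entry("O4", m["hive"], m["name"], m["cmd"]))
            continue
        m = SERVICE_RE.match(line)
        if m:
            entries.append(Entry("O23", "Service", m["name"], m["cmd"]))
    return entries


def executable_path(command):
    """Strip arguments (and surrounding quotes) from a command line, leaving the binary path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ", 1)[0]


def diff_logs(before_text, after_text):
    """Entries present only in the earlier log (removed) and only in the later log (added)."""
    before = set(parse_hjt(before_text))
    after = set(parse_hjt(after_text))
    return before - after, after - before


def find_entries(text, fragment):
    """Entries whose executable path contains the given fragment (case-insensitive)."""
    needle = fragment.lower()
    return [e for e in parse_hjt(text) if needle in executable_path(e.command).lower()]


def short_name_entries(text):
    """Heuristic triage only: entries whose path uses DOS 8.3 names (PROGRA~1) deserve a second look."""
    return [e for e in parse_hjt(text) if re.search(r"~\d", executable_path(e.command))]


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    for e in sorted(removed, key=lambda e: e.name):
        print(f"removed {e.section} [{e.name}] -> {executable_path(e.command)}")
    for e in sorted(added, key=lambda e: e.name):
        print(f"added   {e.section} [{e.name}] -> {executable_path(e.command)}")
```

Running it lists the two Run entries the helper asked to be fixed (AQ3HelperStartUp and ms1src) as removed and nothing as added, which is the same conclusion the helper reached by eye in the next post. Comparing sets of whole entries rather than just names means a Run value whose command line changed between scans shows up as one removal plus one addition, which is usually the more useful reading.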
Matt Posted March 30, 2006

Inactive topic... If you still need help on this problem, contact me or one of the Moderators to re-open this up.

Topic closed.
Matt Posted April 4, 2006

Reopened per User Request
mfisher (Author) Posted April 5, 2006

Reopened per User Request

Hi Matt,

Thanks for re-opening this topic. There has been no re-occurrence of the problem but I've followed your instructions (somewhat belatedly) as requested. However I was unable to remove the file c:\program files\common files\system\ms1src.exe as it didn't seem to exist. I did the rest of the stuff though, no probs. Here is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 07:49:55 PM, on 04/04/2006
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aapt.net.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AAPT
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\AAPT\Adsl\dslagent.exe
O4 - HKLM\..\Run: [bO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aapt.net.au/
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - https://delphiplus.ap.joneslanglasalle.com/...plus/msddsc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Matt Posted April 5, 2006

Congrats! Your log is clean!

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Firefox - Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox; however, Opera is good as well.

Spybot Search & Destroy - Uber-powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

SpywareBlaster - Great prevention tool to keep malware from installing on your system.

SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SpyAd - Puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

ATF Cleaner - Cleans temporary files from web browsers, and much more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein and this guide on safer computing.
mfisher (Author) Posted April 7, 2006

Thanks for all your help Matt, the computer is now so much easier to use. I'll pass on your suggestions to the main users of the computer and hopefully nothing like this happens again.

Cheers!
Matt Posted April 7, 2006

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.