heydc Posted May 19, 2006

Logfile of HijackThis v1.99.1
Scan saved at 9:23:40 PM, on 5/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\mgabg.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Fast.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\PDesk\PDesk.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\SCANJET\PrecisionScanPro\HPLamp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Installation Files\Spy Ware\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [updReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive2k\Program\AHQInit.exe
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\System32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HPGamesActiveMenu] C:\Program Files\WildTangent\ActiveMenu\HP\Games\ActiveMenu.exe
O4 - HKLM\..\Run: [HP Lamp] C:\SCANJET\PrecisionScanPro\HPLamp.exe
O4 - HKLM\..\Run: [ms2src] c:\program files\common files\system\ms2src.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyStartUp] C:\Program Files\Microsoft Money\System\Money Startup.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\QUICKEN2004\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\system32\RioMSC.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
jwbirdsong Posted May 23, 2006

First of all, you will need to print out this post and/or save a copy as a text file in Notepad; that way you have a hard copy of these instructions; you can not have IE/Firefox/any browser open during the fix.

Please download Ewido Anti Malware, it is a free version of the program.
- Install ewido security suite
- When installing the program, under "Additional Options" uncheck...
  - Install background guard
  - Install scan via context menu
- Launch ewido, there should now be an icon on your desktop, double-click it.
- The program will now open to the main screen.
- When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- You will need to update ewido to the latest definition files: On the left hand side of the main screen click update. Then click on Start Update.
- The update will start and a progress bar will show the updates being installed. (the status bar at the bottom will display "Update successful")
- Close Ewido
If you are having problems with the updater, you can use this link to manually update ewido: Ewido manual updates

Please run HijackThis and click "Scan." Place checks next to the following entries:
O4 - HKLM\..\Run: [ms2src] c:\program files\common files\system\ms2src.exe /install
Close all browser and other windows except for HijackThis, and click "Fix Checked".

Next, please reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
- Instead of Windows loading as normal, a menu should appear
- Select the first option, to run Windows in Safe Mode.
For additional help in booting into Safe Mode, see the following site: http://www.pchell.com/support/safemode.shtml

Start Ewido Anti-Malware
- Click on scanner. (Note: Do not start any programs or open any windows while Ewido is scanning)
- Click on Complete System Scan, the scan will now begin.
- While the scan is in progress you will be prompted to clean files, click OK.
- When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
- Once the scan has completed, there will be a button located at the bottom of the screen named Save Report. Click Save Report.
- Now save the report .txt file to your desktop.
- Close Ewido

When Ewido is finished scanning; reboot back to normal mode and run this online virus scan: (MUST use IE) ActiveScan
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
  - Enter your Country
  - Enter your State/Province
  - Enter your e-mail address and click send (*NOTE it's perfectly safe to do so..You will NOT be spammed from this)
  - Select either Home User or Company
- Click the big Scan Now button
- If/when you get a notice that Panda wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything is detected, click the See Report button, then Save Report and save it to a convenient location like your desktop..

Post
- The Ewido log
- A new HijackThis log
- Panda results
in your next reply here.
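The log posted above and the "place checks next to the following entries" step in the reply are both working with the HijackThis line format (a section code such as O4 or O23, then " - ", then a section-specific body). The following Python is an added example, not code from HijackThis or from anyone in this thread: it parses that format, splits O4 autostarts into registry hive/key, entry name and command, pulls the executable out of quoted and unquoted commands, and reports the entries a reviewer would look at first. The sample log is constructed from a few lines copied out of the posted log; the flagged-entry list holds the line the helper asked to have fixed. The triage rules (entry listed by the helper, target not resolvable, bare filename resolved through the search path, executable under a Temp directory) are this example's own choices, not HijackThis output.

```python
"""Parse a HijackThis 1.99 log and triage its autostart (O4) entries."""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ms2src] c:\program files\common files\system\ms2src.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
"""

# The entry the helper asked to have fixed (copied from the reply in this thread).
FLAGGED = [r"O4 - HKLM\..\Run: [ms2src] c:\program files\common files\system\ms2src.exe /install"]

LINE_RE = re.compile(r'^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$')
RUN_RE = re.compile(r'^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[A-Za-z]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
STARTUP_RE = re.compile(r'^Global Startup: (?P<name>.*?) = (?P<cmd>.*)$')
SERVICE_RE = re.compile(r'^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<cmd>.*)$')
# First executable-looking token, quoted or not; unquoted paths may contain spaces.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|scr|bat|cmd|pif))"?(?:\s|$)', re.I)
TEMP_RE = re.compile(r'\\(?:local settings\\)?temp\\', re.I)


@dataclass
class Entry:
    code: str                      # HijackThis section code, e.g. "O4" or "O23"
    name: str                      # entry name (Run value name, shortcut or service name)
    command: str                   # command line or path as printed in the log
    detail: dict = field(default_factory=dict)
    raw: str = ""                  # the original log line, used for exact matching


def parse_hjt(text):
    """Turn the text of a HijackThis log into a list of Entry objects."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if not m:                  # header lines, blank lines, "Running processes:" etc.
            continue
        code, body = m.group('code'), m.group('body')
        entry = Entry(code=code, name="", command=body, raw=line)
        if code == 'O4':
            r = RUN_RE.match(body)
            s = STARTUP_RE.match(body)
            if r:
                entry.name, entry.command = r.group('name'), r.group('cmd')
                entry.detail = {'hive': r.group('hive'), 'key': r.group('key')}
            elif s:
                entry.name, entry.command = s.group('name'), s.group('cmd')
                entry.detail = {'location': 'Global Startup'}
        elif code == 'O23':
            s = SERVICE_RE.match(body)
            if s:
                entry.name, entry.command = s.group('name'), s.group('cmd')
                entry.detail = {'vendor': s.group('vendor')}
        entries.append(entry)
    return entries


def executable_of(command):
    """Return the executable path from a command line, or None if there is none."""
    m = EXE_RE.match(command)
    return m.group('path') if m else None


def summary(entries):
    """Count entries per section code, e.g. {'O4': 6, 'O23': 1}."""
    counts = {}
    for e in entries:
        counts[e.code] = counts.get(e.code, 0) + 1
    return counts


def review(entries, flagged):
    """Return (entry, reason) pairs a reviewer should look at, in log order."""
    flagged_norm = {f.strip().lower() for f in flagged}
    findings = []
    for e in entries:
        if e.command.endswith('(no file)'):
            findings.append((e, 'orphaned entry: HijackThis could not find the target file'))
            continue
        if e.code != 'O4':
            continue
        exe = executable_of(e.command)
        if e.raw.lower() in flagged_norm:
            findings.append((e, 'listed for fixing by the helper'))
        elif exe is None:
            findings.append((e, 'target could not be resolved from the command'))
        elif '\\' not in exe and ':' not in exe:
            findings.append((e, 'bare filename: resolved via the search path, locate the file before trusting it'))
        elif TEMP_RE.search(exe):
            findings.append((e, 'runs from a Temp directory'))
    return findings


if __name__ == '__main__':
    parsed = parse_hjt(SAMPLE_LOG)
    print('sections:', summary(parsed))
    for entry, reason in review(parsed, FLAGGED):
        print(f'{entry.code} [{entry.name or "-"}] {entry.command}\n    -> {reason}')
```

Run against the full log above, the same code lists every Run-key and Global Startup item with its hive, which is the view a helper builds by hand before deciding which lines to check in "Fix Checked".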
heydc Posted May 24, 2006 Author

Here are the requested files. I could not run Panda - See error.
Ewido_Scan_report_June_23.txt
Panda_Scan.doc
05_24_hijackthis_log.txt
jwbirdsong Posted May 24, 2006

Would you try this one instead then please. Please perform this online scan: Kaspersky Webscan
0. Make sure to click button for ONLINE SCANNER and NOT File scanner
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer"
8. When the scan is complete choose to save the results as "Save as Text"
9. Post the Kaspersky scan results in your next reply together with a new hijackthis log.
heydc Posted May 28, 2006 Author

Here are the Kaspersky Scan results
06_28_Kaspersky_Scan.txt
jwbirdsong Posted May 28, 2006

Download KillBox http://www.downloads.subratam.org/KillBox.zip. Place it in a folder on your Desktop. Help with unzipping files is HERE

In the main screen of Pocket KillBox, go to Tools in the top menu bar, and select: Delete Temp Files. Use the drop down box and clear ALL profiles this way.

Back at the main Killbox screen check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Click the button marked ALL FILES (lower right of Killbox). Left click and drag cursor to highlight ALL files listed in the quote box below, right-click and choose Copy. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\Program Files\CrazyMates\KeenValueInstall.exe
C:\WINDOWS\celebri[1].exe
C:\WINDOWS\glam[1].exe
C:\WINDOWS\vip[1].exe
C:\Documents and Settings\Dave2\Application Data\Mozilla\Firefox\Profiles\nwdtkl5c.default\Cache\A30EF4A0d01
C:\Documents and Settings\Amy\Local Settings\Temp\lf_B68.tmp
C:\Documents and Settings\Dave2\Local Settings\Temp\lf_174.tmp
C:\Documents and Settings\Dave2\Local Settings\Temp\lf_948.tmp
:\Documents and Settings\Dave2\Local Settings\Temp\lf_DA4.tmp
C:\Documents and Settings\Dave2\Local Settings\Temp\lf_DE8.tmp
C:\Documents and Settings\Dave2\Local Settings\Temp\lf_F7C.tmp
C:\Documents and Settings\Dave2\Local Settings\Temp\lf_FF8.tmp

If you get a PendingOperations message, ignore/close it and restart your computer manually.

After reboot spend a little time browsing and then post a current HijackThis and any comments/concerns on how the computer is running.
jwbirdsong Posted June 13, 2006

Inactive topic... If you still need help on this problem, contact me or one of the Moderators to re-open this up.
Topic closed.