Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Computer Has Recently Becomeslow/slugish.


  • Please log in to reply
22 replies to this topic

#1 bigredlimo

bigredlimo

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 25 September 2007 - 12:01 AM

Computer has recently become slow/slugish.
Sometimes I get the following message: "stack overflow at line:51" or "stack overflow at line:78". I am not sure though if that what's causes the slugishness.
OS is Windows XP SP2. Memory is 1GB. Processor is 2.4 GHz. I have 2 hard drives, each one is divided into 2 partitions. Main hard drive is Western Digital Raptor 150 GB, with appr. 120 GB of free space.
I have done disk defrag. before I started to follow your instructions. I am using Zone Alarm as a firewall. All Windows updates are installed. I ran a virus scan using AVG free version. I cleaned all temp. files and temporary intenet files. I scan my computer with Ad-Aware and Spybot Search and Destroy. I downloaded McAfee Stinger and ran it.
The following is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:31:51 AM, on 9/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
I:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\ffpsrv.exe
C:\Program Files\Norton GoBack\GBPoll.exe
F:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
I:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\hptsvr.exe
C:\WINDOWS\system32\KMDEVMONSRV.exe
C:\WINDOWS\system32\KMdevmonx.exe
I:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WFXSVC.EXE
F:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Panasonic\GIGARANGE KX-TG57 Series\DMCPWinApp.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\SPAMfighter\SFAgent.exe
I:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\main\launchPd.EXE
C:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
I:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
I:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
I:\Program Files\Microsoft\Antispyware\gcasDtServ.exe
C:\WINDOWS\System32\msiexec.exe
I:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
I:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
I:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton GoBack\GBTray.exe
I:\Program Files\Panasonic\Multi-Function Station\StatusMon.exe
C:\WINDOWS\system32\RAMASST.exe
F:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\SpywareGuard\sgmain.exe
F:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.107-big.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ScriptSentry] C:\Program Files\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [gcasServ] "I:\Program Files\Microsoft\Antispyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [KX-TG57_59_GigaRangeApp] "C:\Program Files\Panasonic\GIGARANGE KX-TG57 Series\DMCPWinApp.exe" /S
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SPAMfighter Agent] "F:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchPd.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] I:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = F:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = I:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Panasonic Multi-Function StatusMonitor.lnk = I:\Program Files\Panasonic\Multi-Function Station\StatusMon.exe
O4 - Global Startup: RAMASST.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmcache.html
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) - http://www.jasons-toolbox.com/BrowserSecur...tiveXTester.ocx
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {51C98AC0-31D3-4049-B659-24389E0D94E3} (TCM3Control Control) - http://video.icellcom.co.il/TCM3Viewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125119651750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128262976195
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E93E17B-7835-47A4-B103-3818DF60A9F3}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{70DD8BC7-0462-48DD-81AE-907D2E5ECC44}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAD1FFE8-76DE-4462-83D2-D95318903362}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{E577F65D-E192-4F87-B663-A6F308C27BB6}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - I:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: File and Folder Protector (FileAndFolderProtector_S) - Unknown owner - C:\WINDOWS\System32\ffpsrv.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - F:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HighPoint RAID Management Service (hptsvr) - Unknown owner - I:\Program Files\HighPoint Technologies, Inc.\HighPoint RAID Management Software\service\hptsvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multi-Function Station Device Monitor (KMDevmonSrv) - Unknown owner - C:\WINDOWS\system32\KMDEVMONSRV.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 15430 bytes

BC AdBot (Login to Remove)

 


#2 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:48 PM

Posted 03 October 2007 - 03:00 PM

Hi bigredlimo, :blink:

If you still need help please post a fresh HijackThis log and I'll be happy to look at it for you.

Thanks for your patience. :thumbsup:

#3 bigredlimo

bigredlimo
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 12 October 2007 - 07:02 PM

Hello Falu,

Sorry, but you responded to my post the day after I left home on a business trip. I just came back. I did the whole procedure all over again again as per the instructions in the forum for posting logs, and here is the fresh log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:56:07 PM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
I:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\ffpsrv.exe
C:\Program Files\Norton GoBack\GBPoll.exe
F:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
I:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\hptsvr.exe
C:\WINDOWS\system32\KMDEVMONSRV.exe
C:\WINDOWS\system32\KMdevmonx.exe
I:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WFXSVC.EXE
F:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Panasonic\GIGARANGE KX-TG57 Series\DMCPWinApp.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
I:\Program Files\Microsoft\Antispyware\gcasDtServ.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\SPAMfighter\SFAgent.exe
I:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\main\launchPd.EXE
C:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
I:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
I:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Norton GoBack\GBTray.exe
I:\Program Files\Panasonic\Multi-Function Station\StatusMon.exe
C:\WINDOWS\system32\RAMASST.exe
F:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\SpywareGuard\sgmain.exe
F:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\SpywareGuard\sgbhp.exe
I:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
I:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
I:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.107-big.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ScriptSentry] C:\Program Files\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [gcasServ] "I:\Program Files\Microsoft\Antispyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [KX-TG57_59_GigaRangeApp] "C:\Program Files\Panasonic\GIGARANGE KX-TG57 Series\DMCPWinApp.exe" /S
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SPAMfighter Agent] "F:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchPd.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] I:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = F:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = I:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Panasonic Multi-Function StatusMonitor.lnk = I:\Program Files\Panasonic\Multi-Function Station\StatusMon.exe
O4 - Global Startup: RAMASST.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmcache.html
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) - http://www.jasons-toolbox.com/BrowserSecur...tiveXTester.ocx
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {51C98AC0-31D3-4049-B659-24389E0D94E3} (TCM3Control Control) - http://video.icellcom.co.il/TCM3Viewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125119651750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128262976195
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E93E17B-7835-47A4-B103-3818DF60A9F3}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{70DD8BC7-0462-48DD-81AE-907D2E5ECC44}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAD1FFE8-76DE-4462-83D2-D95318903362}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{E577F65D-E192-4F87-B663-A6F308C27BB6}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - I:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: File and Folder Protector (FileAndFolderProtector_S) - Unknown owner - C:\WINDOWS\System32\ffpsrv.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - F:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HighPoint RAID Management Service (hptsvr) - Unknown owner - I:\Program Files\HighPoint Technologies, Inc.\HighPoint RAID Management Software\service\hptsvr.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multi-Function Station Device Monitor (KMDevmonSrv) - Unknown owner - C:\WINDOWS\system32\KMDEVMONSRV.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 15614 bytes

#4 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:48 PM

Posted 15 October 2007 - 01:00 PM

Hi bigredlimo, :thumbsup:

Welcome to BleepingComputer Forums and thans again for your patience.

1. I notice from your log that you are running two different Anti-Virus programs (Norton and AVG) with Auto-protect enabled. Rather than giving you extra protection, this can actually give problems because of incompatibility issues, can even cause BSODs and decrease reliability seriously!

Therefor I would strongly advise you to only have one Anti-Virus with the Auto-Protect feature running at any one time!
Uninstall the other through the Add or Remove Programs option in Control Panel.

2. We need to disable the real-time protection of several protection programmes you have running, since they may interfere with the fixes to be made. You may enable them once you're clean, I will let you know.

> Microsoft AntiSpyware:

* Open Microsoft AntiSpyware.
* Click on Tools, then click Settings.
* In the left pane, click on Real-time Protection.
* Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
* Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
* After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
* Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

> SpywareGuard:

* Right click the running icon ofSpywareGuard, it will open the program.
* Then go to Menu, file, exit.
* Then confirm the program is closed.


3. Run HijackThis, click Scan and checkmark the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E93E17B-7835-47A4-B103-3818DF60A9F3}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{70DD8BC7-0462-48DD-81AE-907D2E5ECC44}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{CAD1FFE8-76DE-4462-83D2-D95318903362}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{E577F65D-E192-4F87-B663-A6F308C27BB6}: NameServer = 85.255.115.27,85.255.112.120
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

If you have connection problems after this:
  • Go to Control Panel. - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step .
    Double-click the Network Connections icon
    Right-click the Local Area Connection icon and select Properties.
    Hilight Internet Protocol (TCP/IP) and click the Properties button.
    Be sure Obtain DNS server address automatically is selected.
    OK your way out.
  • Go to Start > Run and type in: cmd

    Click OK.
    This will open a command prompt.
    Type or copy and paste the following line in the command window:

    ipconfig /flushdns

    Hit Enter
    Exit the command window
Do that before you restart.

4. Go to Start->Run, type CMD (if it's not already in the textbox) and click Ok.

Alternatively, Press Ctrl+Alt+Delete to bring the Task Manager. While holding down the Ctrl key, click on New Task. Once the MSDOS Window comes up, minimize the Task Manager.
At the prompt type the following and press Enter after each line:

SC Stop ".NET Connection Service"
SC Delete ".NET Connection Service

Exit

5. Please download FixWareout from one of these mirrors:
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.

#5 bigredlimo

bigredlimo
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 16 October 2007 - 04:02 AM

Thanks Falu,

That's a "big job" you gave me, however, before I do all this, we need to clarify something: I don't have Norton Anti Virus; or at least I thought I don't have it, until I read your response. Here is why: for the longest time now I was advised to get rid of NIV (for reasons that I am sure you are aware of, but we won't get into them here) and replace it with another protection software (like AVG). I was reluctent to do so because I am using six other applications by Symantec, as follows: Norton Anti Spam, Norton Ghost, Norton GoBack, Partition Magic, Symantec PCanywhere, and Symantec Winfax.
I was worried that if I use "Add and Remove Programs" to remove NIV, it will remove some files that are common to the other Symantec applications, thus rendering them useless.

Finally, about two months ago, I called Symantec Tech Support and consulted with them. I was told to go ahead and use "Add and Remove Programs" in order to remove NIV, and was assured that it will not affect the functionality of the other Symantec applications. So I did, and installed the free version of AVG instead. That is the reason why I thought I didn't have NIV, until I read your recent response to me.

As a result of that, I went and checked my "Add and Remove Programs" list, and noticed that, in addition to the six applications that I mentioned above, there are three other entrees (which I am not clear where they belong to, or what they do), as follows: Norton WMI Update, LiveReg (Symantec Corporation), and LiveUpdate 2.6 (Symantec Corporation). Bear in mind that Norton Anti Spam also has a "live update" feature.

That said, and since the very first item in your instructions refers to NIV, I decided not to start with the "cleaning process" pending clarificaton of this issue, and further instructions from you.

Thanks.

#6 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:48 PM

Posted 16 October 2007 - 04:43 AM

Hi bigredlimo :thumbsup:

In your runing processes you see this: C:\Program Files\Common Files\Symantec Shared\ccApp.exe

and in your list of start up programmes: O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

The file ccApp.exe refers to Norton Antivirus.

If you checked the programmes installed on your computer and Norton AV is gone than this is probably a left over and we'll look after that later.

So continue with the instructions (step 2) please.

#7 bigredlimo

bigredlimo
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 17 October 2007 - 01:20 AM

Hi Falu,

As the saying goes, nobody promised a rose garden....

I sat down to start the process as per your instructions, and I ran into some snugs.

As to step 1, you instructed me to skip it for the time being.

As to step 2, I disabled SpywareGuard. However, when I tried to open Microsoft AntiSpyware, It opened a window with the following message: "This version of Microsoft AntiSpyware has expired as of July 31, 2006. The Microsoft Internal Beta version of Microsoft AntiSpyware has expired. Please contact Microsoft for an updated version". I clicked "OK", which closed that message window, and the application would not open. Therefore, I unstalled Microsoft AntiSpyware (I downloaded Windows Defender instead, but did not install it yet).

As to step 3, you asked me to run HijackThis, scan, and checkmark seven entries. I was able to find five of them, but could not find the other two, as follows (I gave them numbers so that it would be easier to indicate which ones I found and which ones not):

1. R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
2. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
3. O17 - HKLM\System\CCS\Services\Tcpip\..\{3E93E17B-7835-47A4-B103-3818DF60A9F3}:
NameServer = 85.255.115.27,85.255.112.120
4. O17 - HKLM\System\CCS\Services\Tcpip\..\{70DD8BC7-0462-48DD-81AE-907D2E5ECC44}:
NameServer = 85.255.115.27,85.255.112.120
5. O17 - HKLM\System\CCS\Services\Tcpip\..\{CAD1FFE8-76DE-4462-83D2-D95318903362}:
NameServer = 85.255.115.27,85.255.112.120
6. O17 - HKLM\System\CCS\Services\Tcpip\..\{E577F65D-E192-4F87-B663-A6F308C27BB6}:
NameServer = 85.255.115.27,85.255.112.120
7. O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner -
C:\WINDOWS\svchost.exe (file missing)

I was able to find entries 1, 2, 4, 6, and 7, but I wasn't able to find entries 3 and 5. I therefore decided not to continue, pending your instructions.

Just in case you need it, here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:17:46 AM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
I:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\ffpsrv.exe
C:\Program Files\Norton GoBack\GBPoll.exe
F:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
I:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\hptsvr.exe
C:\WINDOWS\system32\KMDEVMONSRV.exe
I:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe
C:\WINDOWS\system32\KMdevmonx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WFXSVC.EXE
F:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Panasonic\GIGARANGE KX-TG57 Series\DMCPWinApp.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\SPAMfighter\SFAgent.exe
I:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\main\launchPd.EXE
C:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
I:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
I:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Norton GoBack\GBTray.exe
I:\Program Files\Panasonic\Multi-Function Station\StatusMon.exe
C:\WINDOWS\system32\RAMASST.exe
F:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
F:\PROGRA~1\Webshots\webshots.scr
I:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
I:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
I:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.107-big.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ScriptSentry] C:\Program Files\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [KX-TG57_59_GigaRangeApp] "C:\Program Files\Panasonic\GIGARANGE KX-TG57 Series\DMCPWinApp.exe" /S
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SPAMfighter Agent] "F:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchPd.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] I:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = F:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = I:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Panasonic Multi-Function StatusMonitor.lnk = I:\Program Files\Panasonic\Multi-Function Station\StatusMon.exe
O4 - Global Startup: RAMASST.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmcache.html
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) - http://www.jasons-toolbox.com/BrowserSecur...tiveXTester.ocx
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {51C98AC0-31D3-4049-B659-24389E0D94E3} (TCM3Control Control) - http://video.icellcom.co.il/TCM3Viewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125119651750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128262976195
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E93E17B-7835-47A4-B103-3818DF60A9F3}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{70DD8BC7-0462-48DD-81AE-907D2E5ECC44}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{E577F65D-E192-4F87-B663-A6F308C27BB6}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - I:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: File and Folder Protector (FileAndFolderProtector_S) - Unknown owner - C:\WINDOWS\System32\ffpsrv.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - F:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HighPoint RAID Management Service (hptsvr) - Unknown owner - I:\Program Files\HighPoint Technologies, Inc.\HighPoint RAID Management Software\service\hptsvr.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multi-Function Station Device Monitor (KMDevmonSrv) - Unknown owner - C:\WINDOWS\system32\KMDEVMONSRV.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 15266 bytes

#8 bigredlimo

bigredlimo
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 17 October 2007 - 01:38 AM

Falu,

Sorry, I forgot to mention also that yesterday my internet service provider had problems, and when the service was restored I had to unplug the power from the cable modem for few seconds to let it re-set. Is it possible that this changed the entries? Just thought I should mention that.

#9 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:48 PM

Posted 17 October 2007 - 06:57 AM

Hi bigredlimo, :blink:

Please continue with the instructions. :thumbsup:

#10 bigredlimo

bigredlimo
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 17 October 2007 - 09:03 AM

Hi Falu,

I continued the process as you asked me to. The following are the FixWareout report and the new HijackThis log.

Please note: in step 3 of your instructions I only checked the 5 entries that I was able to find, and then clicked the Fix Checked button in HijackThis.

Username "hillel" - 10/17/2007 9:42:28 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="kdanj.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3E93E17B-7835-47A4-B103-3818DF60A9F3}
"DhcpNameServer"="85.255.115.27,85.255.112.120" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{70DD8BC7-0462-48DD-81AE-907D2E5ECC44}
"DhcpNameServer"="85.255.115.27,85.255.112.120" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{E577F65D-E192-4F87-B663-A6F308C27BB6}
"DhcpNameServer"="85.255.115.27,85.255.112.120" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTStartup"="C:\\Program Files\\Creative\\Splash Screen\\CTEaxSpl.EXE /run"
"WinFaxAppPortStarter"="wfxsnt40.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"ScriptSentry"="C:\\Program Files\\Script Sentry\\ScriptSentry.exe /check"
"POINTER"="point32.exe"
"Onelive"=""
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_02\\bin\\jusched.exe\""
"KX-TG57_59_GigaRangeApp"="\"C:\\Program Files\\Panasonic\\GIGARANGE KX-TG57 Series\\DMCPWinApp.exe\" /S"
"Acronis Scheduler2 Service"="\"C:\\Program Files\\Common Files\\Acronis\\Schedule2\\schedhlp.exe\""
"TrueImageMonitor.exe"="C:\\Program Files\\Acronis\\TrueImageHome\\TrueImageMonitor.exe"
"AcronisTimounterMonitor"="C:\\Program Files\\Acronis\\TrueImageHome\\TimounterMonitor.exe"
"HP Software Update"="C:\\Program Files\\Hp\\HP Software Update\\HPWuSchd2.exe"
"QuickTime Task"="\"I:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SPAMfighter Agent"="\"F:\\Program Files\\SPAMfighter\\SFAgent.exe\" update delay 60"
"iTunesHelper"="\"I:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PowerBar"=""
"ATI Launchpad"="\"C:\\Program Files\\ATI Multimedia\\main\\launchPd.EXE\""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Gadwin PrintScreen 3.5"="I:\\Program Files\\Gadwin Systems\\PrintScreen\\PrintScreen.exe /nosplash"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:00:33 AM, on 10/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
I:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\ffpsrv.exe
C:\Program Files\Norton GoBack\GBPoll.exe
F:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
I:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\hptsvr.exe
C:\WINDOWS\system32\KMDEVMONSRV.exe
I:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe
C:\WINDOWS\system32\KMdevmonx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WFXSVC.EXE
F:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Panasonic\GIGARANGE KX-TG57 Series\DMCPWinApp.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\Program Files\SPAMfighter\SFAgent.exe
I:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\ATI Multimedia\main\launchPd.EXE
C:\WINDOWS\system32\ctfmon.exe
I:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\WINDOWS\System32\msiexec.exe
I:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
I:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\Program Files\Norton GoBack\GBTray.exe
I:\Program Files\Panasonic\Multi-Function Station\StatusMon.exe
C:\WINDOWS\system32\RAMASST.exe
F:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\SpywareGuard\sgmain.exe
F:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\SpywareGuard\sgbhp.exe
I:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
I:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
I:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.107-big.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ScriptSentry] C:\Program Files\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [KX-TG57_59_GigaRangeApp] "C:\Program Files\Panasonic\GIGARANGE KX-TG57 Series\DMCPWinApp.exe" /S
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SPAMfighter Agent] "F:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchPd.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] I:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = F:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = I:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Panasonic Multi-Function StatusMonitor.lnk = I:\Program Files\Panasonic\Multi-Function Station\StatusMon.exe
O4 - Global Startup: RAMASST.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmcache.html
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) - http://www.jasons-toolbox.com/BrowserSecur...tiveXTester.ocx
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {51C98AC0-31D3-4049-B659-24389E0D94E3} (TCM3Control Control) - http://video.icellcom.co.il/TCM3Viewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125119651750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128262976195
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E93E17B-7835-47A4-B103-3818DF60A9F3}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - I:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: File and Folder Protector (FileAndFolderProtector_S) - Unknown owner - C:\WINDOWS\System32\ffpsrv.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - F:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HighPoint RAID Management Service (hptsvr) - Unknown owner - I:\Program Files\HighPoint Technologies, Inc.\HighPoint RAID Management Software\service\hptsvr.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multi-Function Station Device Monitor (KMDevmonSrv) - Unknown owner - C:\WINDOWS\system32\KMDEVMONSRV.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 14825 bytes

#11 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:48 PM

Posted 17 October 2007 - 03:18 PM

Hi bigredlimo,

You did very well.

Please note: in step 3 of your instructions I only checked the 5 entries that I was able to find, and then clicked the Fix Checked button in HijackThis.


It must be the quality of the way you checked them, since you only checked three of them and all five are gone.

Logs look good so we're getting there.

1. You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6u3). Older versions have vulnerabilities that malware can use to infect your system. Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have next icon next to it: Posted Image
    Select it and click Remove.
  • Then Download and install the newest version from here:

    Java Runtime Environment (JRE) 6u3
2. Run the F-Secure Online Scanner
Note: This Scanner is for Internet Explorer Only!
Follow the Instruction here for installation.
Accept the License Agreement.
Once the ActiveX installs,Click Full System Scan
Once the download completes, the scan will begin automatically.
The scan will take some time to finish, so please be patient.
When the scan completes, click the Automatic cleaning (recommended) button.
Click the Show Report button and Copy&Paste the entire report in your next reply.

Please post the F-Secure report along with a fresh HijackThis log and let me know how things are running.

#12 bigredlimo

bigredlimo
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 18 October 2007 - 03:21 AM

Hi Falu,

I followed your further instructions. Here are the F-Secure report and the fresh HijackedThis log.
PC is running much better, much more responsive. Slow on boot, but this is probably because of too many processes on start up, isn't it?

Don't forget we have to re-visit the ccApp.exe file issue.

Scanning Report
Thursday, October 18, 2007 02:33:06 - 04:04:48
Computer name: P4
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ F:\ G:\ I:\


--------------------------------------------------------------------------------

Result: 13 malware found
HTML/IFrame@expl (virus)
C:\DOCUMENTS AND SETTINGS\HILLEL\LOCAL SETTINGS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\RY4VFH0T\EXTRABLOW[1].HTM (Submitted)
HTML/VMLFill (virus)
C:\DOCUMENTS AND SETTINGS\HILLEL\LOCAL SETTINGS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\4DIZ4LUB\EXP4[1].HTM (Renamed & Submitted)
JS/IFrame (virus)
C:\DOCUMENTS AND SETTINGS\HILLEL\LOCAL SETTINGS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\OH2R8XAN\151[1].HTM (Submitted)
C:\DOCUMENTS AND SETTINGS\HILLEL\LOCAL SETTINGS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\9N9E0H94\151[1].HTM (Submitted)
JS/Psyme.CA (virus)
C:\DOCUMENTS AND SETTINGS\HILLEL\LOCAL SETTINGS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\6Z8NTQB6\NEW413[1].HTM (Renamed & Submitted)
JS/Psyme.CJ (virus)
C:\DOCUMENTS AND SETTINGS\HILLEL\LOCAL SETTINGS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\IM0LZ4W1\EXP2[1].HTM (Renamed & Submitted)
Possible Browser Hijack attempt (spyware)
System (Disinfected)
Smalldoor.GRT (virus)
C:\PROGRAM FILES\OWCSTP16.DLL (Submitted)
Trojan-Downloader.JS.Agent.ab (virus)
C:\DOCUMENTS AND SETTINGS\HILLEL\LOCAL SETTINGS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\U0PB34RY\ADV413[1].HTM (Renamed & Submitted)
Trojan-Downloader.JS.Agent.bx (virus)
C:\DOCUMENTS AND SETTINGS\HILLEL\LOCAL SETTINGS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\OLQZKXM7\EXP2[1].HTM (Renamed & Submitted)
Trojan-Downloader.JS.Agent.cd (virus)
C:\DOCUMENTS AND SETTINGS\HILLEL\LOCAL SETTINGS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\OLQZKXM7\EXP1[1].HTM (Renamed & Submitted)
C:\DOCUMENTS AND SETTINGS\HILLEL\LOCAL SETTINGS\TEMP\TEMPORARY INTERNET FILES\CONTENT.IE5\7SMV387J\EXP1[1].HTM (Renamed & Submitted)
Windows (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 55842
System: 7652
Not scanned: 6
Actions:
Disinfected: 2
Renamed: 7
Deleted: 0
None: 4
Submitted: 11
Files not scanned:
C:\GOBACKIO.BIN
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\FDCDNT.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSYS.DLL
F:\GOBACKIO.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-10-17
F-Secure AVP: 7.0.171, 2007-10-18
F-Secure Orion: 1.2.37, 2007-10-18
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0598-150-72
F-Secure Pegasus: 1.19.0, 2007-09-11
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright 1998-2006 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:19:33 AM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Panasonic\GIGARANGE KX-TG57 Series\DMCPWinApp.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
F:\Program Files\SPAMfighter\SFAgent.exe
F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
I:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Multimedia\main\launchPd.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
I:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
I:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
I:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
I:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
C:\WINDOWS\System32\DVDRAMSV.exe
C:\WINDOWS\System32\ffpsrv.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\Norton GoBack\GBPoll.exe
I:\Program Files\Panasonic\Multi-Function Station\StatusMon.exe
F:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\KMdevmonx.exe
I:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\hptsvr.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\KMDEVMONSRV.exe
I:\Program Files\HighPoint Technologies, Inc\HighPoint RAID Management Software\service\drvinst.exe
F:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\SpywareGuard\sgmain.exe
F:\PROGRA~1\Webshots\webshots.scr
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\System32\WFXSVC.EXE
F:\Program Files\Symantec\WinFax\WFXMOD32.EXE
I:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
I:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
I:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.il/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar_en_2.0.107-big.dll
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ScriptSentry] C:\Program Files\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [KX-TG57_59_GigaRangeApp] "C:\Program Files\Panasonic\GIGARANGE KX-TG57 Series\DMCPWinApp.exe" /S
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SPAMfighter Agent] "F:\Program Files\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchPd.EXE"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 3.5] I:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Webshots.lnk = F:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = ?
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet 7100 series) - 1.lnk = I:\Program Files\Hewlett-Packard\AiO\hp officejet 7100 series\Bin\hpogrp07.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: Panasonic Multi-Function StatusMonitor.lnk = I:\Program Files\Panasonic\Multi-Function Station\StatusMon.exe
O4 - Global Startup: RAMASST.lnk = ?
O4 - Global Startup: ZoneAlarm Pro.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmcache.html
O8 - Extra context menu item: Download Video - http://www.viloader.net/addon.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\Free Surfer\FS20.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4169B5A0-9048-11D6-BDFF-00C0F024AF20} (ActiveXTester.TesterControl) - http://www.jasons-toolbox.com/BrowserSecur...tiveXTester.ocx
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {51C98AC0-31D3-4049-B659-24389E0D94E3} (TCM3Control Control) - http://video.icellcom.co.il/TCM3Viewer.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125119651750
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1128262976195
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {F59AB0C4-3443-4551-A78F-C101F9DE0215} (LauncherV1 Class) - http://irc.tapuz.co.il/BlogTVU/launcher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E93E17B-7835-47A4-B103-3818DF60A9F3}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{3950FB4C-F0B0-4B52-B1A0-40A6A4D794DF}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - F:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - I:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DVD-RAM_Service - Matsubleepa Electric Industrial Co., Ltd. - C:\WINDOWS\System32\DVDRAMSV.exe
O23 - Service: File and Folder Protector (FileAndFolderProtector_S) - Unknown owner - C:\WINDOWS\System32\ffpsrv.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: GhostStartService - Symantec Corporation - F:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: HighPoint RAID Management Service (hptsvr) - Unknown owner - I:\Program Files\HighPoint Technologies, Inc.\HighPoint RAID Management Software\service\hptsvr.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Multi-Function Station Device Monitor (KMDevmonSrv) - Unknown owner - C:\WINDOWS\system32\KMDEVMONSRV.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - C:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)

--
End of file - 14867 bytes

#13 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:48 PM

Posted 18 October 2007 - 03:56 PM

Hi bigredlimo, :thumbsup:

1.

PC is running much better, much more responsive.


Very good to hear.

2.

Slow on boot, but this is probably because of too many processes on start up, isn't it?


There are some tools you can use to manage your startup locations such as:

Sysinternal's Autoruns
StartUpMonitor
Startup Manager

Another possibility is:

Go to start > run and type: msconfig
Select the tab: Startup

There you will see all the programs starting up with windows.
Some are not needed and can also cause a system slowdown. Don't disable them all because some are needed! if you're not sure check them at BleepingComputer and castlecops.

You can always access these programs by going to your startmenu > all programs or start them manually via the Programs Folder where they are present.So you can always enable them afterwards again.

Also look at Help! My computer is slow!

3. Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

4.

Don't forget we have to re-visit the ccApp.exe file issue.


ccApp.exe demonstrates that you've Norton Antivirus installed and running, so I suggest you use Symantec's removal tool:

How to uninstall Norton AntiVirus 2003 or Norton AntiVirus 2003 Professional Edition

Please post a fresh HijackThis log for review.

#14 bigredlimo

bigredlimo
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 18 October 2007 - 06:39 PM

Thanks Falu,

One queastion though before I do step #4 in your recent instructions. I did a search for ccApp.exe on my PC (Start then Search). The search found three items:
1. C:\WINDOWS\Prefetch
2. C:\Programs Files\Common Files\Symantec Shared
3. F:\Documents and Settings\hillel\Local Settings\Temp\NAS\Support\ccCommon\ccCcommon\
CommoFi\SYMSHARE

I would assume that NAS (in the third item) stands for Norton AntiSpam. If so, my concern is that ccApp.exe is shared by both, NAV and NAS (or at least was. before I uninstalled NAV), and therefore is needed for the operation of NAS.

I will wait to your response before I execute step #4.

#15 bigredlimo

bigredlimo
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:07:48 PM

Posted 18 October 2007 - 08:02 PM

Further to my last message Falu,

With regard to step #4 in your last message, I opened the link for the Symantec Removal Tool, and here is what it says in the very beginning:

"The Norton Removal Tool uninstalls all Norton 2006/2005/2004/2003 products from your computer".

As I previously told you, I have 6 or 7 other Symantec products.

In the meantime, I disabled the following 2 files from the startup menue (using msconfig):

SNDMon.exe
ccApp.exe

Apparently the first one also has to do with NAV. We'll see if it will cause problems. I can always go back and enable them.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users