Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

my computer is bugged


  • Please log in to reply
6 replies to this topic

#1 kbrad

kbrad

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:44 PM

Posted 17 February 2005 - 11:05 AM

Hi folks,
my desktop applications cannot be opened by double clicking (only right-clicking), porn websites are being added to my explorer favorites and the about:blank page keeps coming up on booting up. Here is my hijack log file. Any suggestions would be greatly appreciated.
Thanks.

Logfile of HijackThis v1.99.0
Scan saved at 11:00:28 AM, on 2/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ltmsg.exe
C:\WINDOWS\system32\atlvf.exe
C:\WINDOWS\system32\tibs5.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nzqgv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nzqgv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nzqgv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nzqgv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nzqgv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nzqgv.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {410D9F00-8C94-E956-4B57-588F19CDCBA5} - C:\WINDOWS\mfcas32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [atlvf.exe] C:\WINDOWS\system32\atlvf.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\system32\tibs5.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: {225781F3-B27C-4182-83F1-CBF79247D36B} (PHSVPNPortal.VPNPortalCtl) - http://portal.partners.org/vpn/PHSVPNPortal.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb02a.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104949729691
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\ntxh.exe

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:09:44 PM

Posted 18 February 2005 - 12:33 PM

Hello kbrad and welcome to the BC forums. I am presently reviewing your log and will respond back to you as quickly as I can.

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:09:44 PM

Posted 18 February 2005 - 09:59 PM

Hello again kbrad. After reviewing your log I see a number of items that require attention. This will take a number of steps and some special removal tools. Please print these directions for your reference as we will be disconnecting from the internet later on. Now proceed with these steps in order:

Step # 1

Download these tools:About:Buster.zip
Cwshredder.exe
cwsserviceremove.zip
DelDomains.zip
Hoster.exe
Step # 2

In this step we are going to start each tool we downloaded in the previous step and check for updates but we are not going to perform any fixes or scans at this time. We just have to make sure that they will startup properly.

Unzip About:Buster to your Desktop and then double-click on the icon that was created. This should open a folder window. Double-click on the AboutBuster.exe file to start the program. If you get an error message that files are missing then download the file below and run it:MissingFileSetup.exe
When About:Buster starts click the Ok button on the 1st dialog and click the Update button on the program screen to check for updates. When done updating click the Exit button.

Now start CWShredder.exe. If you get an error that the vb runtime files are missing then go to the link below and click the Download button on the right-hand side of the screen to download VB6.0-KB290887-X86.exe:Download VB6.0-KB290887-X86.exe
Double-click on the VB6.0-KB290887-X86.exe file you just downloaded to install the vb runtime files. Try to start CWShredder.exe again.

When CWShredder starts click the Check for Update button to get any available updates. Close CWShredder.

I see that you have Ad-Aware SE installed. Start Ad-Aware SE and perform an update to get the latest definition files. Also, see the instructions here and make sure you have the settings correctly configured:Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
Close Ad-Aware.

Unzip cwsserviceremove.zip to your desktop. Do not merge it yet.

Unzip deldomains.zip to your desktop. Do not merge it yet.

Step # 3

We need to make sure all hidden files are showing so please:* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Because XP will not always show you hidden files and folders by default when searching, do the following:* Click Start
* Click Search
* Under More advanced search options check Search System Folders
Search hidden files and folders
Search system subfolders
[/list]This is very important. Please follow the reset of the steps exactly.

Step # 4

Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line.

Click Start and then click Run. In the Open dialog type in services.msc and click OK.

In the services window find Network Security Service. Right-click and choose Properties. On the General tab under Service Status click the Stop button to stop the service. Beside Startup Type in the dropdown menu select Disabled. Click Apply then OK. Exit the Services utility.

Step # 5

Start in Safe Mode Using the F8 method:* Restart the computer.
* As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
* Use the arrow keys to select the Safe Mode menu item.
* Press Enter.
Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter into the registry. Answer yes when asked to have it's contents added to the registry.

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nzqgv.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nzqgv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\nzqgv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\nzqgv.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\nzqgv.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\nzqgv.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {410D9F00-8C94-E956-4B57-588F19CDCBA5} - C:\WINDOWS\mfcas32.dll
O4 - HKLM\..\Run: [atlvf.exe] C:\WINDOWS\system32\atlvf.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\system32\tibs5.exe
O23 - Service: Network Security Service - Unknown - C:\WINDOWS\system32\ntxh.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Find the following files/directories and delete them (don't worry if they are already gone):C:\WINDOWS\mfcas32.dll
C:\WINDOWS\system32\atlvf.exe
C:\WINDOWS\system32\tibs5.exe
C:\WINDOWS\system32\ntxh.exe

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\<user name>\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. Repeat this for each user in the Documents and Settings directory.

Finally go to Control Panel > Internet Options. On the General tab under Temporary Internet Files click Delete Files. Put a check by Delete Offline Content and click OK. Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.

Step # 6

Now run AboutBuster. Double-click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. When finished save the log file to post back with your next HijackThis log.

Step # 7

Next run CWShredder. Double-click on the cwshredder.exe then click Fix (Not "Scan only") and let it run.

Step # 8

Finally, run Ad-Aware SE. Perform a Full System Scan. Fix all of the critical objects found.

Step # 9

Almost done! If you're still with me you are doing great. Now reboot your computer normally. When you are at your desktop right-click on the deldomains.inf file and choose Install.

Next, run an online virus scan here:Trend Micro Housecall
Be sure and put a check in the box by Auto Clean before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

Step # 10

Restore (possibly) deleted files:* Check for controle.exe - Look in c:\windows\system32 for control.exe. If it is missing download this file and replace it:control_xpsp1.zip
* Check for shell.dll - Look in the C:\Windows\system32 folder to be sure you have a file named Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache folder, find shell.dll and right-click on it. Choose Copy from the menu. Open the System32 folder and right-click on an empty space in the window. Choose Paste from the menu.
* Replace HOSTS file - Run Hoster.exe, click Restore Original Hosts and then click OK. Click the X to exit the program. Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
* Check ActiveX security settings - Your ActiveX settings may have been changed by this CWS variant to allow ALL ActiveX!* In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
Download signed ActiveX controls (Prompt)
Download unsigned ActiveX controls (Disable)
Initialize and script ActiveX controls not marked as safe (Disable)
Run ActiveX controls and plug-ins (Enabled)
Script ActiveX controls marked safe for scripting (Prompt)
[/list]Step # 11

Ok. Start HijackThis, click the Scan button to perform a scan and save it as a new log. Post that log back here along with your About:Buster log as a reply to this topic and I will check them when they come in.

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#4 kbrad

kbrad
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:44 PM

Posted 19 February 2005 - 02:14 PM

When I try to run the services.msc it just opens up for a second then disappears (in safe mode). when trying to run in normal mode, the hour glass shows up and the system says the program is not responding then eventually shuts down.
Also, the cwserviceremove is text only when unzip it, same for the deldomains. i downloaded these in safe mode with networking. is that a problem?
thanks for your help. sorry about the double posting.

#5 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:09:44 PM

Posted 19 February 2005 - 07:37 PM

Hey kbrad. I see that you do have 2 posts here for the same issue. SirJon and I spoke and since he has already started he will continue with helping you. Please use the post you already have started with him to complete your fix.

Just so you know, the deldomains.reg and cwsserviceremoe.inf are text files. The first is a registry file and the second is an install file.

Cheers.

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#6 kbrad

kbrad
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:08:44 PM

Posted 21 February 2005 - 09:00 PM

Hi OT-
Below is my hijack log. Let me know what you think. Thanks.

Logfile of HijackThis v1.99.0
Scan saved at 8:58:10 PM, on 2/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ltmsg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\PCCGUIDE.EXE
C:\PROGRA~1\PcCtlCom.exe
C:\PROGRA~1\TmPfw.exe
C:\PROGRA~1\tmproxy.exe
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\pccguide.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: SideStep - {3E230861-5C87-11D3-A1C6-00105A1B41B8} - C:\WINDOWS\Downloaded Program Files\SbCIe02a.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {225781F3-B27C-4182-83F1-CBF79247D36B} (PHSVPNPortal.VPNPortalCtl) - http://portal.partners.org/vpn/PHSVPNPortal.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://download.sidestep.com/get/k00719/sb02a.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1104949729691
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Trend Micro Central Control Component - Trend Micro Incorporated. - C:\PROGRA~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service - Trend Micro Incorporated. - C:\PROGRA~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall - Trend Micro Inc. - C:\PROGRA~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service - Trend Micro Inc. - C:\PROGRA~1\tmproxy.exe

#7 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:09:44 PM

Posted 22 February 2005 - 07:45 PM

Hello again kbrad. I take it you're going to stick with this post and not the post with SirJon so he is going to close that post.

As far as your log goes, it looks clean. How are things running? You did not post the AboutBuster log so I cannot verify that everything is cleaned out at this point but the signs of the previous infection are not there. The only concern that I have is that it appears that you are running two anti-virus programs, Kapersky and Trend Micro. This is not recommended and usually causes problems so I strongly recommend that you choose one of them and remove the other.

Now that your computer is clean read the article shown below and follow the suggestions for keeping safe and clean. You need to keep your OS and antivirus updated, have a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyad. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....

Simple and easy ways to keep your computer safe and secure on the Internet

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users