Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT file - HELP


  • This topic is locked This topic is locked
14 replies to this topic

#1 SOLANGE

SOLANGE

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 18 May 2005 - 04:38 PM

My Norton AntiVirus seems to be corrupted ....cannot enable AutoProtect.
I have scanned my system with 3 excellent online antivirus/antispyware programs and although they removed several viruses and spyware, none of them have removed this search bar, which hijacks my browser. Do you think it is responsible for disabling my antivirus program? And is 'mywebsearch' associated with lop.com? Is 'mywebsearch' the same as 'websearch'? Because there is a posting here which gives instructions on how to remove the websearch toolbar, which I could follow. Any help would be much appreciated!


Logfile of HijackThis v1.99.1
Scan saved at 2:18:45 PM, on 18/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2

(6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec

Shared\ccEvtMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton SystemWorks\Norton

AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton

Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec

Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common

Files\Real\Update_OB\realsched.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Lisa

Spencer\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet

Explorer\Main,Search Bar =

http://www.otlmwpkzsctwiyfteijxsryl.com/7Pt9yrjgV

3RC3mBdBeW8sWHsE2IzIrxRyFEpXhLMWGdavJyTD

a8ILh0wYwzIoyPw.html
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Default_Page_URL =

www.mytelus.com
R1 - HKLM\Software\Microsoft\Internet

Explorer\Main,Search Bar = www.google.com
R0 - HKLM\Software\Microsoft\Internet

Explorer\Main,Start Page = www.praise1065.com
R1 - HKCU\Software\Microsoft\Internet

Explorer\Search,SearchAssistant =

www.google.com
R1 - HKCU\Software\Microsoft\Internet

Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet

Explorer\Search,SearchAssistant =

www.google.com
R0 - HKLM\Software\Microsoft\Internet

Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet

Explorer\Main,Local Page =

www.windowsupdate.com
R0 - HKLM\Software\Microsoft\Internet

Explorer\Main,Local Page =

www.windowsupdate.com
R1 -

HKCU\Software\Microsoft\Windows\CurrentVersion\

Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class -

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat

5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class -

{BDF3E430-B101-42AD-A544-FADC6B084872} -

C:\Program Files\Norton SystemWorks\Norton

AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus -

{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -

C:\Program Files\Norton SystemWorks\Norton

AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program

Files\Common Files\Real\Update_OB\realsched.exe"

-osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program

Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [2time]

C:\DOCUME~1\LISASP~1\APPLIC~1\LIESGR~1\W

ebRefHide.exe
O9 - Extra button: (no name) -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program

Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ -

{6224f700-cba3-4071-b251-47cb894244cd} -

C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ -

{6224f700-cba3-4071-b251-47cb894244cd} -

C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger ™ -

{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} -

C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates -

{6685509E-B47B-4f47-8E16-9A5F3A62F683} -

file://C:\Program

Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350

a.htm (file missing) (HKCU)
O9 - Extra button: Support -

{BFE619B4-0BD3-444C-89F1-54E5D405242D} -

C:\Program Files\Internet

Explorer\SIGNUP\Presario.htm (HKCU)
O12 - Plugin for .MTD: C:\Program Files\Internet

Explorer\Plugins\npmusicn.dll
O12 - Plugin for .spop: C:\Program Files\Internet

Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF:

START_PAGE_URL=http://store.presario.net/script

s/redirectors/presario/storeredir2.dll?s=consumerfa

v&c=3c01&lc=1009
O16 - DPF: Animal Ark by pogo -

http://play07.pogo.com/applet/animal/animal-ob-as

sets.cab
O16 - DPF: Backgammon by pogo -

http://gammon.pogo.com/applet/backgammon/bac

kgammon-ob-assets.cab
O16 - DPF: Canasta by pogo -

http://canasta.pogo.com/applet-5.9.3.29/canasta/ca

nasta-ob-assets.cab
O16 - DPF: Dice Derby by pogo -

http://checkeredflag.pogo.com/applet-6.0.0.25/che

ckeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Dominoes by pogo -

http://domino01.pogo.com/applet/domino/domino-

ob-assets.cab
O16 - DPF: Euchre by pogo -

http://euchre.pogo.com/applet-5.9.5.37/euchre/euc

hre-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo -

http://solitaire.pogo.com/applet-5.8.5.28/solitaire2/

solitaire2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo -

http://superbingo.pogo.com/applet-5.8.4.18/super

bingo/superbingo-ob-assets.cab
O16 - DPF: Hammerhead Pool by pogo -

http://pool29.pogo.com/applet/pool/pool-ob-assets

.cab
O16 - DPF: High Stakes Pool by pogo -

http://pool2.pogo.com/applet-5.9.5.30/pool2/pool-

ob-assets.cab
O16 - DPF: Jungle Gin by pogo -

http://gin.pogo.com/applet-5.9.5.37/gin/gin-ob-ass

ets.cab
O16 - DPF: Keno by pogo -

http://keno.pogo.com/applet-5.9.5.30/keno/keno-o

b-assets.cab
O16 - DPF: Mah Jong Garden by pogo -

http://game4.pogo.com/applet-5.9.5.30/mahjong/

mahjong-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo -

http://waterwheel.pogo.com/applet-5.9.5.37/water

wheel/waterwheel-ob-assets.cab
O16 - DPF: Phlinx by pogo -

http://flinger.pogo.com/applet-5.9.1.28/flinger/flin

ger-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo -

http://solitaire07.pogo.com/applet-5.8.3.26/pirates

gold/piratesgold-ob-assets.cab
O16 - DPF: Pop Fu by pogo -

http://popfu.pogo.com/applet/popfu/popfu-ob-asse

ts.cab
O16 - DPF: Poppit TM by pogo -

http://poppit.pogo.com/applet-5.9.5.37/poppit/pop

pit-ob-assets.cab
O16 - DPF: Squelchies by pogo -

http://squelchies.pogo.com/applet/squelchies/squel

chies-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo -

http://sweettooth.pogo.com/applet-5.9.0.18/sweett

ooth/sweettooth-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo -

http://holdem2.pogo.com/applet-5.9.4.30/holdem/

holdem-ob-assets.cab
O16 - DPF: Top Down Baseball Challenge by pogo -

http://topdown2.pogo.com/applet-5.8.3.26/topdow

n2/topdown2-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo -

http://game4.pogo.com/applet-5.9.5.30/peaks/pea

ks-ob-assets.cab
O16 - DPF: Tumble Bees by pogo -

http://jumbee.pogo.com/applet-5.9.4.30/jumbee/ju

mbee-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo -

http://turbo15.pogo.com/applet/turbo21/turbo21-o

b-assets.cab
O16 - DPF: Video Poker by pogo -

http://vpoker.pogo.com/applet-5.9.5.37/videopoker

2/videopoker-ob-assets.cab
O16 - DPF: Word Riot by pogo -

http://wordriot.pogo.com/applet/wordriot/wordriot-

ob-assets.cab
O16 - DPF: Word Whomp by pogo -

http://whomp.pogo.com/applet-5.9.0.18/wordwho

mp/wordwhomp-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo -

http://whackdown.pogo.com/applet-5.8.6.20/whac

kdown/whackdown-ob-assets.cab
O16 - DPF: WordJong by pogo -

http://wordjong.pogo.com/applet-5.9.4.22/wordjo

ng/wordjong-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo -

http://klondike.pogo.com/applet-5.9.1.28/worldclas

s/worldclass-ob-assets.cab
O16 - DPF:

{00B71CFB-6864-4346-A978-C0A14556272C}

(Checkers Class) -

http://messenger.zone.msn.com/binary/msgrchkr.c

ab
O16 - DPF:

{04E214E5-63AF-4236-83C6-A7ADCBF9BD02}

(HouseCall Control) -

http://housecall60.trendmicro.com/housecall/xscan

60.cab
O16 - DPF:

{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}

(CKAVWebScan Object) -

http://www.kaspersky.com/downloads/kws/kavweb

scan.cab
O16 - DPF:

{17492023-C23A-453E-A040-C7C580BBF700}

(Windows Genuine Advantage Validation Tool) -

http://go.microsoft.com/fwlink/?linkid=36467&clcid

=0x409
O16 - DPF:

{2917297F-F02B-4B9D-81DF-494B6333150B}

(Minesweeper Flags Class) -

http://messenger.zone.msn.com/binary/MineSweep

er.cab28578.cab
O16 - DPF:

{29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} -

http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF:

{2BC66F54-93A8-11D3-BEB6-00105AA9B6AE}

(Symantec AntiVirus scanner) -

http://security2.norton.com/SSC/SharedContent/vc/

bin/AvSniff.cab
O16 - DPF:

{41F17733-B041-4099-A042-B518BB6A408C} -

http://a1540.g.akamai.net/7/1540/52/20030530/qti

nstall.info.apple.com/bonnie/us/win/QuickTimeInst

aller.exe
O16 - DPF:

{53406295-12AB-4F49-824A-C5EAD19365DE}

(CHSInstaller Class) -

http://www.compaq.com/athome/support/PCHInsta

llTrust01.cab
O16 - DPF:

{56C9629A-C33F-11D3-BBFB-00105A1FAD68} -

http://www.eyetide.com/download//223/Eyetide%2

0Installer.cab
O16 - DPF:

{5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1}

(CSND_AX.ctlCSND_AX) -

http://www3.compaq.com/support/sndetect/CSND_

AX.CAB
O16 - DPF:

{6414512B-B978-451D-A0D8-FCFDF33E833C}

(WUWebControl Class) -

http://v5.windowsupdate.microsoft.com/v5consum

er/V5Controls/en/x86/client/wuweb_site.cab?10950

36943015
O16 - DPF:

{74D05D43-3236-11D4-BDCD-00C04F9A3B61}

(HouseCall Control) -

http://a840.g.akamai.net/7/840/537/2004061001/h

ousecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF:

{77E32299-629F-43C6-AB77-6A1E6D7663F6}

(Groove Control) -

http://www.nick.com/common/groove/gx/GrooveA

X25.cab
O16 - DPF:

{7A32634B-029C-4836-A023-528983982A49} -

http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF:

{8D83D301-E841-11D1-B155-00600823BCF9}

(WebLine Browser Integration Classes) -

http://live.landsend.com/webline/applets/msie40x.c

ab
O16 - DPF:

{8E0D4DE5-3180-4024-A327-4DFAD1796A8D}

(MessengerStatsClient Class) -

http://messenger.zone.msn.com/binary/MessengerS

tatsClient.cab
O16 - DPF:

{91433D86-9F27-402C-B5E3-DEBDD122C339} -

http://www.netvenda.com/sites/games-intl/ca/game

s6.cab
O16 - DPF:

{AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} -

http://www.wildtangent.com/install/wdriver/3rdPart

yContent/dnastudios/harrypotter/wtinst.cab
O16 - DPF:

{C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE}

(Symantec RuFSI Registry Information Class) -

http://security2.norton.com/SSC/SharedContent/sc/

bin/cabsa.cab
O16 - DPF:

{DBB2DE32-61F1-4F7F-BEB8-A37F5BC24EE2}

(MozillaPluginHostCtrl Class) -

http://www.musicnotes.com/download/adaptor.cab
O16 - DPF:

{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}

(PopCapLoader Object) -

http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF:

{E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2}

(DetectMN) -

http://www.musicnotes.com/download/npmusicn.c

ab
O16 - DPF:

{E87A6788-1D0F-4444-8898-1D25829B6755} -

http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF:

{F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6}

(MSN Chat Control 4.5) -

http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF:

{F6BF0D00-0B2A-4A75-BF7B-F385591623AF}

(Solitaire Showdown Class) -

http://messenger.zone.msn.com/binary/SolitaireSh

owdown.cab28578.cab
O23 - Service: Symantec Event Manager (ccEvtMgr)

- Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation

Service (ccPwdSvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec

Shared\ccPwdSvc.exe
O23 - Service: Crypkey License - Kenonic Controls

Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Norton AntiVirus Auto Protect

Service (navapsvc) - Symantec Corporation -

C:\Program Files\Norton SystemWorks\Norton

AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection

(NProtectService) - Symantec Corporation -

C:\Program Files\Norton SystemWorks\Norton

Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service

(NVSvc) - NVIDIA Corporation -

C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) -

Unknown owner -

C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) -

Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~

1\SBServ.exe
O23 - Service: Symantec Network Drivers Service

(SNDSrvc) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec

Corporation -

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) -

Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\Security

Center\SymWSC.exe

BC AdBot (Login to Remove)

 


m

#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:46 AM

Posted 18 May 2005 - 11:57 PM

Hello SOLANGE and welcome to the BC forums. There seems to be a formatting problem with your log. Try posting a new log by doing the following:

Start HijackThis and click the Do a system scan and save a log button to perform a scan and create a log file. When the scan is complete, Notepad will open up with the log file in it. While in Notepad, press Ctrl-A to select all text and then Ctrl-C to copy the text to the clipboard.

POST the log in this thread using the Add Reply button. Click in the data-entry window and press Ctrl-V to paste the log into the window. Add any other comments which you believe might be helpful in our analysis. and click the Add Reply button.

I will review your log when it comes in.


DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL I CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 SOLANGE

SOLANGE
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 19 May 2005 - 11:11 AM

Logfile of HijackThis v1.99.1
Scan saved at 9:09:22 AM, on 19/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
c:\progra~1\intern~1\iexplore.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Lisa Spencer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vdyminwhpjewxblfev.com/7Pt9yrjg...0wYwzIoyPw.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.praise1065.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.mytelus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.praise1065.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.windowsupdate.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.windowsupdate.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [2time] C:\DOCUME~1\LISASP~1\APPLIC~1\LIESGR~1\WebRefHide.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: Support - {BFE619B4-0BD3-444C-89F1-54E5D405242D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O12 - Plugin for .MTD: C:\Program Files\Internet Explorer\Plugins\npmusicn.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=1009
O16 - DPF: Animal Ark by pogo - http://play07.pogo.com/applet/animal/animal-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet/backgammon/b...n-ob-assets.cab
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.3.29/ca...a-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet-6.0.0...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://domino01.pogo.com/applet/domino/domino-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-5.9.5.37/euc...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire.pogo.com/applet-5.8.5.28/...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.4.18...o-ob-assets.cab
O16 - DPF: Hammerhead Pool by pogo - http://pool29.pogo.com/applet/pool/pool-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.9.5.30/pool...l-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-5.9.5.37/gin/gin-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-5.9.5.30/keno/keno-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-5.9.5.30/mahj...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-5.9.5.37...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.9.1.28/fl...r-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://solitaire07.pogo.com/applet-5.8.3.2...d-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.9.5.37/pop...t-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-5.9.0.18...h-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.9.4.30/ho...m-ob-assets.cab
O16 - DPF: Top Down Baseball Challenge by pogo - http://topdown2.pogo.com/applet-5.8.3.26/t...2-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-5.9.5.30/peak...s-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-5.9.4.30/jum...e-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://turbo15.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-5.9.5.37/vid...r-ob-assets.cab
O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/w...t-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet-5.9.0.18/word...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8.6.20/...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-5.9.4.22/w...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.9.1.28/w...s-ob-assets.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security2.norton.com/SSC/SharedCont...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {53406295-12AB-4F49-824A-C5EAD19365DE} (CHSInstaller Class) - http://www.compaq.com/athome/support/PCHInstallTrust01.cab
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.com/download//223/Eyetide%20Installer.cab
O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://www3.compaq.com/support/sndetect/CSND_AX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095036943015
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/applets/msie40x.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/ca/games6.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/wdriver...tter/wtinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {DBB2DE32-61F1-4F7F-BEB8-A37F5BC24EE2} (MozillaPluginHostCtrl Class) - http://www.musicnotes.com/download/adaptor.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:46 AM

Posted 19 May 2005 - 04:55 PM

Hi SOLANGE. Thanks for the new log. After reviewing it I see a few items that require our attention. Please print these directions and then proceed with the following steps in order.

Step #1

Download CCleaner and install it but do not run it yet.

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Microsoft AntiSpyware.
  • Click on Options>Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  • Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
  • After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
  • Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Step #2

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vdyminwhpjewxblfev.com/7Pt9yrjg...0wYwzIoyPw.html
O4 - HKCU\..\Run: [2time] C:\DOCUME~1\LISASP~1\APPLIC~1\LIESGR~1\WebRefHide.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {56C9629A-C33F-11D3-BBFB-00105A1FAD68} - http://www.eyetide.com/download//223/Eyetide%20Installer.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda.com/sites/games-intl/ca/games6.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/wdriver...tter/wtinst.cab

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #3

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\Documents and Settings\Lisa Spencer\APPLICATION DATA\LIESGR~1\WebRefHide.exe (look for a folder whose name begins with LIESGR)
Note: If you receive any error messages while trying to delete any of the above files/folders then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.

If needed, start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
If you rebooted into Safe Mode just stay in Safe Mode until I tell you to reboot normally.

Step #4

Start CCleaner and click on the Run Cleaner button in the lower right-hand corner. When it is finished close CCleaner.

Step #5

Reboot normally and run at least 2 of the following on-line virus scans:Trend Micro Housecall
BitDefender On-Line Virus Scan
Panda ActiveScan
eTrust Antivirus Web Scanner
Make sure that you choose "fix" or "clean".

Step #6

AdAware SE

Download, install, update, configure and run a scan with Ad-aware SE:
  • Download and Install AdAware SE Personal, keeping the default options. However, some of the settings will need to be changed before your first scan.
  • Close ALL windows except Ad-Aware SE.
  • Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
      • Automatically quarantine objects prior to removal
      • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include addtional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Save the log file when it asks and then click ‘Finish’
  • REBOOT to complete the removal of what Ad-Aware SE found.
Step #7

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#5 SOLANGE

SOLANGE
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 20 May 2005 - 02:43 PM

OldTimer, thank you......Performed all recommended steps and didn't need to reboot in Safe Mode. Under Step 2, removal of HJT log items - The first item HKCU/Software/Microsoft/Internet Explorer/Main,Search Bar= had a completely different www.address than the one in my initial HJT log but it appeared to be a similar hodgepodge of letters so I assumed it was the same entry, and checked it. That search bar address changes every time I do a scan!

After I ran the fix, I noticed my AntiSpyware had become active again, although I had shut it down before running HJT. I shut it down again.

Step 3 - when I searched for the file C:/Documents and Settings/Lisa Spencer/APPLICATION DATA/LIESGR~1/WebRefHide.EXE, it was there and I deleted the whole file and its contents. Something immediately caught the corner of my eye and a 'desktop.ini configuration settings' file appeared in that folder. That same 'desktop.ini' file appeared on my desktop a few days ago when I began attempting to delete my LOP malware. This may be completely unrelated, but I thought I'd mention it.

Upon reboot, I noticed a 'backups' folder appeared on my desktop. I looked inside and there are 8 files, 2 of which have .inf extensions. Again, this may be a normal process but I want to relate everything that happened.

Before rebooting I decided to empty my Recycle Bin. I have Norton Securities installed on my computer and it contains a Norton Protected Recycle Bin.....I have never known what to do with that, but it says it contains 1500 protected files. Should I attempt to delete these? My Norton is not working properly so it must be infected with something.

Step 5 - No viruses found (used Trend and downloaded BitDefender)

Step 6 - AdAware found (as always!) a LOP process which it claims to have stopped/removed. This seems to be my most tenacious malware. It changes its file name every time it is detected. Here is the quarantine file:

LOP
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Process : c:\docume~1\lisasp~1\locals~1\temp\ykgcbfyh.exe
obj[1]=Regkey : software\microsoft\downloadmanager

*Interestingly, as I was retrieving the quarantine file from my Ad-Aware folder, I noticed a couple of suspicious looking files. 'UNWISE.EXE' and 'unregaaw.exe' Do these belong here? Also, underneath my Ad-Aware folder there was an empty folder named LIESGRAMSOFT, which was the file I removed in step 3.

Rebooted normally.

Out of interest, I located c:\docume~1\lisasp~1\locals~1\temp\ykgcbfyh.exe in my temp folder, and it had already changed its name! Upon reboot, it changed to 'fvowdpxq.exe' (the file was created at exactly the same time as my reboot). It is 239 KB in size and when I try to delete it, and error box says 'cannot delete - access is denied - check to see if file is write-protected or in use'.

I have done some research on this LOP malware and it appears to be extremely difficult to remove.....apparently it installs along with Messenger Plus and Microsoft's 'party line' is that it is NOT malware but a legitimate searchbar program, with an unfortunate inability to be removed from anyone's system. HAHAHA

Well, here is my new HJT log - please advise if I should disable any antivirus or antispyware programs before running HJT? This time I did not disable anything.

Thanks so much for your help!



Logfile of HijackThis v1.99.1
Scan saved at 11:57:42 AM, on 20/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Lisa Spencer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://web.lgzrnaqcbn.com/7Pt9yrjgV3RC3mBd...0wYwzIoyPw.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.praise1065.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.mytelus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.praise1065.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.windowsupdate.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.windowsupdate.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\bdnagent.exe
O4 - HKCU\..\Run: [2time] C:\DOCUME~1\LISASP~1\APPLIC~1\LIESGR~1\WebRefHide.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {BFE619B4-0BD3-444C-89F1-54E5D405242D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O12 - Plugin for .MTD: C:\Program Files\Internet Explorer\Plugins\npmusicn.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=1009
O16 - DPF: Animal Ark by pogo - http://play07.pogo.com/applet/animal/animal-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet/backgammon/b...n-ob-assets.cab
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.3.29/ca...a-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet-6.0.0...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://domino01.pogo.com/applet/domino/domino-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-5.9.5.37/euc...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire.pogo.com/applet-5.8.5.28/...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.4.18...o-ob-assets.cab
O16 - DPF: Hammerhead Pool by pogo - http://pool29.pogo.com/applet/pool/pool-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.9.5.30/pool...l-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-5.9.5.37/gin/gin-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-5.9.5.30/keno/keno-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-5.9.5.30/mahj...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-5.9.5.37...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.9.1.28/fl...r-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://solitaire07.pogo.com/applet-5.8.3.2...d-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.9.5.37/pop...t-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-5.9.0.18...h-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.9.4.30/ho...m-ob-assets.cab
O16 - DPF: Top Down Baseball Challenge by pogo - http://topdown2.pogo.com/applet-5.8.3.26/t...2-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-5.9.5.30/peak...s-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-5.9.4.30/jum...e-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://turbo15.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-5.9.5.37/vid...r-ob-assets.cab
O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/w...t-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet-5.9.0.18/word...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8.6.20/...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-5.9.4.22/w...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.9.1.28/w...s-ob-assets.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {53406295-12AB-4F49-824A-C5EAD19365DE} (CHSInstaller Class) - http://www.compaq.com/athome/support/PCHInstallTrust01.cab
O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://www3.compaq.com/support/sndetect/CSND_AX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095036943015
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/applets/msie40x.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {DBB2DE32-61F1-4F7F-BEB8-A37F5BC24EE2} (MozillaPluginHostCtrl Class) - http://www.musicnotes.com/download/adaptor.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:46 AM

Posted 20 May 2005 - 04:46 PM

Hi SOLANGE. LOP in and of itself is not that difficult to remove and AdAware usually takes care of it unless there is something hidden that is holding it in place. We'll check for that and also see if we can't get your Norton running properly again.

Messenger Plus is not made by nore sold by Microsoft. It is a 3rd party application that uses LOP to popup advertising on your computer.

Go ahead and empty the Norton Protected Recycle bin. What that does is hold files that you have deleted and emptied from the Windows Recycle Bin just in case you want to restore them later.

The other files you mentioned are either legitimate or in quarantine by one of the various scanning applications. That's Ok that they are there but if you want to remove them then start whatever application has them in quarantine and delete the quarantined files from within the application.

Ok, let's scan for some hidden files. Download PFind.zip and unzip the contents to its own permanent folder.

Important! Reboot in SAFE MODE !!

Start in Safe Mode Using the F8 method:
  • Restart the computer in Safe Mode.
  • As soon as the BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Locate the pfind.bat file and double-click it to run it. It will start scanning your computer and could take a little while so be patient. When the DOS window closes, reboot back to normal mode.

Post the contents of C:\pfind.txt back here and I will review it when it comes in.

To repair Norton, completely uninstall and reinstall the Symantec products that you currently have. Many infections will attempt to disable any anti-virus application that you have running so that they can freely do their work. The only way to estblish the anti-virus application is to remove it and reinstall it.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#7 SOLANGE

SOLANGE
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 21 May 2005 - 02:45 AM

Files found with this application may be legitimate.
Only remove files that you know are malware related.
Checking the C:\WINDOWS folder
C:\WINDOWS\RMAgentOutput.dll: UPX!
C:\WINDOWS\TELUS 2005 Calendar.scr: .aspack
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4


Checking the C:\WINDOWS\SYSTEM32 folder
C:\WINDOWS\SYSTEM32\msbb321.dll: UPX!
C:\WINDOWS\SYSTEM32\ntdll.dll: .aspack


Checking all directories under the C:\WINDOWS\SYSTEM32\drivers folder


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder



Checking the C:\Documents and Settings\All Users\Application Data folder



Checking the C:\Documents and Settings\Lisa Spencer\Start Menu\programs\Startup\ folder

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:46 AM

Posted 21 May 2005 - 02:48 PM

Hi SOLANGE. There is 1 file that we should get rid of here.

Download Pocket Killbox and unzip it to your desktop.
  • Double-click on KillBox.exe.
  • Click "Delete on Reboot".
  • Paste the line below into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\SYSTEM32\msbb321.dll
  • Click the "Delete File" button which looks like a stop sign.
  • Click "Yes" at the Delete on Reboot prompt.
  • Click "Yes" at the Delete next Reboot prompt.
  • If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
After the reboot start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#9 SOLANGE

SOLANGE
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 21 May 2005 - 10:21 PM

OT.....everything went perfectly. Haven't reinstalled Norton yet, as I can't find my disk. I still get browser hijack attempts (IE Search Bar) every time I reboot, and that WebSearch bar is still at the bottom of the IE window. Not on Mozilla though. Thanks again for your help.


Logfile of HijackThis v1.99.1
Scan saved at 8:08:05 PM, on 21/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Lisa Spencer\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.uvzuvtblkcmhcmzszgjh.com/7Pt9yr...h0wYwzIoyPw.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.mytelus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.praise1065.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.windowsupdate.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.windowsupdate.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\bdnagent.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
O4 - HKCU\..\Run: [2time] C:\DOCUME~1\LISASP~1\APPLIC~1\LIESGR~1\WebRefHide.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {BFE619B4-0BD3-444C-89F1-54E5D405242D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O12 - Plugin for .MTD: C:\Program Files\Internet Explorer\Plugins\npmusicn.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=1009
O16 - DPF: Animal Ark by pogo - http://play07.pogo.com/applet/animal/animal-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet/backgammon/b...n-ob-assets.cab
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.3.29/ca...a-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet-6.0.0...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://domino01.pogo.com/applet/domino/domino-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-5.9.5.37/euc...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire.pogo.com/applet-5.8.5.28/...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.4.18...o-ob-assets.cab
O16 - DPF: Hammerhead Pool by pogo - http://pool29.pogo.com/applet/pool/pool-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.9.5.30/pool...l-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-5.9.5.37/gin/gin-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-5.9.5.30/keno/keno-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-5.9.5.30/mahj...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-5.9.5.37...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.9.1.28/fl...r-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://solitaire07.pogo.com/applet-5.8.3.2...d-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.9.5.37/pop...t-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-5.9.0.18...h-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.9.4.30/ho...m-ob-assets.cab
O16 - DPF: Top Down Baseball Challenge by pogo - http://topdown2.pogo.com/applet-5.8.3.26/t...2-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-5.9.5.30/peak...s-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-5.9.4.30/jum...e-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://turbo15.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-5.9.5.37/vid...r-ob-assets.cab
O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/w...t-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet-5.9.0.18/word...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8.6.20/...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-5.9.4.22/w...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.9.1.28/w...s-ob-assets.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {53406295-12AB-4F49-824A-C5EAD19365DE} (CHSInstaller Class) - http://www.compaq.com/athome/support/PCHInstallTrust01.cab
O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://www3.compaq.com/support/sndetect/CSND_AX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095036943015
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/applets/msie40x.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {DBB2DE32-61F1-4F7F-BEB8-A37F5BC24EE2} (MozillaPluginHostCtrl Class) - http://www.musicnotes.com/download/adaptor.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:46 AM

Posted 22 May 2005 - 09:08 AM

Hi SOLANGE. Ok, let's try and clear up this LOP infection again. Please print these directions and then proceed with the following steps in order.

Step #1

Start in Safe Mode Using the F8 method:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until the boot menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\Documents and Settings\Lisa Spencer\APPLICATION DATA\LIESGR~1\WebRefHide.exe
Step #3

AdAware SE
  • Close ALL windows and start Ad-Aware SE.
  • Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.
  • Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window:
    • In the ‘General’ window make sure the following are selected in green:
      • Under Safety:
        • Automatically save log-file
      • Automatically quarantine objects prior to removal
      • Safe Mode (always request confirmation)
    • Under Definitions:
      • Prompt to update outdated definitions - set the number of days
  • Click on the ‘Scanning’ button on the left and select in green:
    • Under Driver, Folders & Files:
      • Scan Within Archives
    • Under Select drives & folders to scan:
      • choose all hard drives
    • Under Memory & Registry: all green
      • Scan Active Processes
      • Scan Registry
      • Deep Scan Registry
      • Scan my IE favorites for banned URL’s
      • Scan my Hosts file
  • Click on the ‘Advanced’ button on the left and select in green:
    • Under Shell Integration:
      • Move deleted files to recycle bin
    • Under Logfile Detail Level: all green
      • include addtional object information
      • DESELECT - include negligible objects information
      • include environment information
    • Under Alternate Data Streams:
      • Don't log streams smaller than 0 bytes
      • Don't log ADS with the following names: CA_INOCULATEIT
  • Click the ‘Tweak’ button and select in green:
    • Under ‘Scanning Engine’:
      • Unload recognized processes during scanning
      • Scan registry for all users instead of current user only
    • Under ‘Cleaning Engine’:
      • Let Windows remove files in use at next reboot
    • Under Log Files:
      • Include basic Ad-aware SE settings in logfile
      • Include additional Ad-aware SE settings in logfile
      • Please do not check: Include Module list in logfile
  • Click on ‘Proceed’ to save the settings.
  • Click ‘Start’
  • Choose 'Perform Full System Scan'
  • DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.
  • Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.
  • If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window
  • Save the log file when it asks and then click ‘Finish’
  • REBOOT to complete the removal of what Ad-Aware SE found.
Step #4

Start HijackThis and click the Scan button to perform a scan. Look for the following items and click in the checkbox in front of each item to select it:R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.uvzuvtblkcmhcmzszgjh.com/7Pt9yr...h0wYwzIoyPw.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKCU\..\Run: [2time] C:\DOCUME~1\LISASP~1\APPLIC~1\LIESGR~1\WebRefHide.exe

Now close ALL open windows except HijackThis and click the Fix Checked button to finish the repair.

Step #5

OK. Reboot your computer normally, start HijackThis and perform a new scan. Use the Add Reply button to post your new log file back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#11 SOLANGE

SOLANGE
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 22 May 2005 - 06:28 PM

Hi OT

Step 5 was cut off, please repeat. Thanks!

CANCEL THAT - I can see it now!!

Edited by SOLANGE, 22 May 2005 - 06:29 PM.


#12 SOLANGE

SOLANGE
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 26 May 2005 - 02:56 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:53:14 PM, on 26/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Documents and Settings\Lisa Spencer\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.mytelus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.praise1065.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.windowsupdate.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.windowsupdate.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AOL Instant Messenger ™ - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {BFE619B4-0BD3-444C-89F1-54E5D405242D} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O12 - Plugin for .MTD: C:\Program Files\Internet Explorer\Plugins\npmusicn.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=1009
O16 - DPF: Animal Ark by pogo - http://play07.pogo.com/applet/animal/animal-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet/backgammon/b...n-ob-assets.cab
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-5.9.3.29/ca...a-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet-6.0.0...g-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://domino01.pogo.com/applet/domino/domino-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-5.9.5.37/euc...e-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://solitaire.pogo.com/applet-5.8.5.28/...2-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5.8.4.18...o-ob-assets.cab
O16 - DPF: Hammerhead Pool by pogo - http://pool29.pogo.com/applet/pool/pool-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.9.5.30/pool...l-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-5.9.5.37/gin/gin-ob-assets.cab
O16 - DPF: Keno by pogo - http://keno.pogo.com/applet-5.9.5.30/keno/keno-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-5.9.5.30/mahj...g-ob-assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://waterwheel.pogo.com/applet-5.9.5.37...l-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://flinger.pogo.com/applet-5.9.1.28/fl...r-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://solitaire07.pogo.com/applet-5.8.3.2...d-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet/popfu/popfu-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://poppit.pogo.com/applet-5.9.5.37/pop...t-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet/squelchi...s-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-5.9.0.18...h-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.9.4.30/ho...m-ob-assets.cab
O16 - DPF: Top Down Baseball Challenge by pogo - http://topdown2.pogo.com/applet-5.8.3.26/t...2-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-5.9.5.30/peak...s-ob-assets.cab
O16 - DPF: Tumble Bees by pogo - http://jumbee.pogo.com/applet-5.9.4.30/jum...e-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://turbo15.pogo.com/applet/turbo21/turbo21-ob-assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-5.9.5.37/vid...r-ob-assets.cab
O16 - DPF: Word Riot by pogo - http://wordriot.pogo.com/applet/wordriot/w...t-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://whomp.pogo.com/applet-5.9.0.18/word...p-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8.6.20/...n-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-5.9.4.22/w...g-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://klondike.pogo.com/applet-5.9.1.28/w...s-ob-assets.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab28578.cab
O16 - DPF: {29C13B62-B9F7-4CD3-8CEF-0A58A1A99441} - http://fdl.msn.com/public/chat/msnchat41.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {53406295-12AB-4F49-824A-C5EAD19365DE} (CHSInstaller Class) - http://www.compaq.com/athome/support/PCHInstallTrust01.cab
O16 - DPF: {5CE8C9BE-B561-4311-8C03-D6F6C1CAF7E1} (CSND_AX.ctlCSND_AX) - http://www3.compaq.com/support/sndetect/CSND_AX.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1095036943015
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {8D83D301-E841-11D1-B155-00600823BCF9} (WebLine Browser Integration Classes) - http://live.landsend.com/webline/applets/msie40x.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security2.norton.com/SSC/SharedCont...c/bin/cabsa.cab
O16 - DPF: {DBB2DE32-61F1-4F7F-BEB8-A37F5BC24EE2} (MozillaPluginHostCtrl Class) - http://www.musicnotes.com/download/adaptor.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://utu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E09F6B38-3A0D-11D3-B5E7-0008C7BF61F2} (DetectMN) - http://www.musicnotes.com/download/npmusicn.cab
O16 - DPF: {E87A6788-1D0F-4444-8898-1D25829B6755} - http://fdl.msn.com/public/chat/msnchat4.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab28578.cab
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - Unknown owner - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#13 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:46 AM

Posted 26 May 2005 - 06:25 PM

Hi SOLANGE. Your log is clean. Good job! How are things running? Any problems?

If you are still having problems with Norton then completely uninstall all Symantec products and reinstall them.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:and a good antivirus like the one you are currently using. It is critical to have both a firewall and an anti-virus application and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#14 SOLANGE

SOLANGE
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:12:46 AM

Posted 27 May 2005 - 02:08 AM

Thank you very much! One last note......I could not find System Restore via My Computer/Properties.......I had to go into Control Panel/System/System Restore. I had turned off System Restore before I contacted you, and it remained off throughout the whole process. I enabled it tonight. Do I still need to turn it off and then on again?

Thanks for the tips on staying clean!

#15 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:01:46 AM

Posted 27 May 2005 - 12:57 PM

If it was off until after the cleanup then you should be ok. We don't ususally recommend turning it off and cleaning it out until the end of the process because if somehting goes wrong an infected restore is better than no restore at all. You should be fine with what you have.

Now that your issues have been resolved I will close this topic. If you need it reopened for this same issue then please PM me. If you have any new issues in the future then please start a new topic.

Cheers.

Keep on computing!

OT :thumbsup:
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users