Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

AV Gold followons


  • Please log in to reply
11 replies to this topic

#1 philphil

philphil

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:33 PM

Posted 07 July 2005 - 11:10 AM

Greetings, and thank you for a wonderful place!
I had Anti-Virus Gold. Your forum appeared to have the most thorough instructions for removing it, which I followed. I also followed the steps for the typical companion programs, but did not appear to have the ones specified. Remaining problems: home page gets reset to about:blank, keystrokes are VERY slow, pop-ups still popping up; all search tools get rewritten. Desktop no longer gets overlaid with the AV Gold display, but DOES get overlaid as all white (normal icons still visible and working). I have updated my Norton, my Spybot, my Adaware and rerun numerous times; all find problems which continue to come back. None gets rid of the remaining symptoms. Thank you for any assistance you might offer.

Logfile of HijackThis v1.99.1
Scan saved at 8:57:38 AM, on 7/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\atlmw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Phil Kellogg\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vbkig.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vbkig.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\vbkig.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\vbkig.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\vbkig.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vbkig.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\vbkig.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7205A0FB-03A3-29B0-F193-EEC35EB9D77B} - C:\WINDOWS\apikt32.dll
O2 - BHO: Class - {87684604-6852-F5FC-07A8-F01DC933DBA2} - C:\WINDOWS\sysxn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F9D7B838-0128-DA47-424A-9E6B5C35E7D6} - C:\WINDOWS\system32\iesq32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [atlmw.exe] C:\WINDOWS\atlmw.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunOnce: [netqn.exe] C:\WINDOWS\netqn.exe
O4 - HKLM\..\RunOnce: [javaig.exe] C:\WINDOWS\javaig.exe
O4 - HKLM\..\RunOnce: [atlnr.exe] C:\WINDOWS\system32\atlnr.exe
O4 - HKLM\..\RunOnce: [winjp.exe] C:\WINDOWS\winjp.exe
O4 - HKLM\..\RunOnce: [ipmm32.exe] C:\WINDOWS\ipmm32.exe
O4 - HKLM\..\RunOnce: [netqw32.exe] C:\WINDOWS\netqw32.exe
O4 - HKLM\..\RunOnce: [javatj32.exe] C:\WINDOWS\system32\javatj32.exe
O4 - HKLM\..\RunOnce: [atlej32.exe] C:\WINDOWS\system32\atlej32.exe
O4 - HKLM\..\RunOnce: [d3hr32.exe] C:\WINDOWS\d3hr32.exe
O4 - HKLM\..\RunOnce: [apput.exe] C:\WINDOWS\system32\apput.exe
O4 - HKLM\..\RunOnce: [ipjd32.exe] C:\WINDOWS\system32\ipjd32.exe
O4 - HKLM\..\RunOnce: [addvf.exe] C:\WINDOWS\addvf.exe
O4 - HKLM\..\RunOnce: [apimy.exe] C:\WINDOWS\system32\apimy.exe
O4 - HKLM\..\RunOnce: [atlun.exe] C:\WINDOWS\system32\atlun.exe
O4 - HKLM\..\RunOnce: [atlvj.exe] C:\WINDOWS\system32\atlvj.exe
O4 - HKLM\..\RunOnce: [ipgj.exe] C:\WINDOWS\ipgj.exe
O4 - HKLM\..\RunOnce: [iprx32.exe] C:\WINDOWS\iprx32.exe
O4 - HKLM\..\RunOnce: [netvm.exe] C:\WINDOWS\netvm.exe
O4 - HKLM\..\RunOnce: [javaao.exe] C:\WINDOWS\javaao.exe
O4 - HKLM\..\RunOnce: [addev32.exe] C:\WINDOWS\addev32.exe
O4 - HKLM\..\RunOnce: [crdd32.exe] C:\WINDOWS\crdd32.exe
O4 - HKLM\..\RunOnce: [winoz.exe] C:\WINDOWS\system32\winoz.exe
O4 - HKLM\..\RunOnce: [sysxg.exe] C:\WINDOWS\system32\sysxg.exe
O4 - HKLM\..\RunOnce: [javadq.exe] C:\WINDOWS\system32\javadq.exe
O4 - HKLM\..\RunOnce: [iehs.exe] C:\WINDOWS\system32\iehs.exe
O4 - HKLM\..\RunOnce: [apilz32.exe] C:\WINDOWS\apilz32.exe
O4 - HKLM\..\RunOnce: [d3po.exe] C:\WINDOWS\d3po.exe
O4 - HKLM\..\RunOnce: [sysil32.exe] C:\WINDOWS\sysil32.exe
O4 - HKLM\..\RunOnce: [mfchy.exe] C:\WINDOWS\system32\mfchy.exe
O4 - HKLM\..\RunOnce: [wingk32.exe] C:\WINDOWS\system32\wingk32.exe
O4 - HKLM\..\RunOnce: [sysnq.exe] C:\WINDOWS\sysnq.exe
O4 - HKLM\..\RunOnce: [ipaq32.exe] C:\WINDOWS\ipaq32.exe
O4 - HKLM\..\RunOnce: [nttd.exe] C:\WINDOWS\nttd.exe
O4 - HKLM\..\RunOnce: [iejw.exe] C:\WINDOWS\system32\iejw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Internet Explorer.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094442367257
O18 - Protocol: wavetop - {2828353E-8B60-11D1-821D-00609720131C} - (no file)
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\iehv32.exe" /s (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

BC AdBot (Login to Remove)

 


#2 philphil

philphil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:33 PM

Posted 07 July 2005 - 01:34 PM

thanks.
NONE of the processes stated were running.
NONE of the registry entries stated exist.
NONE of the directories mentioned exist.
the ONLY file mentioned that exists is uninst.exe which is in 2 places:
C:\WINDOWS
C:\Program...\Common...\Adobe\ESD
Are these safe to delete?

I forgot to mention also 3 apparently bogus installed programs (control panel add/remove programs):
Home Search Assistant
Search Extender
Shopping Wizard

Also, added to my favorites in IE are Search The Web, Seven days of free porn, only sex site, and a folder called sites about.

Am I tracking the right problem or has some other nasty invaded?

#3 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:01:33 PM

Posted 08 July 2005 - 09:59 PM

If you still need help, could you post a fresh log please?

#4 philphil

philphil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:33 PM

Posted 09 July 2005 - 05:38 PM

Thanks, groovicus, I should have thought to post another log. Still a problem.
Additional details:
1) Normal desktop background displays for a minute or so at boot, then is overlaid in white (icons still visible and functional). There is no longer an AV Gold advertisement.
2) Keystrokes still VERY slow.
Popups still occur.
3) 3 apparently bogus installed programs (control panel add/remove programs):
Home Search Assistant
Search Extender
Shopping Wizard
Attempts to remove any of the 3 via control panel take me to a webpage that seems like a landmine ("click here to uninstall..."). I have not attempted to uninstall this way.
4) Added to my favorites in IE are Search The Web, Seven days of free porn, only sex site, and a folder called sites about. Delete them and they come back.
5) When I followed the instructions you linked me to earlier, I had the following results:
NONE of the processes stated were running.
NONE of the registry entries stated exist.
NONE of the directories mentioned exist.
the ONLY file mentioned that exists is uninst.exe which is in 2 places:
(1) C:\WINDOWS\
(2) C:\Program Files...\Common...\Adobe\ESD\

RE: uninst.exe, I have NOT yet deleted. Are these safe to delete?

Here's da log:

Logfile of HijackThis v1.99.1
Scan saved at 3:22:52 PM, on 7/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\atlmw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Documents and Settings\Phil Kellogg\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tssbk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tssbk.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tssbk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tssbk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tssbk.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tssbk.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tssbk.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {08736D47-A3C8-226F-519D-E7C2EDCAB7AF} - C:\WINDOWS\netiv.dll
O2 - BHO: Class - {0FD1DEEA-1A6E-D2A8-546F-C5B4E5E41E0C} - C:\WINDOWS\sdkid32.dll
O2 - BHO: Class - {22D53F6A-DD3C-EB55-CAAE-B1040F97DC94} - C:\WINDOWS\system32\iece32.dll
O2 - BHO: Class - {2ABCDE08-6852-2323-22DC-5C16F8D261E9} - C:\WINDOWS\atlvb.dll
O2 - BHO: Class - {34AA49E4-4ACB-EE28-1C88-D1ECE6822FF6} - C:\WINDOWS\system32\ntgx.dll
O2 - BHO: Class - {3C6D6FE2-DACB-D02F-CE7A-FC690B77B352} - C:\WINDOWS\system32\mfczm.dll
O2 - BHO: Class - {3D04ED84-CB60-D0D7-5B32-B6E17342655A} - C:\WINDOWS\systa.dll
O2 - BHO: Class - {424F05AC-4537-F0B2-7345-6197152A9E72} - C:\WINDOWS\ipug.dll
O2 - BHO: Class - {4873121D-827E-1BD4-1A2C-B5A0C13C9785} - C:\WINDOWS\system32\ieua.dll
O2 - BHO: Class - {4A8FA403-6D03-3DF6-B04E-8F3E905BDA8C} - C:\WINDOWS\system32\apirr32.dll
O2 - BHO: Class - {57031518-1EF5-9E36-92EF-3E4E0944F8D1} - C:\WINDOWS\ntml32.dll
O2 - BHO: Class - {5A0FBFB4-9E43-D3EA-1A21-B85429F80041} - C:\WINDOWS\system32\ipyr32.dll
O2 - BHO: Class - {64A40FD6-3F01-0899-EE8F-4225375C5060} - C:\WINDOWS\system32\appfv.dll
O2 - BHO: Class - {6F99FDED-7DA7-05E7-9D9B-E6541DE22E40} - C:\WINDOWS\ipad32.dll
O2 - BHO: Class - {77B53978-2565-4255-4344-BD6EFAFEAEB8} - C:\WINDOWS\system32\mswk.dll
O2 - BHO: Class - {7B4A8261-0A80-402A-F1BE-9B2ACBFECDD5} - C:\WINDOWS\system32\msyl32.dll
O2 - BHO: Class - {7E35BA92-B311-70A1-8E0E-EE430F0CC372} - C:\WINDOWS\netgm.dll
O2 - BHO: Class - {83BDAA20-9B1F-DFEE-99E7-B23F0E432EFD} - C:\WINDOWS\sdksi32.dll
O2 - BHO: Class - {9041DC7F-A546-4FA4-2F1E-B74E22A722FE} - C:\WINDOWS\system32\mfclx.dll
O2 - BHO: Class - {95403FF6-A690-5E88-C0B4-C7CE6F234369} - C:\WINDOWS\d3jn32.dll
O2 - BHO: Class - {A0F0E2D2-FBEE-BE6A-FC88-3650DC964D83} - C:\WINDOWS\system32\sdkuk32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: Class - {AB11BFD8-F768-A97B-25D0-43DBC905C3DD} - C:\WINDOWS\mfcbv.dll
O2 - BHO: Class - {B0030846-0596-1454-D1AE-FC69B7F19AC8} - C:\WINDOWS\system32\ntcc32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {E0C391EC-E5DC-2EB5-4D6C-E96F55D9CF3A} - C:\WINDOWS\system32\sysvk.dll
O2 - BHO: Class - {E1696EBA-5E59-F225-7A9B-61EA1D4C0CF7} - C:\WINDOWS\system32\apiec32.dll
O2 - BHO: Class - {F3DEB5FA-0E08-9347-26D3-A5F3D9AB08A4} - C:\WINDOWS\system32\netpp32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [atlmw.exe] C:\WINDOWS\atlmw.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\RunOnce: [netqn.exe] C:\WINDOWS\netqn.exe
O4 - HKLM\..\RunOnce: [sysil32.exe] C:\WINDOWS\sysil32.exe
O4 - HKLM\..\RunOnce: [systn.exe] C:\WINDOWS\system32\systn.exe
O4 - HKLM\..\RunOnce: [sdkgb32.exe] C:\WINDOWS\sdkgb32.exe
O4 - HKLM\..\RunOnce: [atlyy.exe] C:\WINDOWS\atlyy.exe
O4 - HKLM\..\RunOnce: [ntiq.exe] C:\WINDOWS\ntiq.exe
O4 - HKLM\..\RunOnce: [apiqo32.exe] C:\WINDOWS\system32\apiqo32.exe
O4 - HKLM\..\RunOnce: [apitx.exe] C:\WINDOWS\system32\apitx.exe
O4 - HKLM\..\RunOnce: [atlir.exe] C:\WINDOWS\system32\atlir.exe
O4 - HKLM\..\RunOnce: [crab32.exe] C:\WINDOWS\crab32.exe
O4 - HKLM\..\RunOnce: [d3ar32.exe] C:\WINDOWS\d3ar32.exe
O4 - HKLM\..\RunOnce: [ipph32.exe] C:\WINDOWS\ipph32.exe
O4 - HKLM\..\RunOnce: [ntei32.exe] C:\WINDOWS\ntei32.exe
O4 - HKLM\..\RunOnce: [atlrk32.exe] C:\WINDOWS\system32\atlrk32.exe
O4 - HKLM\..\RunOnce: [ntws.exe] C:\WINDOWS\system32\ntws.exe
O4 - HKLM\..\RunOnce: [atlbu32.exe] C:\WINDOWS\system32\atlbu32.exe
O4 - HKLM\..\RunOnce: [sysif32.exe] C:\WINDOWS\system32\sysif32.exe
O4 - HKLM\..\RunOnce: [crwt32.exe] C:\WINDOWS\system32\crwt32.exe
O4 - HKLM\..\RunOnce: [javaox.exe] C:\WINDOWS\system32\javaox.exe
O4 - HKLM\..\RunOnce: [apitr.exe] C:\WINDOWS\apitr.exe
O4 - HKLM\..\RunOnce: [crxh32.exe] C:\WINDOWS\system32\crxh32.exe
O4 - HKLM\..\RunOnce: [netvn.exe] C:\WINDOWS\netvn.exe
O4 - HKLM\..\RunOnce: [msdo.exe] C:\WINDOWS\system32\msdo.exe
O4 - HKLM\..\RunOnce: [mstf.exe] C:\WINDOWS\system32\mstf.exe
O4 - HKLM\..\RunOnce: [crpy.exe] C:\WINDOWS\crpy.exe
O4 - HKLM\..\RunOnce: [netso32.exe] C:\WINDOWS\system32\netso32.exe
O4 - HKLM\..\RunOnce: [crej32.exe] C:\WINDOWS\crej32.exe
O4 - HKLM\..\RunOnce: [winpf.exe] C:\WINDOWS\winpf.exe
O4 - HKLM\..\RunOnce: [sdkxl.exe] C:\WINDOWS\system32\sdkxl.exe
O4 - HKLM\..\RunOnce: [sdkhx.exe] C:\WINDOWS\sdkhx.exe
O4 - HKLM\..\RunOnce: [addea.exe] C:\WINDOWS\addea.exe
O4 - HKLM\..\RunOnce: [cryp32.exe] C:\WINDOWS\cryp32.exe
O4 - HKLM\..\RunOnce: [apidr.exe] C:\WINDOWS\apidr.exe
O4 - HKLM\..\RunOnce: [atlwp.exe] C:\WINDOWS\atlwp.exe
O4 - HKLM\..\RunOnce: [ntgm32.exe] C:\WINDOWS\system32\ntgm32.exe
O4 - HKLM\..\RunOnce: [ippv.exe] C:\WINDOWS\system32\ippv.exe
O4 - HKLM\..\RunOnce: [netyw.exe] C:\WINDOWS\netyw.exe
O4 - HKLM\..\RunOnce: [ntwy32.exe] C:\WINDOWS\ntwy32.exe
O4 - HKLM\..\RunOnce: [d3vr32.exe] C:\WINDOWS\d3vr32.exe
O4 - HKLM\..\RunOnce: [addnn.exe] C:\WINDOWS\system32\addnn.exe
O4 - HKLM\..\RunOnce: [iefw32.exe] C:\WINDOWS\iefw32.exe
O4 - HKLM\..\RunOnce: [appmk32.exe] C:\WINDOWS\appmk32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Internet Explorer.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094442367257
O18 - Protocol: wavetop - {2828353E-8B60-11D1-821D-00609720131C} - (no file)
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\netqn.exe" /s (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#5 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:01:33 PM

Posted 09 July 2005 - 05:48 PM

You have a good CWS infection.... this fix is lengthy, but it works..

PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING.
(Click on Print this topic in the upper RH corner.)

STEP 1:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here.

STEP 2:
Please download Trend Micro CWShredder here.
Save it to its own folder named CWShredder and place it at the root of your C:\drive along with HijackThis.
Don't run it yet, we will use it later.

STEP 3:
Download AboutBuster from RubbeR DuckY here
Save it to its own folder named AboutBuster and place it at the root of your C:\drive along with HijackThis.
Double-click AboutBuster.exe and press Update to make sure you have the latest reference file version.
NOTE: You might want to view this AboutBuster tutorial here first before running the tool.
Don't run it yet, we will use it later.

STEP 4:
Download and install the latest version of Ad-Aware SE here
NOTE: If you are still using the older Ad-Aware 6, go to Add/Remove Programs in the Control Panel and uninstall it now before installing Ad-Aware SE.
Please configure the program by following these instructions here.
Before scanning click on "Check for updates now" to make sure you have the latest reference file.
Don't run it yet, we will use it later.

STEP 5:
Download the eScan Antivirus Toolkit here.
Save it to the desktop. This program is 10MB in size.
Don't run it yet, we will use it later.

STEP 6:
Download and install the Ewido Security Suite
NOTE: The Ewido Security Suite utility will not install on Windows 95, 98, ME, or NT. The minimum system requirements for Ewido Security Suite is: Windows 2000 or Windows XP. 1.) Download and install the Ewido Security Suite here
2.) Double-click on the new e Ewido shortcut on the desktop to open the program.
3.) On the upper LH side column, click on the Update button.
(This will update the program with all the latest signature files.)
Don't run it yet, we will use it later.
STEP 7:
If you are using Windows 2000 or XP, you must first STOP and DISABLE the rogue service:
There are different Display Names to look for:
  • Workstation NetLogon Service
  • Remote Procedure Call (RPC) Helper
  • Remote Access Service
  • Network Security Service (NSS)
Go to Start => Run and type "Services.msc" (without quotes) then click Ok. 1.) Scroll down and find one of the bad services described above such as: Remote Procedure Call (RPC) Helper
2.) When you find it, double-click on it.
3.) In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled.
4.) Now hit Apply and then Ok and close any open windows.
STEP 8:
If you are using Windows 2000 or XP, copy the contents of the Quote Box below to Notepad. Name the file as cwsresfix.reg. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\O.#?´]

If you are using Windows 98, ME, copy the contents of the Quote Box below to Notepad. Name the file as cwsresfix.reg. Change the Save as Type to All Files, Save this file on the desktop. Please DO NOT include the word QUOTE when saving the file.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

STEP 9:
Please reboot into Safe Mode. For instructions click here
Get into Safe Mode using the F8 Key on your keyboard:1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3.) Select the option for Safe Mode using the up down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here and when you are done, reboot PC back into normal mode (Windows).
STEP 10:
From Safe Mode, double-click on cwshredder.exe to open it, click the 'Fix->' button (not 'Scan Only') and you'll be prompted that CWShredder will shutdown any Internet Explorer and Windows Media Player windows, click OK to continue and let it run completely to delete anything it finds. After its scan, click Next, then Exit.

STEP 11:
From Safe Mode, browse to C:\AboutBuster and double click on aboutbuster.exe. 1.) Click Begin Removal and allow the program to run.
2.) After AboutBuster has finished click OK. It will now open a new page, click on the Protection tab and follow the instructions for protection on that page.
3.) Now click Exit and then click OK to the Logfile created dialog box.
STEP 12:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:1.) Double-click on the mwav.exe file saved to the desktop. A WinZip Self-Extractor will appear.
2.) Click Unzip, by default it will extract all the program files to new folder called Kaspersky at the root of the C:\drive. (C:\Kaspersky).
3.) A dialog box stating "1xx file(s) unzipped successfully" will appear, click OK. After clicking ok, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are all checked.
5.) Check the Drive box, this will create a another Drive box below it, check this second Drive box as well, now a large window across from the second Drive box appears. In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive. eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed. To close the interface, click OK, click Exit, then click Exit again.
STEP 13:
From Safe Mode, run the Ewido Security Suite.
NOTE: Windows 2000 and XP only. 1.) Double-click on the e Ewido shortcut on the desktop to open the program.
2.) On the upper LH side column, click on Scanner.
3.) Click the Settings button, under What to scan? click Scan every file, click OK.
4.) Click the Complete System Scan button.
5.) Have the program delete everything it finds.
STEP 14:
From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds. Run the program again a second time.

STEP 15:
From Safe Mode, double-click on the cwsresfix.reg you created earlier and when it prompts to merge say yes, and this will clear some registry entries left behind by the process. Now reboot the PC back into Normal Mode (Windows).

STEP 16:
Go to Start, Run, type in %temp% click OK.
Click Edit, Select All, click File, Delete, now click Yes to send items to Recycle Bin. Now empty Recycle Bin.

STEP 17:
This infection may delete the Windows shell.dll file and the control.exe file. Make sure you always perform a Windows search for these files after the cleanup. If you are using Windows 2000, or XP, go to Start, Search, For Files or Folders, and type in shell.dll.
For Windows 2000, it will be found here:
  • C:\WINNT\System32
  • C:\WINNT\System
For Windows XP, it will be found here:
  • C:\Windows\System32
  • C:\Windows\System
Now look for the control.exe file.
For Windows 2000 it will be found here:
  • C:\WINNT\System32
For Windows XP it will be found here:
  • C:\Windows\System32
If any of these files are missing in 2000 or XP, they can be replaced from the dllcache folder.
For Windows 2000, a replacement can be found here:
  • C:\WINNT\System32\dllcache
For Windows XP, a replacement can be found here:
  • C:\Windows\System32\dllcache
Now copy and paste the file(s) from the dllcache folder into the proper folder (shown above) according to your version of Windows.

The files shell.dll and control.exe can also be downloaded. They can be downloaded from here.
Once the file(s) are downloaded extract the file(s) and copy them into the proper folder (shown above) according to your version of Windows.
If you are using Windows 98, ME please download shell.dll or control.exe from here.
Once the file(s) are downloaded extract the file and copy it to the following locations:
Place control.exe here:
  • C:\Windows
Place shell.dll here:
  • C:\Windows\System
If you are still experiencing problems after completing the removal steps above, please post your HijackThis log in the Spyware/Malware Help forum for review.

#6 philphil

philphil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:33 PM

Posted 11 July 2005 - 01:37 PM

thanks. ONE PROBLEM: the contents of the quote box for STEP 8 display (and copy) as mostly garbage charcters (beginning at line 7 through the end of the box); this step is the registry fixes for XP. oddly, the box for step 9 (Win 98 registry fixes) displays as completely readable. Unfortunately, I'm on XP and therefore need the step 8 stuff. Can you re-post the XP registry fixes? Meanwhile, I'll begin downloading the necessary utilities but will not begin implementing the fix until I have all tools in hand.
Thanks very much.
- phil

#7 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:01:33 PM

Posted 11 July 2005 - 05:33 PM

Do you mean this part?

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\�%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11F฿ไ #ทบฤึ`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\O.#?´]


The file names really look that way... or did you mean the rest of it was unreadable? :thumbsup:

#8 philphil

philphil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:33 PM

Posted 11 July 2005 - 06:53 PM

no, you're correct, i DID mean the part you quoted with the weird little boxes, etc. i did not think they looked like legit file names and wondered if something had been lost in translation somehow. thanks, and i will be attacking tomorrow after i have everything assembled.

#9 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:01:33 PM

Posted 11 July 2005 - 07:13 PM

That's part of what makes this difficult to kill.. they make the file names look weird and mysterious, and you can't just type the name into a command box to kill it because it uses (guessing here) Cryllic characters.

#10 philphil

philphil
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:02:33 PM

Posted 12 July 2005 - 05:25 PM

Greetings and heartfelt thanks, Groovicus!
Virtually all AVGold and CWS demons have been vanquished on my system (see log below). One remaining issue is that my normal desktop image display shows for several seconds on boot, then (still) gets overlaid with all white - all icons display and function, so this is not a big deal (other than missing my cat's picture :thumbsup: ). I've re-applied the desktop through control panel/display and it still won't stick. Believe me, this is NOT a big deal and I only mention it to see if it is the symptom of something uglier or you happen to know a fix.

STATUS:
rogue programs and search tools GONE
keystrokes far peppier than before
homepage stays home
rogue RPC helper GONE
wife no longer nagging me to fix the damn computer

I won't close close this topic yet in case you have a suggestion as to the white desktop. BTW, I will be sending a "non-monetary contribution" via USPS from Hands Solo Music.

Logfile of HijackThis v1.99.1
Scan saved at 2:59:33 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Documents and Settings\Phil Kellogg\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Internet Explorer.lnk = C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1094442367257
O18 - Protocol: wavetop - {2828353E-8B60-11D1-821D-00609720131C} - (no file)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#11 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Centerville, SD
  • Local time:01:33 PM

Posted 12 July 2005 - 05:58 PM

Your log looks just spiffy. I'm not sure what to tell you about the desktop. Removal of this infection has been causing problems as of late, and I'm not sure why. The solution to your problem is probably some tiny little fix, unfortunately I don't know what that is. I have a suspicion that it is about:buster causing an issue, but I need to check with the maker and see if he has any ideas. Other than that, you did very well. :thumbsup:

#12 bryan5255

bryan5255

  • Members
  • 56 posts
  • OFFLINE
  •  
  • Local time:01:33 PM

Posted 15 December 2005 - 03:46 AM

I don't know if this helps any, but I have the same problem with my desktop. I also just had a virus, but I had the 'your computer is infected' virus. If you want to know more about that do a search on here and you'll find loads blogs. Anyways, I noticed that two of my backgrounds are formatted differently. One is called Zapotec and i don't know what it's formatted with but it has a picture of a paintbrush on a piece of paper. The other one is called desktop and is formatted with Internet Explorer. I don't know if those are supped to be there or not. I also noticed that ocationally I can change the color of the background. I hope these things help, for both of our sakes.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users