Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Got Something - Not Exactly Sure What


  • Please log in to reply
14 replies to this topic

#1 RalphH

RalphH

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 29 March 2006 - 10:32 AM

Hi folks - I'm helping a friend get his laptop cleaned up. Spybot/AdAware/Ewido has gotten a lot of garbage off his laptop, but still getting some popup ads. Here the HJT log, and thanks in advance for the help.

Y'all are the best! - Thanks, Ralph
*****************************************************
Logfile of HijackThis v1.99.1
Scan saved at 10:27:28 AM, on 3/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\surfmonkey\smproxy.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\SYSTEM32\m?iexec.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKCU\..\Run: [Service Drivers] msnpg.exe
O4 - HKCU\..\Run: [Yekapyc] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\FNTS~1\winlogon.exe" -vt ndrv
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\RunServices: [Service Drivers] msnpg.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.earthlink.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WUSB54GSv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GSv2.exe (file missing)

BC AdBot (Login to Remove)

 


#2 RalphH

RalphH
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 30 March 2006 - 04:26 PM

bump

#3 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:05:22 AM

Posted 01 April 2006 - 04:06 PM

Hi there and welcome to Bleeping Computer ! :thumbsup:

As you may have noticed already, the forums are very busy at the moment and i have noticed your log has gone unanswered so far!

We look at the oldest logs first, and we were wondering that if you still need help, please start by posting a new HijackThis log in this topic and i will then be able to take a look!

Thanks very much :flowers:

David

#4 RalphH

RalphH
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 03 April 2006 - 09:09 AM

Hi David, and thanks for your response!

I'm guessing that this HJT log might not be very different from the first one, since this laptop has essentially been out of service since I first posted. Other than following the basic guidelines about actions to perform before posting the HJT log, the only other thing I've done is run Ewido against this laptop.

Thanks again for offering to help. I really do appreciate it very much!

Ralph in South Carolina, where the azaleas are blooming like crazy!
**********************************
Logfile of HijackThis v1.99.1
Scan saved at 9:59:32 AM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\surfmonkey\smproxy.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\m?iexec.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKCU\..\Run: [Service Drivers] msnpg.exe
O4 - HKCU\..\Run: [Yekapyc] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\FNTS~1\winlogon.exe" -vt ndrv
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\RunServices: [Service Drivers] msnpg.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.earthlink.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WUSB54GSv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GSv2.exe (file missing)

#5 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:05:22 AM

Posted 03 April 2006 - 10:53 AM

Hello there RalphH

*It is a good idea to print off these instructions - they will be needed later when internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
It is important that you complete the following instructions in the correct order, and also that you don't miss anything out! :thumbsup:

* Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

SurfMonkey

* Please set your system to show all files; please see here if you're unsure how to do this.

*Boot into Safe Mode (without networking support!)
By pressing the F8 key right when Windows starts, usually right after you hear your computer
beep when you reboot it (some versions of windows will display 'Starting Windows' with a grey progress bar)
you will be brought to a menu where you can choose to boot into safe mode.

*Now start a new scan with HJT and place a checkmark next to each of the following items (if present):

R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\Run: [Veritas Patch] veritas.exe
O4 - HKLM\..\Run: [msmc] C:\WINDOWS\System32\msmc.exe
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O4 - HKLM\..\Run: [ELNKProxy] C:\WINDOWS\surfmonkey\smproxy.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\RunServices: [Veritas Patch] veritas.exe
O4 - HKCU\..\Run: [Service Drivers] msnpg.exe
O4 - HKCU\..\Run: [Yekapyc] C:\WINDOWS\System32\m?iexec.exe
O4 - HKCU\..\Run: [Ncao] "C:\PROGRA~1\COMMON~1\FNTS~1\winlogon.exe" -vt ndrv
O4 - HKCU\..\RunServices: [Service Drivers] msnpg.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)


* Make sure your Internet Explorer is closed and click on "Fix Checked" and exit HijackThis when finished.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\System32\msnpg.exe <--file
C:\WINDOWS\System32\wkssvrs.exe <--file
C:\WINDOWS\System32\veritas.exe <--file
C:\WINDOWS\System32\msmc.exe <--file
C:\WINDOWS\etb\pokapoka63.exe <--file
C:\WINDOWS\surfmonkey <--folder

* Please reboot back to normal mode.

* Please download the attached Ralphfix.bat and save it to your desktop. This is how the batch must look afterwards: Posted Image
Doubleclick look.bat and copy the contents of the text file that opens back here.
[attachment=784:attachment]

* Next please navigate to the following folder:

C:\Program Files\Common Files

Can you tell me if there any any folders called "Fonts"? If so how many are there? Do any of the Fonts folders contain the file winlogon.exe? Please let me know.

* So please post back with:
1) A new hijackthis log
2) The results from Ralphfix.bat
3) The infomation about the "Fonts" folders.

David

#6 RalphH

RalphH
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 03 April 2006 - 01:33 PM

Hi again, David. Thanks again for all your great help! Latest HJT below.

I ran the batch file, and when it attempted to execute the m?iexec.exe, it couldn't find the file in the c:\windows\system32 directory, and thus the files.txt[ file that it dropped on the desktop was just an empty file. I assume this is a desirable result, since this is one of the buggers we were going after.

Also, there does exist under c:\progra~1\common~1 a fonts directory, which contains only an empty subfolder named FNTS~1.

Am I close to done? Hope so, and thanks!

Ralph
**********************************************
Logfile of HijackThis v1.99.1
Scan saved at 2:20:16 PM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network

Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network

Monitor\WUSB54GSv2.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =

http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =

http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} -

C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} -

C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4}

- C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} -

C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} -

C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar -

{E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink

TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} -

C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator

5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program

Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet

Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor]

C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP

Software Update\HPWuSchd2.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe"

/background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink

TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program

Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program

Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.earthlink.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation -

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation

- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo

Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program

Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program

Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton

Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation -

C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec

Corporation - C:\Program Files\Norton Internet Security\Norton

AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton

Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WUSB54GSv2SVC - Unknown owner - C:\Program Files\Linksys

Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GSv2.exe (file

missing)

#7 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:05:22 AM

Posted 03 April 2006 - 01:56 PM

Please post a new HijackThis log and in Notepad be sure to click on Format and place a check mark beside "word wrap" so the log will be easier to read.
David :thumbsup:

#8 RalphH

RalphH
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 03 April 2006 - 02:39 PM

Hi again, David - hope this HJT is a bit easier on the eyes! Let me know if not, and thanks again.

Ralph
***********************************
Logfile of HijackThis v1.99.1
Scan saved at 3:33:30 PM, on 4/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.earthlink.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WUSB54GSv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GSv2.exe (file missing)

#9 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:05:22 AM

Posted 03 April 2006 - 02:46 PM

Hey RalphH!

I'm very pleased...this log is looking excellent. I would like to see a new panda scan now, so if you could follow the instructions again for that, and post the log, that would be great!

David

#10 RalphH

RalphH
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 03 April 2006 - 03:40 PM

Hi again, David. So Panda thinks I've still got a bunch of spyware and even a handful of viruses, but I'm hoping that (other than the cookies), these are just remnants of killed spyware/viruses. Take a look and let me know what you think.

By the way, it seems that it displayed worse with word wrap, since the output was columnar, so I saved it with word wrap off. Let me know if you'd like it with word wrap on.

Thanks again! Ralph
**************************

Incident Status Location

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@888[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@belnk[1].txt
Spyware:Cookie/Btgrab Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@btg.btgrab[2].txt
Spyware:Cookie/Centralmedia Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@centralmedia[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@dist.belnk[2].txt
Spyware:Cookie/empnads Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@empnads[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@i.screensavers[1].txt
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@mmm.media-motor[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@offeroptimizer[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@rn11[1].txt
Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\uscflip@earthlink.net\Cookies\george levkoff@pop.mircx[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@888[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@belnk[1].txt
Spyware:Cookie/Btgrab Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@btg.btgrab[2].txt
Spyware:Cookie/Centralmedia Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@centralmedia[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@dist.belnk[2].txt
Spyware:Cookie/empnads Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@empnads[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@i.screensavers[1].txt
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@mmm.media-motor[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@offeroptimizer[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@rn11[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@tribalfusion[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@www.myaffiliateprogram[1].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@z1.adserver[1].txt
Adware:adware/hotoffers Not disinfected C:\Documents and Settings\george levkoff\Desktop\The Shield Professional 2005.lnk
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\george levkoff\Local Settings\Temp\!update.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\george levkoff\Local Settings\Temporary Internet Files\Content.IE5\4B8V4T0P\!update-3595[1].0000
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\george levkoff\Local Settings\Temporary Internet Files\Ssk.log
Adware:Adware/EliteBar Not disinfected C:\RECYCLER\S-1-5-21-284587905-645757453-568730901-500\Dc2.tmp1
Adware:Adware/EliteBar Not disinfected C:\RECYCLER\S-1-5-21-284587905-645757453-568730901-500\Dc3.tmp1
Adware:Adware/EliteBar Not disinfected C:\RECYCLER\S-1-5-21-284587905-645757453-568730901-500\Dc4.tmp1
Adware:Adware/Exact.BargainBuddy Not disinfected C:\RECYCLER\S-1-5-21-284587905-645757453-568730901-500\Dc760.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\RECYCLER\S-1-5-21-284587905-645757453-568730901-500\Dc761.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\RECYCLER\S-1-5-21-284587905-645757453-568730901-500\Dc765.bmp
Adware:adware/bookedspace Not disinfected C:\WINDOWS\cfgmgr52.ini
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaTicketsInstaller.INF
Virus:W32/Sasser.ftp Not disinfected C:\WINDOWS\SYSTEM32\cmd.ftp
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OLQFCT6N\bcuzZ[1].htm
Virus:W32/Sdbot.ftp Not disinfected C:\WINDOWS\SYSTEM32\i
Virus:Trj/Agent.ALP Not disinfected C:\WINDOWS\SYSTEM32\mskkk.exe
Adware:Adware/Hotoffers Not disinfected C:\WINDOWS\SYSTEM32\msodae.dll
Spyware:spyware/media-motor Not disinfected C:\WINDOWS\ubber60.ini

#11 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:05:22 AM

Posted 03 April 2006 - 05:08 PM

Hi RalphH

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\cfgmgr52.ini <--file
C:\WINDOWS\SYSTEM32\cmd.ftp <--file
C:\WINDOWS\SYSTEM32\i <--folder
C:\WINDOWS\SYSTEM32\mskkk.exe <--file
C:\WINDOWS\SYSTEM32\msodae.dll <--file
C:\WINDOWS\ubber60.ini <--file

* Go to start > run and type: regsvr32 /u occache.dll
(or copy and paste this in the field in start > run )
Click Ok

* Now search and delete:

C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaTicketsInstaller.INF

* Go to start > run and type regsvr32 occache.dll

* Please empty your recycle bin.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\Documents and Settings\Nicholas\Local Settings\Temporary Internet Files\Ssk.log

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes.

After the reboot (important) please post back with a new Panda log and a HJT log.
David

Edited by D-Trojanator, 03 April 2006 - 05:09 PM.


#12 RalphH

RalphH
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 04 April 2006 - 04:45 PM

Hi again, David, and as always, thanks for all your great help!

I looked on this laptop for the file you mentioned (C:\Documents and Settings\Nicholas\Local Settings\Temporary Internet Files\Ssk.log) but I couldn't find it. I don't have a subdirectory of Nicholas under D&S.

Below are the latest Panda and HJT logs.

Thanks again! Ralph
****************************

Incident Status Location

Spyware:Cookie/888 Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@888[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@belnk[1].txt
Spyware:Cookie/Btgrab Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@btg.btgrab[2].txt
Spyware:Cookie/Centralmedia Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@centralmedia[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@dist.belnk[2].txt
Spyware:Cookie/empnads Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@empnads[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@i.screensavers[1].txt
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@mmm.media-motor[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@offeroptimizer[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\glevkoff@earthlink.net\Cookies\george levkoff@rn11[1].txt
Spyware:Cookie/Mircx Not disinfected C:\Documents and Settings\george levkoff\Application Data\Earthlink\6.0\uscflip@earthlink.net\Cookies\george levkoff@pop.mircx[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@888[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@belnk[1].txt
Spyware:Cookie/Btgrab Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@btg.btgrab[2].txt
Spyware:Cookie/Centralmedia Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@centralmedia[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@dist.belnk[2].txt
Spyware:Cookie/empnads Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@empnads[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@i.screensavers[1].txt
Spyware:Cookie/Media-motor Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@mmm.media-motor[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@offeroptimizer[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\george levkoff\Cookies\george levkoff@rn11[1].txt
Adware:adware/hotoffers Not disinfected C:\Documents and Settings\george levkoff\Desktop\The Shield Professional 2005.lnk
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\george levkoff\Local Settings\Temp\!update.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\george levkoff\Local Settings\Temporary Internet Files\Ssk.log
Adware:Adware/EliteBar Not disinfected C:\RECYCLER\S-1-5-21-284587905-645757453-568730901-500\Dc2.tmp1
Adware:Adware/EliteBar Not disinfected C:\RECYCLER\S-1-5-21-284587905-645757453-568730901-500\Dc3.tmp1
Adware:Adware/EliteBar Not disinfected C:\RECYCLER\S-1-5-21-284587905-645757453-568730901-500\Dc4.tmp1
Adware:Adware/Exact.BargainBuddy Not disinfected C:\RECYCLER\S-1-5-21-284587905-645757453-568730901-500\Dc760.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\RECYCLER\S-1-5-21-284587905-645757453-568730901-500\Dc761.bmp
Adware:Adware/Exact.BargainBuddy Not disinfected C:\RECYCLER\S-1-5-21-284587905-645757453-568730901-500\Dc765.bmp
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OLQFCT6N\bcuzZ[1].htm
*****************************
Logfile of HijackThis v1.99.1
Scan saved at 4:58:26 PM, on 4/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.earthlink.com
O15 - Trusted Zone: http://download.windowsupdate.com
O15 - Trusted Zone: http://*.windowsupdate.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WUSB54GSv2SVC - Unknown owner - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54GSv2.exe (file missing)

#13 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:05:22 AM

Posted 05 April 2006 - 02:45 AM

Hey Ralph!

Download KillBox from here: KillBox
Unzip the folder to your desktop.

* Start Killbox.exe
* Select the Delete on Reboot option.
* Click on the All Files button.
* Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\Documents and Settings\george levkoff\Local Settings\Temporary Internet Files\Ssk.log
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\MediaTicketsInstaller.INF
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\MediaTicketsInstaller.INF


* Go to the File menu of Killbox, and choose Paste from Clipboard.
NOTE: You must use the file File menu--pasting by right-clicking the mouse will only enter one file.
* Click the Delete File button that is a red-and-white X. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

After the reboot please clear your temporary files and cookies using the following instructions:

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Then please remove all your Netscape cookies by following the insutrctions here:
http://businesssupport.wamu.com/knowbase/r.../wm_bb16001.htm

Please reboot and let me know how the computer is running.
David

#14 RalphH

RalphH
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:12:22 AM

Posted 06 April 2006 - 01:26 PM

Hi again, Dave. Thanks for all your help. Looks like this laptop is finally clear. I went in and manually eliminated some of the junk that Panda was still complaining about, but it appeared to be only stray bits of leftovers from removed spyware.

Again, thanks! You were a big, big help.

Ralph

#15 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:London
  • Local time:05:22 AM

Posted 12 April 2006 - 10:15 AM

Hey Ralph

It's excellent to hear that you are pleased with the performance of the computer. The fact that your system got so infected in the first place shows me that you are lacking slightly in protection. Follow this list and your potential for being infected again will reduce dramatically.

Now that you are clean, lets reset your system restore points please follow these simple steps in order
  • Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Clickthe System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
Restart your computer
  • Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Un-Check Turn off System Restore.
  • Click Apply, and then click OK.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs: hide
    Click here for more information on -> Computer Safety On line - Anti-Virus

    I would recommend Grisofts© AVG or AVAST©. As these are the more secure and better ones.
  • Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
    Click here for more information on -> Computer Safety On line - Software Firewalls
    I would recommend ZoneAlarm© as a firewall as it's easy to use. But for a more secure firewall, Sunbelts Kerio© is the one.
  • Visit Microsoft's Windows Update Site Frequently It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly
  • Install Spybot© - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here: Click here for more info -->Instructions for - Spybot S & D and Ad-aware
  • Install Lavasofts© Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here: Click here for more info -->Instructions for - Spybot S & D and Ad-aware
  • Install Javacools© SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer and Firefox settings and that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here: Click here for more info -->Computer Safety on line - Anti-Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If you have any addition questions just ask...
David




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users