Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Sending Packet Files Equal To Receiving


  • Please log in to reply
35 replies to this topic

#1 candy

candy

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington State
  • Local time:06:38 PM

Posted 28 April 2006 - 10:53 AM

Hopefully I'll use the correct terminology here: My IE, XP, is sending out packets almost as many as it is receiving. I have done: Norton Virus check, SpyBot and XoftSpy and some others. Last night I researched every entry on my Hijackthis Log and fixed about 8 of them. Some I'm still in question about. Anyway nothing has changed on the sent packets! Have copied below my new Hijackthis Log. Sure would appreciate some advice on this. Thanks a lot.......Candy

Logfile of HijackThis v1.99.0
Scan saved at 8:23:18 AM, on 4/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
C:\WINNT\system32\LxrJD31s.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\wdfmgr.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\System32\alg.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\Miscellaneous\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - {B7179AE3-3A70-8A67-4F58-BD312CFBAE24} - (no file)
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - :C:\WINNT\system32\lnrgb.dll

(file missing)
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common

Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton

AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program

Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] :"C:\Program Files\Common Files\Real\Update_OB\realsched.exe"

-osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] :"C:\Program Files\Common Files\Roxio

Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dmchi.exe] C:\WINNT\system32\dmchi.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] :"C:\Program Files\Real\RealOne Player\realplay.exe"

/RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} -

C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: symsupportutil -

https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -

http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -

http://a1540.g.akamai.net/7/1540/52/200305...win/QuickTimeIn

staller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) -

http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -

http://a1540.g.akamai.net/7/1540/52/200404...n/QuickTimeInst

aller.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) -

hcp://system/RunExeActiveX.CAB
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) -

http://download.zonelabs.com/bin/promotion...canner37470.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) -

http://cs1b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) -

hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) -

http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) -

https://secure.stamps.com/download/us/cab/s...file=stamps.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) -

http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -

https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) -

http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program

Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GhostStartService - Symantec Corporation -

C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar JD31 - Unknown - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program

Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program

Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton

SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation -

C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common

Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation -

C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec

Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. -

C:\WINNT\system32\ZoneLabs\vsmon.exe

BC AdBot (Login to Remove)

 


#2 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 28 April 2006 - 05:33 PM

Hi candy and Welcome to the Bleeping Computer!

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Wait until Safe Mode to run Ewido.


Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://swandog46.geekstogo.com/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe
  • Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
  • The fix will begin; follow the prompts.
  • You will be asked to reboot your computer; please restart in Safe Mode.
    http://service1.symantec.com/SUPPORT/tsg...src=sec_doc_nam
  • Your system may take longer than usual to load; this is normal.
  • Once the desktop loads Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

    R3 - URLSearchHook: (no name) - {B7179AE3-3A70-8A67-4F58-BD312CFBAE24} - (no file)
    O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - :C:\WINNT\system32\lnrgb.dll(file missing)

    O4 - HKLM\..\Run: [dmchi.exe] C:\WINNT\system32\dmchi.exe

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) -


    Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button
Still in Safe Mode-> Open Ewido Security Suite and do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido security suite.


Now open the Control Panel-> In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable one some systems.


Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)


Restart Normal and have the PC Scanned here:
Panda Active Scan

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with a fresh HijackThis log and the reports from Ewido and Panda

#3 candy

candy
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington State

Posted 02 May 2006 - 02:52 PM

Thanks, Cretemonster, for the cleanup plan. I followed it all but areas to comment on were:

You said to fix five files in my Hijack Report, one file was not in the report that you named,
04 - HKLM\..\Run: [dmchi.exe] C:\WINNT\system32\dmchi.exe

Next: In Safe Mode my Network Connections wouldn't show but after rebooting I checked the Internet Protocol and it was set correctly.

Lastly: I did 'run' on ipconfig /flushdns and flushed the cache, but not in Safe Mode.

Below are my reports. Thanks so much.........Candy

Logfile of HijackThis v1.99.1
Scan saved at 12:45:39 PM, on 5/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
C:\WINNT\system32\LxrJD31s.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\Miscellaneous\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] :"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] :"C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs1b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - https://secure.stamps.com/download/us/cab/s...file=stamps.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:18:18 AM, 5/2/2006
+ Report-Checksum: D5A2E842

+ Scan result:

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-65afd8eb-7017dce3.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-2a880e3-13ba69b5.zip/Gummy.class -> Not-A-Virus.Exploit.ByteVerify : Error during cleaning
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5000a103-3ca25079.zip/Gummy.class -> Not-A-Virus.Exploit.ByteVerify : Error during cleaning
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1f2587dd-56ca5f65.zip/Dummy.class -> Trojan.NoCheat.240 : Error during cleaning
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv410.jar-311e32e8-5b6627a5.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Error during cleaning
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv410.jar-311e32e8-5b6627a5.zip/Matrix.class -> Downloader.OpenStream.c : Error during cleaning
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-32d30b87-5d737d5e.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Error during cleaning
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv428.jar-79d38894-7d6afd12.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Error during cleaning
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv539.jar-69ecf2f0-25c97ad8.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Error during cleaning
C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@counter11.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@counter2.sextracker[1].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@data1.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ehg-interlifeform.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ehg-pcsecurityshield.hitbox[1].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@sextracker[2].txt -> TrackingCookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\ms32.sys -> Downloader.Agent.tc : Cleaned with backup
C:\WINNT\system32\cbiuninstall.exe -> Dialer.Generic : Cleaned with backup
C:\WINNT\system32\csnoi.exe -> Downloader.Agent.uj : Cleaned with backup
C:\WINNT\system32\filesafer23.exe -> Hijacker.Small : Cleaned with backup


::Report End


Incident Status Location

Adware:adware/ideskbar Not disinfected c:\winnt\system32\drivers\zpmodemnt.sys
Adware:adware/comet Not disinfected c:\winnt\downloaded program files\dm.inf
Adware:adware/cws Not disinfected c:\documents and settings\all users\favorites\Download Free Spyware Remover.url
Adware:adware/ist.istbar Not disinfected c:\program files\common files\Totem Shared
Adware:adware/sbsoft Not disinfected Windows Registry
Adware:adware/powerscan Not disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-2a880e3-13ba69b5.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5000a103-3ca25079.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1f2587dd-56ca5f65.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-21209945-3659f0c7.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv410.jar-311e32e8-5b6627a5.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv410.jar-311e32e8-5b6627a5.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-32d30b87-5d737d5e.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-32d30b87-5d737d5e.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv428.jar-79d38894-7d6afd12.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv539.jar-69ecf2f0-25c97ad8.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv539.jar-69ecf2f0-25c97ad8.zip[Matrix.class]
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Owner\Cookies\owner@kinghost[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Distribution.dll.019
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Distribution.dll.022
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Music.dll.010
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Music.dll.011
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Windows.dll.044
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Windows.dll.046
Virus:Trj/DNSChanger.BD Disinfected C:\WINNT\system32\wvhim.exe

#4 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Members
  • 19,461 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:06:38 PM

Posted 02 May 2006 - 03:55 PM

Candy,

Please keep all your reply posts in this thread by using the ADDREPLY button
that you'll see near bottom of page on the right side.

This ensures a timely response and prevents confusion.

regards,
KoanYorel
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#5 candy

candy
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington State
  • Local time:09:38 PM

Posted 02 May 2006 - 05:52 PM

Candy,

Please keep all your reply posts in this thread by using the ADDREPLY button
that you'll see near bottom of page on the right side.

This ensures a timely response and prevents confusion.

regards,
KoanYorel




Sounds like the thing to do! Thanks KoanYorel, I'll figure the procedure out yet!........Candy :thumbsup:

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 02 May 2006 - 06:59 PM

Thanks Koan! :thumbsup:

No Problems Candy,lets continue the process,Im going to need to see the entire Panda Report in a reply allits own please.

After making that reply-> Let me see a HijackThis Start Up log.

Open HijackThis and Click the "Open Misc Tools Section" tab.

Select Generate StartUpList log and make sure that both Boxes beside it are checked:

Put a check by:
List all minor sections(Full)
and
List Empty Sections(Complete)

It will produce a NotePad Page,I need you to copy the entire contents of that page to the next reply.

#7 candy

candy
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington State
  • Local time:06:38 PM

Posted 03 May 2006 - 11:17 AM

Here's the Panda Scan, I think! No identification, but pretty sure this is it.......Candy


Incident Status Location

Adware:adware/ideskbar Not disinfected c:\winnt\system32\drivers\zpmodemnt.sys
Adware:adware/comet Not disinfected c:\winnt\downloaded program files\dm.inf
Adware:adware/cws Not disinfected c:\documents and settings\all users\favorites\Download Free Spyware Remover.url
Adware:adware/ist.istbar Not disinfected c:\program files\common files\Totem Shared
Adware:adware/sbsoft Not disinfected Windows Registry
Adware:adware/powerscan Not disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-2a880e3-13ba69b5.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5000a103-3ca25079.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1f2587dd-56ca5f65.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-21209945-3659f0c7.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv410.jar-311e32e8-5b6627a5.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv410.jar-311e32e8-5b6627a5.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-32d30b87-5d737d5e.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-32d30b87-5d737d5e.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv428.jar-79d38894-7d6afd12.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv539.jar-69ecf2f0-25c97ad8.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv539.jar-69ecf2f0-25c97ad8.zip[Matrix.class]
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[1].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Owner\Cookies\owner@kinghost[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Distribution.dll.019
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Distribution.dll.022
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Music.dll.010
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Music.dll.011
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Windows.dll.044
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\Common Files\Totem Shared\Update\Windows.dll.046
Virus:Trj/DNSChanger.BD Disinfected C:\WINNT\system32\wvhim.exe

#8 candy

candy
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington State

Posted 03 May 2006 - 11:21 AM

And here is the HijackThis start up list. Thanks again........Candy

StartupList report, 5/3/2006, 9:11:11 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Owner\Desktop\Miscellaneous\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
C:\WINNT\system32\LxrJD31s.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\OPScan.exe
C:\Documents and Settings\Owner\Desktop\Miscellaneous\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
hpoddt01.exe.lnk = ?

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
NvCplDaemon = RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
HPDJ Taskbar Utility = C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
GWMDMMSG = GWMDMMSG.exe
nwiz = nwiz.exe /install
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
RoxioEngineUtility = :"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
HP Software Update = C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
Zone Labs Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Weather = C:\Program Files\AWS\WeatherBug\Weather.exe 1
RealPlayer = :"C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{44BBA851-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\wpie4x86.inf,PerUserStub

[{4b218e3e-bc98-4770-93d3-2731b9329278}] *
StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp10.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINNT\system32\Rundll32.exe C:\WINNT\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=
SCRNSAVE.EXE=C:\WINNT\system32\MAGICW~1.SCR
drivers=

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - Owner.job
Norton SystemWorks One Button Checkup.job
XoftSpy.job

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[symsupportutil]
CODEBASE = https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
OSD = C:\WINNT\Downloaded Program Files\OSD4A.OSD

[{00000075-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/voxacm.CAB

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[PCPitstop Utility]
InProcServer32 = C:\WINNT\DOWNLO~1\PCPITS~1.DLL
CODEBASE = http://support.gateway.com/support/profiler/PCPitStop.CAB

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINNT\System32\mssecadv.dll
CODEBASE = http://download.microsoft.com/download/0/5...b?1067700069468

[{33363249-0000-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.microsoft.com/codecs/i386/i263_32.cab

[EPUImageControl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\EPUWALcontrol.dll
CODEBASE = http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab

[{62475759-9E84-458E-A1AB-5D2C442ADFDE}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe

[RunExeActiveX.RunExe]
InProcServer32 = C:\WINNT\Downloaded Program Files\RunExeActiveX.ocx
CODEBASE = hcp://system/RunExeActiveX.CAB

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[CustomerCtrl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\customerclient.dll
CODEBASE = http://cs1b.instantservice.com/jars/customerxsigned33.cab

[StartFirstControl.CheckFirst]
InProcServer32 = C:\WINNT\Downloaded Program Files\StartFirstControl.ocx
CODEBASE = hcp://system/StartFirstControl.CAB

[compid Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\gwCID.dll
CODEBASE = http://support.gateway.com/support/serialharvest/gwCID.CAB

[ActiveScan Installer Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\asinst.dll
CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab

[SDCInstaller Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\SDCInstall.dll
CODEBASE = https://secure.stamps.com/download/us/cab/s...file=stamps.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/products/plugin/1.3.1/...-131_02-win.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/products/plugin/autodl..._4_0_02-win.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/products/plugin/autodl...indows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[ActiveDataInfo Class]
InProcServer32 = C:\PROGRA~1\COMMON~1\SYMANT~1\SymAData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

[EPSImageControl Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\EPScontrol.dll
CODEBASE = http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\mswsock.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
NameSpace #3: C:\WINNT\System32\mswsock.dll
Protocol #1: C:\WINNT\system32\mswsock.dll
Protocol #2: C:\WINNT\system32\mswsock.dll
Protocol #3: C:\WINNT\system32\mswsock.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\mswsock.dll
Protocol #7: C:\WINNT\system32\mswsock.dll
Protocol #8: C:\WINNT\system32\mswsock.dll
Protocol #9: C:\WINNT\system32\mswsock.dll
Protocol #10: C:\WINNT\system32\mswsock.dll
Protocol #11: C:\WINNT\system32\mswsock.dll
Protocol #12: C:\WINNT\system32\mswsock.dll
Protocol #13: C:\WINNT\system32\mswsock.dll
Protocol #14: C:\WINNT\system32\mswsock.dll
Protocol #15: C:\WINNT\system32\mswsock.dll
Protocol #16: C:\WINNT\system32\mswsock.dll
Protocol #17: C:\WINNT\system32\mswsock.dll
Protocol #18: C:\WINNT\system32\mswsock.dll
Protocol #19: C:\WINNT\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Intel® 82801 Audio Driver Install Service (WDM): system32\drivers\ac97intc.sys (manual start)
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
adpu160m: System32\DRIVERS\adpu160m.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (system)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Automatic LiveUpdate Scheduler: "C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe" (autostart)
BCM V.90 56K Modem: System32\DRIVERS\BCMDM.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
CdaC15BA: \??\C:\WINNT\System32\drivers\CdaC15BA.SYS (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
COM+ System Application: C:\WINNT\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM Server Process Launcher: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
MS IEEE-1284.4 Driver: System32\DRIVERS\Dot4.sys (manual start)
Print Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Prt.sys (manual start)
Scan Class Driver for IEEE-1284.4: System32\DRIVERS\Dot4Scan.sys (manual start)
Dot4USB Filter Dot4USB Filter: System32\DRIVERS\dot4usb.sys (manual start)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Intel® PRO Adapter Driver: System32\DRIVERS\e100b325.sys (manual start)
3Com EtherLink XL 90XB/C Adapter Driver: System32\DRIVERS\el90xbc5.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido anti-malware\ewidoctrl.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GhostStartService: C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE (autostart)
GhostPciScanner: \??\C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
GTW V.92 Voice Modem: System32\DRIVERS\GWMDM.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
IEEE-1284.4 Driver HPZid412: System32\DRIVERS\HPZid412.sys (manual start)
Print Class Driver for IEEE-1284.4 HPZipr12: System32\DRIVERS\HPZipr12.sys (manual start)
USB to IEEE-1284.4 Translation Driver HPZius12: System32\DRIVERS\HPZius12.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
HTTP SSL: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINNT\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
Intel Processor Driver: System32\DRIVERS\intelppm.sys (system)
IPv6 Windows Firewall Driver: system32\drivers\ip6fw.sys (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
iscFlash: \??\C:\WINNT\SYSTEM32\DRIVERS\iscflash.sys (manual start)
JL2005A Toy Camera: System32\Drivers\toywdm.sys (manual start)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
L2XPSR: \??\C:\PROGRA~1\EFFICI~1\TANGOM~1\app\L2XPSR.SYS (manual start)
Logitech PS/2 Mouse Filter Driver: system32\DRIVERS\L8042pr2.Sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logitech HID/USB Mouse Filter Driver: system32\DRIVERS\LHidFlt2.Sys (manual start)
Logitech USB Receiver device driver: System32\Drivers\LHidUsb.Sys (manual start)
LiveUpdate: "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Logitech Mouse Class Filter Driver: system32\DRIVERS\LMouFlt2.Sys (manual start)
LxrJD31d: \??\C:\WINNT\system32\Drivers\LxrJD31d.sys (autostart)
Lexar JD31: LxrJD31s.exe (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Unimodem Streaming Filter Device: system32\drivers\MODEMCSA.sys (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\system32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft System Management BIOS Driver: System32\DRIVERS\mssmbios.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: system32\DRIVERS\NABTSFEC.sys (manual start)
Norton AntiVirus Auto-Protect Service: "C:\Program Files\Norton AntiVirus\navapsvc.exe" (autostart)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060426.019\NAVENG.Sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060426.019\NavEx15.Sys (manual start)
Microsoft TV/Video Connection: system32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (disabled)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Norton Unerase Protection Driver: \??\C:\WINNT\System32\Drivers\NPDRIVER.SYS (manual start)
Norton AntiVirus Firewall Monitor Service: "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" (autostart)
Norton Unerase Protection: "C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" (autostart)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
nv4: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
OLYMPUS Digital Camera: System32\Drivers\olcamudp.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
Pcdr Helper Driver: \??\C:\Atf\Qctest\PCDoc\PCDRDRV.sys (manual start)
PcdrNt: \SystemRoot\System32\drivers\PcdrNt.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
PADUS ASPI SHELL: system32\drivers\pfc.sys (manual start)
PictureTaker: c:\fixit\pt\PCTKRNT.SYS (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Pml Driver HPZ12: C:\WINNT\System32\HPZipm12.exe (manual start)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINNT\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
SAVRT: \??\C:\Program Files\Norton AntiVirus\SAVRT.SYS (manual start)
SAVRTPEL: \??\C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS (system)
SAVScan: "C:\Program Files\Norton AntiVirus\SAVScan.exe" (manual start)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Windows Firewall/Internet Connection Sharing (ICS): %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
PS/2 Keyboard Filter Driver for Win2000: System32\DRIVERS\Sk99202k.sys (manual start)
PS/2 Keyboard Filter Driver for NT 4.0: System32\DRIVERS\Sk9920nt.sys (system)
BDA Slip De-Framer: system32\DRIVERS\SLIP.sys (manual start)
smwdm: system32\drivers\smwdm.sys (manual start)
Symantec Network Drivers Service: "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (autostart)
SPBBCDrv: \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys (system)
Symantec SPBBCSvc: "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (autostart)
Speed Disk service: C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe (autostart)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: system32\DRIVERS\StreamIP.sys (manual start)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINNT\System32\dllhost.exe /Processid:{1CC14034-ABF5-4E23-BDE4-0728F516DD93} (manual start)
Symantec Core LC: C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (autostart)
SYMDNS: \SystemRoot\System32\Drivers\SYMDNS.SYS (manual start)
SymEvent: \??\C:\Program Files\Symantec\SYMEVENT.SYS (manual start)
SYMFW: \SystemRoot\System32\Drivers\SYMFW.SYS (manual start)
SYMIDS: \SystemRoot\System32\Drivers\SYMIDS.SYS (manual start)
SYMIDSCO: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\IDS-DI~1\20060410.080\symidsco.sys (manual start)
symlcbrd: \??\C:\WINNT\system32\drivers\symlcbrd.sys (autostart)
SYMNDIS: \SystemRoot\System32\Drivers\SYMNDIS.SYS (manual start)
SYMREDRV: \SystemRoot\System32\Drivers\SYMREDRV.SYS (manual start)
SYMTDI: \SystemRoot\System32\Drivers\SYMTDI.SYS (system)
SymWMI Service: C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe (autostart)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
ultra: System32\DRIVERS\ultra.sys (system)
Windows User Mode Driver Framework: C:\WINNT\system32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
VGA Display Controller.: \SystemRoot\System32\drivers\vga.sys (system)
ViaIde: System32\DRIVERS\viaide.sys (system)
vsdatant: \??\C:\WINNT\system32\vsdatant.sys (autostart)
TrueVector Internet Monitor: C:\WINNT\system32\ZoneLabs\vsmon.exe -service (autostart)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
WMDM PMSP Service: C:\WINNT\System32\MsPMSPSv.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINNT\System32\wbem\wmiapsrv.exe (manual start)
Security Center: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: system32\DRIVERS\WSTCODEC.SYS (manual start)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Network Provisioning Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINNT\system32\SHELL32.dll
CDBurn: C:\WINNT\system32\SHELL32.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: C:\WINNT\System32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 41,762 bytes
Report generated in 0.282 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#9 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 03 May 2006 - 06:47 PM

Please go to Safe Mode ad be sure Windows is Showing Hidden Files.
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp


Locate and Delete the following

c:\winnt\system32\drivers\zpmodemnt.sys<-- File

c:\winnt\downloaded program files\dm.inf<-- File

c:\documents and settings\all users\favorites\Download Free Spyware Remover.url<-- File

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv539.jar-69ecf2f0-25c97ad8.zip<-- Folder

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv428.jar-79d38894-7d6afd12.zip<-- Folder

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv420.jar-32d30b87-5d737d5e.zip<-- Folder

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv410.jar-311e32e8-5b6627a5.zip<-- Folder

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-21209945-3659f0c7.zip<-- Folder

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-1f2587dd-56ca5f65.zip<-- Folder

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5000a103-3ca25079.zip<-- Folder

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-2a880e3-13ba69b5.zip<-- Folder

C:\Program Files\Common Files\Totem Shared<-- Folder


Restart Normal and Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#10 candy

candy
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington State
  • Local time:06:38 PM

Posted 04 May 2006 - 06:02 PM

The only file I could not find to delete: dm.inf.
Otherwise below is the Kaspersky scan minus the many quarantinted files in Norton. Thanks!..Candy

KASPERSKY ON-LINE SCANNER REPORT
Thursday, May 04, 2006 3:40:12 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 4/05/2006
Kaspersky Anti-Virus database records: 180090


Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 97115
Number of viruses found 50
Number of infected objects 849
Number of suspicious objects 14
Duration of the scan process 01:20:44

C:\RECYCLER\NPROTECT\01223353.exe Infected: Trojan.Win32.DNSChanger.as skipped

C:\RECYCLER\S-1-5-21-1599196801-2106517767-3757435101-1003\Dc47.zip/binny/binny.class Infected: Trojan-Dropper.Java.Beyond.d skipped

C:\RECYCLER\S-1-5-21-1599196801-2106517767-3757435101-1003\Dc47.zip ZIP: infected - 1 skipped

#11 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 06 May 2006 - 05:38 AM

Sorry for the delay,hadda take care of some home buisness.


Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacoolsoftware.com/downloads.html
Update Immediatly!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm

Disable System Restore
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup

Go ahead and remove any of the tools downloaded that are of no use anymore

Post back and let me know how things are?

#12 candy

candy
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington State
  • Local time:06:38 PM

Posted 07 May 2006 - 10:51 AM

Welllllllllll, really nothing has changed! :thumbsup: Last night things were running a little faster and the send packets were about 1000 less than the received packets and they have in the past been about even. So do you have any more suggestions from here? Thanks for all your efforts.........Candy

#13 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 08 May 2006 - 06:21 PM

Lets get the Recycle Bin fixed up first.

Copy & paste the text in bold below into notepad and save it as recyclerem.bat
(Set filetype to "All Files")


attrib -r -s -h %systemdrive%\Recycler
del %systemdrive%\Recycler
attrib -r -s -h %systemdrive%\Recycled
del %systemdrive%\Recycled
shutdown /r /t 0 /f


Close all programs and doubleclick recyclerem.bat

Your computer will reboot and you will have a shiny new (empty) recycle bin.


Once Restarted,please post another HijackThis StartUp log.

#14 candy

candy
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Washington State

Posted 08 May 2006 - 07:19 PM

Okay, here's the latest 'HijackThis' Log. Thanks!......Candy

Logfile of HijackThis v1.99.1
Scan saved at 5:12:02 PM, on 5/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
C:\WINNT\system32\LxrJD31s.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\MsPMSPSv.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Documents and Settings\Owner\Desktop\Miscellaneous\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - C:\Program Files\Common Files\Paltalk\PaltalkWebLogin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RoxioEngineUtility] :"C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [RealPlayer] :"C:\Program Files\Real\RealOne Player\realplay.exe" /RunUPGToolCommandReBoot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200404...meInstaller.exe
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs1b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BE5431D2-0F30-11D4-89D9-00C04F509C0A} (SDCInstaller Class) - https://secure.stamps.com/download/us/cab/s...file=stamps.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedCon...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\GHOSTS~2.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

#15 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE
  •  

Posted 11 May 2006 - 05:33 PM

Again,my apologies for the delays.

It appears you have 2 firewalls installed?

2 firewalls is definatly 1 too many.

I also see Ewido and alot of autorun entries in HijackThis that will seriously bogg down a computer.


Are you familiar with the use of Msconfig?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users