Infected With Explorer.exe


This topic is locked. 4 replies to this topic.

#1 obhomey (Members, 2 posts)

Posted 03 May 2006 - 06:03 PM

Hello all
I could really use some help. The download speeds are way slow, like 30kb. I have a cable connection and had the cable company check my connection, and they said that it is performing at the maximum capacity. I am running Windows XP and IE6. I have run all the recommended spyware and virus programs with no relief. I have a program called "Process Library" and when I check the processes that are running I find a process called: explorer.exe. The process library warns that this is a trojan called: trojan.w32.mydoom & trojan.w32.ZAPCHAST. Here is the description:

explorer.exe is a process which is registered as a trojan. This Trojan allows attackers to access your computer from remote locations, stealing passwords, Internet banking and personal data. It is a registered security risk and should be removed immediately.

When I end this process I lose my desktop and start menu. Any help solving this problem would sincerely be appreciated.

Hijack this log:
Logfile of HijackThis v1.99.1
Scan saved at 8:25:58 PM, on 5/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\ntvdm.exe
I:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
I:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
I:\Program Files\Analog Devices\SoundMAX\Smax4.exe
I:\Program Files\QuickTime\qttask.exe
I:\Program Files\Microsoft Hardware\Mouse\point32.exe
I:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
I:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
I:\Program Files\Microsoft AntiSpyware\gcasServ.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\BroadJump\Client Foundation\CFD.exe
I:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
I:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
I:\Program Files\Messenger\msmsgs.exe
I:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
I:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
I:\OPLIMIT\ocrawr32.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
I:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
I:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
I:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
I:\Program Files\Aladdin Systems\Internet Cleanup\icserv.exe
I:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
I:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
I:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
I:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
I:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
I:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
I:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
I:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
I:\Program Files\Aladdin Systems\Internet Cleanup\ONICTASK.exe
I:\Program Files\OpenOffice.org 2.0\program\soffice.exe
I:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
I:\VSTASCAN\VSACCESS.EXE
I:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
I:\Program Files\YCIII\YankClip.exe
I:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
I:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=I:\OPLIMIT\ocraware.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ICHlprObj Class - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - I:\Program Files\Aladdin Systems\Internet Cleanup\IC3hlpr.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - I:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - I:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - I:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - I:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - I:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] I:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] I:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] I:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "I:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] I:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [POINTER] I:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NeroCheck] I:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "I:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "I:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "I:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [gcasServ] "I:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [fontnav] "I:\Program Files\Corel\WordPerfect Office 2000\Font Navigator\FontNav.exe" *1
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] I:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AVG7_EMC] I:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] I:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIPTA] I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "I:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW4] "I:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [RoboForm] "I:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Camio Viewer.lnk = I:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Startup: IC Task Manager.lnk = I:\Program Files\Aladdin Systems\Internet Cleanup\ONICTASK.exe
O4 - Startup: OpenOffice.org 2.0.lnk = I:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: UMAX VistaAccess.lnk = I:\VSTASCAN\VSACCESS.EXE
O4 - Startup: Yankee Clipper III.lnk = I:\Program Files\YCIII\YankClip.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Registration.lnk = I:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = I:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = I:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://I:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &eBay Search - res://I:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Clear Fields - file://I:\Program Files\Siber Systems\AI RoboForm\RoboFormComClearFields.html
O8 - Extra context menu item: Customize Menu - file://I:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://I:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://I:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://I:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143304184890
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.255.49.249/activex/AxisCamControl.cab
O23 - Service: Ati HotKey Poller - Unknown owner - I:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - I:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CleanService - Unknown owner - I:\PROGRA~1\STOMPS~1\PRIVAC~1\CleanService.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - I:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: icservice - Aladdin Systems, Inc. - I:\Program Files\Aladdin Systems\Internet Cleanup\icserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - I:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - I:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - I:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - I:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - I:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - I:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - I:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - I:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Thanks in advance, OBHomey :thumbsup:)


#2 pskelley (Staff Emeritus, 1,487 posts)

Posted 07 May 2006 - 02:50 PM

Hello and welcome to the forum. Malware can show up in most files, but in your case read this:
http://www.google.com/search?hl=en&lr=&rls...nition&ct=title
and this: http://www.liutilities.com/products/wintas...brary/explorer/ The key I look for is this:
Note: The Explorer.exe file is located in the c:\windows\ folder. In other cases, Explorer.exe is a virus, spyware, trojan or worm! Now, while yours is not in C:\ but rather I:\WINDOWS\Explorer.EXE, it is a safe and very important part of the Windows operation.
Did you run some program that gave you this information?

While I see some adware that should go, and a service I am not sure of, the major problem I see in this log is the fact that two antivirus programs are running at the same time. See what Symantec says about that:
http://service1.symantec.com/SUPPORT/nav.n...000031316555206 and Microsoft:
"Microsoft recommends that you have only one anti-virus program installed on your computer."

The service I wish to know is valid is:
O23 - Service: CleanService - Unknown owner - I:\PROGRA~1\STOMPS~1\PRIVAC~1\CleanService.exe

Uninstall one of those programs then update and run a complete system scan with the one you kept. If anything is located that can not be deleted, post that information for me. The exact name and pathway, please.

Once this is done, post a new HJT log and I'll remove the adware and anything else I see. Stay in this same topic, I will be notified when you post and respond as soon as possible after that.

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#3 obhomey (Topic Starter, Members, 2 posts)

Posted 08 May 2006 - 11:02 AM

Hello pskelley

Thank you for your reply to my post. I have uninstalled the AVG anti-virus and tried to download a file with no improvement in download speed. The process that you were unsure of was a program that I purchased called "Privacy Protector" made by Stomp Soft. It is a legit program. The reason that the processes are showing in the "I" drive is because that is the drive letter for my hard drive. Anyway, here's the new HJT scan:
Thanks again in advance for your help.

Logfile of HijackThis v1.99.1
Scan saved at 8:58:25 AM, on 5/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\system32\winlogon.exe
I:\WINDOWS\system32\services.exe
I:\WINDOWS\system32\lsass.exe
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Windows Defender\MsMpEng.exe
I:\WINDOWS\System32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
I:\WINDOWS\system32\spoolsv.exe
I:\WINDOWS\Explorer.EXE
I:\WINDOWS\system32\ntvdm.exe
I:\Program Files\Common Files\Real\Update_OB\realsched.exe
I:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
I:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
I:\Program Files\Analog Devices\SoundMAX\Smax4.exe
I:\Program Files\QuickTime\qttask.exe
I:\Program Files\Microsoft Hardware\Mouse\point32.exe
I:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe
I:\Program Files\iTunes\iTunesHelper.exe
I:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
I:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
I:\Program Files\Common Files\Symantec Shared\ccApp.exe
I:\Program Files\BroadJump\Client Foundation\CFD.exe
I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
I:\Program Files\Windows Defender\MSASCui.exe
I:\Program Files\Messenger\msmsgs.exe
I:\OPLIMIT\ocrawr32.exe
I:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
I:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
I:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
I:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
I:\Program Files\SEC\Natural Color\NaturalColorLoad.exe
I:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
I:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
I:\Program Files\Aladdin Systems\Internet Cleanup\ONICTASK.exe
I:\Program Files\OpenOffice.org 2.0\program\soffice.exe
I:\VSTASCAN\VSACCESS.EXE
I:\Program Files\OpenOffice.org 2.0\program\soffice.BIN
I:\Program Files\YCIII\YankClip.exe
I:\WINDOWS\system32\Ati2evxx.exe
I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
I:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
I:\Program Files\Aladdin Systems\Internet Cleanup\icserv.exe
I:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
I:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
I:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
I:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
I:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
I:\WINDOWS\system32\svchost.exe
I:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
I:\Program Files\iPod\bin\iPodService.exe
I:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\Program Files\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F3 - REG:win.ini: load=I:\OPLIMIT\ocraware.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ICHlprObj Class - {1f0c8547-2639-4c91-b8aa-c7eca24c3163} - I:\Program Files\Aladdin Systems\Internet Cleanup\IC3hlpr.dll
O2 - BHO: PopupFilter Class - {1F2E844B-8211-46ff-8262-772F03295CF4} - I:\Program Files\Aladdin Systems\Internet Cleanup\PopFiltr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - I:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - I:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - I:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - I:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - I:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "I:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] I:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] I:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] I:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "I:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "I:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PRONoMgr.exe] I:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [POINTER] I:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NeroCheck] I:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "I:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [iTunesHelper] "I:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "I:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [IPInSightLAN 01] "I:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [fontnav] "I:\Program Files\Corel\WordPerfect Office 2000\Font Navigator\FontNav.exe" *1
O4 - HKLM\..\Run: [ccApp] "I:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BJCFD] I:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] I:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Windows Defender] "I:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "I:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DW4] "I:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [RoboForm] "I:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - Startup: Camio Viewer.lnk = I:\Program Files\Sierra Imaging\Image Expert\IXApplet.exe
O4 - Startup: IC Task Manager.lnk = I:\Program Files\Aladdin Systems\Internet Cleanup\ONICTASK.exe
O4 - Startup: OpenOffice.org 2.0.lnk = I:\Program Files\OpenOffice.org 2.0\program\quickstart.exe
O4 - Startup: UMAX VistaAccess.lnk = I:\VSTASCAN\VSACCESS.EXE
O4 - Startup: Yankee Clipper III.lnk = I:\Program Files\YCIII\YankClip.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = I:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = I:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Corel Registration.lnk = I:\Program Files\Corel\WordPerfect Office 2000\Register\Remind32.exe
O4 - Global Startup: CorelCENTRAL Alarms.LNK = I:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NaturalColorLoad.lnk = ?
O4 - Global Startup: Norton GoBack.lnk = I:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar search - res://I:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &eBay Search - res://I:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Clear Fields - file://I:\Program Files\Siber Systems\AI RoboForm\RoboFormComClearFields.html
O8 - Extra context menu item: Customize Menu - file://I:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: Fill Forms - file://I:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://I:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://I:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1143304184890
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://216.255.49.249/activex/AxisCamControl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - I:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - I:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - I:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CleanService - Unknown owner - I:\PROGRA~1\STOMPS~1\PRIVAC~1\CleanService.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - I:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: icservice - Aladdin Systems, Inc. - I:\Program Files\Aladdin Systems\Internet Cleanup\icserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - I:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - I:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - I:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - I:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - I:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - I:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - I:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - I:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - I:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - I:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - I:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - I:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#4 pskelley (Staff Emeritus, 1,487 posts)

Posted 08 May 2006 - 12:48 PM

Thanks for returning your information and the feedback. Before we clean and remove the adware and clutter I see, I want to point to this item:
I:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe see this:
http://castlecops.com/startuplist-1690.html
Is this your cable company? If so, I would be asking them about it.

1) ewido scan:
Please download Ewido Security Suite; it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

2) Windows Defender may block the HJT fix; you may want to turn it off until you are finished:
Open Windows Defender, Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
(if you do not want this restriction, you may check and remove it...your call)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
(you can remove this option if you do not want it)
O11 - Options group: [INTERNATIONAL] International*

(nothing there should affect download speeds)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Enable hidden files & folders. Reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

5) Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Post the ewido scan results and a new HJT log. Let me know if there have been any changes in performance.

(keep in mind ewido will slow you down during the trial, and Prefetch will cause a slight slowing until it gets repopulated)

I am going to suggest that you post here:
http://www.bleepingcomputer.com/forums/f/14/web-browsingemail-and-other-internet-applications/
Those folks are knowledgeable in that area and may be able to help.

Thanks...Phil

Edited by pskelley, 08 May 2006 - 12:51 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
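The checks pskelley applies by eye in posts #2 and #4 (is Explorer.exe sitting directly in the Windows folder, whatever the drive letter; are two resident antivirus products running at once; which HJT entries point at a file that no longer exists) can be scripted against a HijackThis log. The Python below is an added illustration written for this page, not a tool from the thread or from the HijackThis project. The embedded log excerpt is constructed in HijackThis v1.99.1 format from lines in the logs above, with one made-up explorer.exe entry under a user profile folder added to exercise the location check; the antivirus path fragments are taken from the poster's own log and are the only products this toy recognises.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in HijackThis v1.99.1 format, modelled on the logs in
# this thread. The last "Running processes" line is a made-up suspicious entry
# added for the location check; it was not in the poster's log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:25:58 PM, on 5/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
I:\WINDOWS\System32\smss.exe
I:\WINDOWS\Explorer.EXE
I:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
I:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\user\explorer.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - I:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
"""

# Path fragments (lower-cased) identifying the two resident antivirus products
# seen in the poster's log. Assumed: extend for other products as needed.
AV_SIGNATURES = {
    "AVG (Grisoft)": "\\grisoft\\avgfre~1\\",
    "Norton AntiVirus": "\\norton antivirus\\",
}

# HJT marks an entry whose target is gone with one of these suffixes.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_hjt_log(text):
    """Split an HJT log into running-process paths and the numbered entries."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process list
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
        elif re.match(r"^[A-Z]\d{1,2} - ", line):  # R0, O2, O23, ...
            entries.append(line)
    return processes, entries


def explorer_location_ok(path):
    """The real Explorer.exe lives directly in the Windows folder, on whichever
    drive Windows was installed to (I:\ for this poster). Returns None when the
    file is not named explorer.exe, True when its parent is <drive>:\Windows,
    False for any other location, which deserves a closer look."""
    p = PureWindowsPath(path)
    if p.name.lower() != "explorer.exe":
        return None
    parent = p.parent
    return (parent.name.lower() == "windows"
            and parent.parent == PureWindowsPath(p.drive + "\\"))


def resident_antivirus(processes):
    """Which known antivirus products have a process running right now."""
    found = set()
    for proc in processes:
        low = proc.lower()
        for product, fragment in AV_SIGNATURES.items():
            if fragment in low:
                found.add(product)
    return sorted(found)


def orphan_entries(entries):
    """Entries whose target file is missing: leftover clutter that HJT can fix."""
    return [e for e in entries if e.lower().endswith(ORPHAN_MARKERS)]


def triage(text):
    """Run all three checks over one log and return the findings."""
    processes, entries = parse_hjt_log(text)
    av = resident_antivirus(processes)
    return {
        "explorer_ok": [p for p in processes if explorer_location_ok(p)],
        "explorer_suspicious": [p for p in processes
                                if explorer_location_ok(p) is False],
        "antivirus_products": av,
        "multiple_antivirus": len(av) > 1,
        "orphan_entries": orphan_entries(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against the sample, the script reports I:\WINDOWS\Explorer.EXE as legitimate, flags the profile-folder explorer.exe, lists both AVG and Norton as resident (the conflict pskelley calls the major problem in this log), and returns the three "(no file)" / "(file missing)" entries that match the ones he later marks for "Fix Checked".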

#5 pskelley (Staff Emeritus, 1,487 posts)

Posted 20 May 2006 - 03:25 PM

On May 8 2006, 01:48 PM I posted a request for:

Post the ewido scan results and a new HJT log. Let me know if there have been any changes in performance.


This post will be closed in 24 hours.

Thanks...pskelley
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
