
Virus Help


  • This topic is locked
14 replies to this topic

#1 blinkadict81

blinkadict81

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:42 PM

Posted 22 June 2006 - 10:30 PM

My computer keeps saying I have a virus, but my virus scanners pick up nothing.

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:27:37 PM, on 6/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\Babya Software Group\Babya Logic Pro\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bDBVaeOt] C:\WINDOWS\nopvc.exe
O4 - HKLM\..\Run: [bDBVh$v/fC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nopvc.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qamxvf.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Jbtzvb.exe
O4 - HKLM\..\Run: [WinNite] C:\WINDOWS\NITEAIM.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [wFsT3sj] davbvm50.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ho33RiH2O] ctliext.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\AIM95_c0\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugi...NetOpPlugin.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


Any help would be greatly appreciated!
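The O4 lines in the log above are the Run-key autostarts, which is where a helper looks first, because that is where random-looking value names, bare filenames with no directory, and executables dropped into the Windows root tend to show up. As an added example (not code from the poster, from BleepingComputer, or from HijackThis itself), the following Python script parses O4 lines in the v1.99.1 format and scores each one with a few structural heuristics. The sample entries are copied from the log posted above; the heuristic names, thresholds and the rundll32 target resolution are my own assumptions, and the output is a review queue for a human, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: O4 lines in HijackThis v1.99 format, copied from the
# log posted in this thread (mix of clearly legitimate and suspicious entries).
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r'O4 - HKLM\..\Run: [bDBVaeOt] C:\WINDOWS\nopvc.exe',
    r'O4 - HKLM\..\Run: [bDBVh$v/fC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nopvc.exe',
    r'O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qamxvf.exe',
    r'O4 - HKLM\..\Run: [WinNite] C:\WINDOWS\NITEAIM.EXE',
    r'O4 - HKLM\..\Run: [wFsT3sj] davbvm50.exe',
    r'O4 - HKCU\..\Run: [ho33RiH2O] ctliext.exe',
    r'O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent',
]

# "O4 - HKLM\..\Run: [ValueName] command line"
O4_RE = re.compile(r'^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[(.*)\] (.*)$')
VOWELS = set('aeiou')
WINDOWS_ROOTS = (r'c:\windows', r'c:\winnt')


@dataclass
class Autorun:
    hive: str
    name: str                 # registry value name shown in [brackets]
    command: str              # command line as HijackThis prints it
    target: str               # file the command ultimately loads
    flags: List[str] = field(default_factory=list)


def resolve_target(command: str) -> str:
    """Pick out the file a Run-key command actually loads."""
    command = command.strip()
    if command.startswith('"'):               # quoted path: take everything inside the quotes
        end = command.find('"', 1)
        end = len(command) if end == -1 else end
        exe, rest = command[1:end], command[end + 1:].strip()
    else:
        exe, _, rest = command.partition(' ')
    # rundll32 is only a host process; the interesting file is "<dll>,<EntryPoint>"
    if exe.lower() in ('rundll32', 'rundll32.exe'):
        return rest.split(',', 1)[0].strip()
    return exe


def looks_random(name: str) -> bool:
    """Heuristic (assumption): machine-generated names wedge digits between letters
    or have almost no vowels. Short names are skipped to limit false positives."""
    if re.search(r'[A-Za-z][0-9]+[A-Za-z]', name):
        return True
    letters = [c for c in name if c.isalpha()]
    if len(letters) >= 6:
        vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
        return vowel_ratio < 0.2
    return False


def parse_o4(line: str) -> Optional[Autorun]:
    m = O4_RE.match(line)
    if not m:
        return None
    hive, name, command = m.groups()
    return Autorun(hive, name, command, resolve_target(command))


def analyse(entry: Autorun) -> Autorun:
    """Attach review flags; each flag is a lead, not a conviction."""
    t = entry.target
    if ':' in entry.name or '\\' in entry.name:
        entry.flags.append('path_in_value_name')   # a value name never legitimately holds a path
    if looks_random(entry.name):
        entry.flags.append('random_value_name')
    if '\\' not in t:
        entry.flags.append('bare_filename')        # resolved through the PATH / Windows search order
    elif t.lower().rsplit('\\', 1)[0] in WINDOWS_ROOTS:
        entry.flags.append('windows_root_dir')     # legitimate autoruns rarely live in the Windows root
    stem = t.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    if looks_random(stem):
        entry.flags.append('random_target_name')
    return entry


def triage(lines: List[str]) -> List[Autorun]:
    return [analyse(e) for e in map(parse_o4, lines) if e is not None]


def suspicious(lines: List[str]) -> dict:
    """Map value name -> flags for every entry that raised at least one flag."""
    return {e.name: e.flags for e in triage(lines) if e.flags}


if __name__ == '__main__':
    for name, flags in suspicious(SAMPLE_O4_LINES).items():
        print(f'[{name}] -> {", ".join(flags)}')
```

Run on the sample, the NVIDIA, Symantec and Steam entries come out clean while the two entries with digit-salted names, the bare `davbvm50.exe` / `ctliext.exe` targets, the value name that has a whole path stuffed into it, and the executables sitting in `C:\WINDOWS` itself are all queued for review. The vowel-ratio rule will still misfire on legitimate abbreviations (system components without vowels are common), which is why the result is a review list to be read alongside scanner output rather than an automatic removal list.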



#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:42 PM

Posted 23 June 2006 - 06:24 AM

Welcome aboard.. :thumbsup:

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30-day trial of the program.
  • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
  • IMPORTANT: Do not open any other windows or programs while Ewido is scanning; it may interfere with the scanning process.
  • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode and post back with the Ewido results. :flowers:

Hi there, stranger!

#3 blinkadict81

blinkadict81
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:42 PM

Posted 23 June 2006 - 03:41 PM

OK, I did what you said and here are the results:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:30:55 PM 6/23/2006

+ Scan result:



C:\Documents and Settings\T-BoNe\Local Settings\Temp\Del39F.tmp -> Adware.180Solutions : Cleaned with backup (quarantined).
HKLM\SOFTWARE\AutoLoader -> Adware.Apropos : Cleaned with backup (quarantined).
HKLM\SOFTWARE\AutoLoader\ws3Z1YWWVQXd -> Adware.Apropos : Cleaned with backup (quarantined).
HKLM\SOFTWARE\AutoLoader\ws3v1YWWVQXd -> Adware.Apropos : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Adware.DealHelper : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{736B5468-BDAD-41BE-92D0-22AE2DDF7BCB} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objecta\{4da4616d-7e6e-4fd9-a2d5-b6c535733e22} -> Adware.Generic : Cleaned with backup (quarantined).
C:\My Downloads\My Documents\backups\backup-20050714-224641-710.dll -> Adware.HotSearchBar : Cleaned with backup (quarantined).
C:\WINDOWS\pxckdlauninstall.exe -> Adware.NoName : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\WINDOWS\system32\srcamon.exe -> Downloader.Agent.ed : Cleaned with backup (quarantined).
C:\WINDOWS\system32\stoui0.exe -> Downloader.Apropo.ac : Cleaned with backup (quarantined).
C:\My Downloads\My Documents\backups\backup-20050617-104245-555.dll -> Downloader.Apropo.ad : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll -> Downloader.IstBar.fa : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\iinstall.exe -> Downloader.IstBar.ir : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\A9AnxB.exe -> Downloader.IstBar.jl : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\Pp5ACq.exe -> Downloader.IstBar.jl : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\ZP36Ru.exe -> Downloader.IstBar.jl : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\civF9W.exe -> Downloader.IstBar.jl : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\e2djQh.exe -> Downloader.IstBar.jl : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\sdDEt4.exe -> Downloader.IstBar.jl : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\01hDfq.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\0C1DSJ.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\5HhCAn.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\6XjbQe.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\7ACPwN.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\8tJbGA.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\9WB73l.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\9XOcNb.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\9fhTO7.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\ERPPYS.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\Ewqw4d.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\F9sfIh.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\FdgnmI.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\FmfxtE.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\FsLpPg.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\Ft9QEF.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\O1QDtb.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\QjPYay.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\WrdCuA.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\d65AJj.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\dcjdfd.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\kdkSbx.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\lIFXva.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\qul2cF.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\w4R1kK.exe -> Downloader.IstBar.ka : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-583907252-1214440339-725345543-1003\Dc590.exe -> Downloader.Zlob.un : Cleaned with backup (quarantined).
C:\WINDOWS\system32\simpole.tlb -> Downloader.Zlob.ut : Cleaned with backup (quarantined).
C:\My Downloads\My Documents\backups\backup-20050628-004205-282.dll -> Not-A-Virus.VirTool.Win32.Collector : Cleaned with backup (quarantined).
C:\Documents and Settings\T-BoNe\Local Settings\Temp\nhikinma.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\nafkbpma.exe -> Trojan.Dialer.ay : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024 -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldA1DD.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\1024\ldFC0E.tmp -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\atmclk.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dfrgsrv.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ginuerep.dll -> Trojan.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\interf.tlb -> Trojan.Small : Cleaned with backup (quarantined).


::Report end

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:42 PM

Posted 23 June 2006 - 08:27 PM

And a fresh HijackThis log please.. :thumbsup:
Hi there, stranger!

#5 blinkadict81

blinkadict81
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:42 PM

Posted 24 June 2006 - 11:47 AM

Sorry, here's the HijackThis log :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 12:44:41 PM, on 6/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\Babya Software Group\Babya Logic Pro\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bDBVaeOt] C:\WINDOWS\nopvc.exe
O4 - HKLM\..\Run: [bDBVh$v/fC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nopvc.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Qamxvf.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Jbtzvb.exe
O4 - HKLM\..\Run: [WinNite] C:\WINDOWS\NITEAIM.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [wFsT3sj] davbvm50.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ho33RiH2O] ctliext.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\AIM95_c0\aim.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugi...NetOpPlugin.ocx
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:07:42 PM

Posted 24 June 2006 - 01:35 PM

Ok.. Go ahead and uninstall Ewido if you want :thumbsup:

Then please uninstall this entry through Add/Remove programs if present:

180solutions

Let's run another trial scanner:

Please download WebRoot SpySweeper from HERE (it's a 2-week trial):
  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply. :flowers:

Hi there, stranger!

#7 blinkadict81

blinkadict81
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:12:42 PM

Posted 24 June 2006 - 10:18 PM

Alright, here's the Spy Sweeper log:


********
9:54 PM: | Start of Session, Saturday, June 24, 2006 |
9:54 PM: Spy Sweeper started
9:54 PM: Sweep initiated using definitions version 706
9:55 PM: Starting Memory Sweep
10:03 PM: Memory Sweep Complete, Elapsed Time: 00:08:20
10:03 PM: Starting Registry Sweep
10:03 PM: Found Adware: antivirus gold components
10:03 PM: HKCR\appid\{70f17c8c-1744-41b6-9d07-575db448dcc5}\ (1 subtraces) (ID = 103594)
10:03 PM: HKLM\software\classes\appid\{70f17c8c-1744-41b6-9d07-575db448dcc5}\ (1 subtraces) (ID = 103633)
10:03 PM: Found Adware: apropos
10:03 PM: HKCR\clsid\{b5ab638f-d76c-415b-a8f2-f3ceac502212}\ (7 subtraces) (ID = 103726)
10:03 PM: HKCR\clsid\{bc333116-6ea1-40a1-9d07-ecb192db8cea}\ (4 subtraces) (ID = 103729)
10:03 PM: HKLM\software\aprps\ (8 subtraces) (ID = 103741)
10:03 PM: HKLM\software\classes\clsid\{b5ab638f-d76c-415b-a8f2-f3ceac502212}\ (7 subtraces) (ID = 103764)
10:03 PM: HKLM\software\classes\clsid\{bc333116-6ea1-40a1-9d07-ecb192db8cea}\ (4 subtraces) (ID = 103767)
10:03 PM: HKLM\software\classes\interface\{b99a727f-0782-4a71-bcc2-6e1e66414904}\ (5 subtraces) (ID = 103772)
10:03 PM: HKLM\software\classes\interface\{b548b7d8-3d03-4aed-a6a1-4251fad00c10}\ (5 subtraces) (ID = 103773)
10:03 PM: HKLM\software\classes\interface\{bc333116-6ea1-40a1-9d07-ecb192db8cea}\ (5 subtraces) (ID = 103774)
10:03 PM: Found Adware: dealhelper
10:03 PM: HKLM\software\microsoft\windows\currentversion\run\ || secure (ID = 124798)
10:03 PM: Found Adware: keyhost hijacker - jraun
10:03 PM: HKLM\software\microsoft\windows\currentversion\run\ || version (ID = 124800)
10:03 PM: HKLM\software\microsoft\windows\currentversion\run\ || version (ID = 124800)
10:03 PM: Found Adware: 180search assistant/zango
10:03 PM: HKLM\software\microsoft\windows\currentversion\run\ || sais (ID = 135727)
10:03 PM: Found Adware: relatedlinks bho
10:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\relatedlinks\ (2 subtraces) (ID = 139388)
10:03 PM: Found Trojan Horse: fu rootkit components
10:03 PM: HKLM\system\currentcontrolset\services\msdirectx\ (7 subtraces) (ID = 144200)
10:03 PM: Found Adware: ist yoursitebar
10:03 PM: HKCR\clsid\{86227d9c-0efe-4f8a-aa55-30386a3f5686}\ (2 subtraces) (ID = 147831)
10:03 PM: HKCR\interface\{90ce74cc-788a-4a00-b38d-cbca08cc9e8f}\ (8 subtraces) (ID = 147833)
10:03 PM: HKLM\software\classes\clsid\{86227d9c-0efe-4f8a-aa55-30386a3f5686}\ (2 subtraces) (ID = 147837)
10:03 PM: HKLM\software\classes\interface\{90ce74cc-788a-4a00-b38d-cbca08cc9e8f}\ (8 subtraces) (ID = 147839)
10:03 PM: HKLM\software\classes\typelib\{cc257918-f435-4a33-8231-2b8195990cca}\ (9 subtraces) (ID = 147843)
10:03 PM: Found Adware: ist software
10:03 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/ysbactivex.dll\ (2 subtraces) (ID = 147854)
10:03 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ysbactivex.dll (ID = 147857)
10:03 PM: HKCR\typelib\{cc257918-f435-4a33-8231-2b8195990cca}\ (9 subtraces) (ID = 147862)
10:03 PM: Found Adware: zippy-lookup
10:03 PM: HKCR\clsid\{ad913968-9823-434b-9701-f172dca7388f}\ (11 subtraces) (ID = 147997)
10:03 PM: HKCR\clsid\{c1849f93-2bd2-4e07-8b4f-768570d52634}\ (11 subtraces) (ID = 147998)
10:03 PM: HKCR\clsid\{fee41eed-1da6-46c9-8ec6-f0be1b7157dc}\ (22 subtraces) (ID = 147999)
10:03 PM: HKLM\software\classes\clsid\{ad913968-9823-434b-9701-f172dca7388f}\ (11 subtraces) (ID = 148001)
10:03 PM: HKLM\software\classes\clsid\{c1849f93-2bd2-4e07-8b4f-768570d52634}\ (11 subtraces) (ID = 148002)
10:03 PM: HKLM\software\classes\clsid\{fee41eed-1da6-46c9-8ec6-f0be1b7157dc}\ (22 subtraces) (ID = 148003)
10:03 PM: HKLM\software\classes\typelib\{1376f359-8d91-4a0b-89a0-59439a59c342}\ (9 subtraces) (ID = 148004)
10:03 PM: HKLM\software\classes\zippy.amo.1\ (3 subtraces) (ID = 148005)
10:03 PM: HKLM\software\classes\zippy.amo\ (5 subtraces) (ID = 148006)
10:03 PM: HKLM\software\classes\zippy.iiittt.1\ (3 subtraces) (ID = 148007)
10:03 PM: HKLM\software\classes\zippy.iiittt\ (5 subtraces) (ID = 148008)
10:03 PM: HKLM\software\classes\zippy.momo.1\ (3 subtraces) (ID = 148009)
10:03 PM: HKLM\software\classes\zippy.momo\ (5 subtraces) (ID = 148010)
10:03 PM: HKLM\software\classes\zippy.ohb.1\ (3 subtraces) (ID = 148011)
10:03 PM: HKLM\software\classes\zippy.ohb\ (5 subtraces) (ID = 148012)
10:03 PM: HKCR\typelib\{1376f359-8d91-4a0b-89a0-59439a59c342}\ (9 subtraces) (ID = 148014)
10:03 PM: HKCR\zippy.amo.1\ (3 subtraces) (ID = 148015)
10:03 PM: HKCR\zippy.amo\ (5 subtraces) (ID = 148016)
10:03 PM: HKCR\zippy.iiittt\ (5 subtraces) (ID = 148017)
10:03 PM: HKCR\zippy.momo.1\ (3 subtraces) (ID = 148018)
10:03 PM: HKCR\zippy.momo\ (5 subtraces) (ID = 148019)
10:03 PM: HKCR\zippy.ohb.1\ (3 subtraces) (ID = 148020)
10:03 PM: HKCR\zippy.ohb\ (5 subtraces) (ID = 148021)
10:03 PM: Found Adware: security2k hijacker
10:03 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objecta\ (2 subtraces) (ID = 735573)
10:03 PM: Found Adware: spyfalcon
10:03 PM: HKCR\clsid\{330a77c2-c15a-43b5-055c-b4e35eaed279}\ (29 subtraces) (ID = 1150214)
10:03 PM: HKLM\software\classes\clsid\{330a77c2-c15a-43b5-055c-b4e35eaed279}\ (29 subtraces) (ID = 1150256)
10:03 PM: Found Trojan Horse: trojan-downloader-zlob
10:03 PM: HKCR\emediacodec.chl\ (2 subtraces) (ID = 1159199)
10:03 PM: HKLM\software\classes\emediacodec.chl\ (2 subtraces) (ID = 1159202)
10:03 PM: HKLM\software\microsoft\windows\currentversion\app paths\ecodec.exe\ (1 subtraces) (ID = 1159208)
10:03 PM: HKLM\software\microsoft\windows\currentversion\uninstall\emedia codec\ (6 subtraces) (ID = 1159210)
10:03 PM: Found Adware: spyware quake
10:03 PM: HKCR\clsid\{5b55c4e3-c179-ba0b-b4fd-f2db862d6202}\ (19 subtraces) (ID = 1218826)
10:03 PM: HKLM\software\classes\clsid\{5b55c4e3-c179-ba0b-b4fd-f2db862d6202}\ (19 subtraces) (ID = 1218857)
10:03 PM: HKCR\media-codec.chl\ (2 subtraces) (ID = 1247790)
10:03 PM: HKLM\software\classes\media-codec.chl\ (2 subtraces) (ID = 1247793)
10:03 PM: Found Adware: popuper
10:03 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objecta\{686a161d-5bd1-4999-8832-6393f41e564c}\ (1 subtraces) (ID = 1505707)
10:03 PM: HKCR\typelib\{9163b40f-fed6-4b74-a4b2-b73b24e8b0e6}\ (9 subtraces) (ID = 1516833)
10:03 PM: HKLM\software\classes\typelib\{9163b40f-fed6-4b74-a4b2-b73b24e8b0e6}\ (9 subtraces) (ID = 1516866)
10:03 PM: HKU\S-1-5-21-583907252-1214440339-725345543-1003\software\aprps\ (7 subtraces) (ID = 103740)
10:03 PM: Found Adware: ist sidefind
10:03 PM: HKU\S-1-5-21-583907252-1214440339-725345543-1003\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
10:03 PM: HKU\S-1-5-21-583907252-1214440339-725345543-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {86227d9c-0efe-4f8a-aa55-30386a3f5686} (ID = 147853)
10:03 PM: HKU\S-1-5-21-583907252-1214440339-725345543-1003\software\_zippy\ (2407 subtraces) (ID = 646226)
10:03 PM: Found Adware: spywareno! components
10:03 PM: HKU\S-1-5-21-583907252-1214440339-725345543-1003\software\sno2\ (ID = 782236)
10:03 PM: Found Adware: security toolbar
10:03 PM: HKU\S-1-5-21-583907252-1214440339-725345543-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {736b5468-bdad-41be-92d0-22ae2ddf7bcb} (ID = 1070479)
10:03 PM: Registry Sweep Complete, Elapsed Time:00:00:18
10:03 PM: Starting Cookie Sweep
10:03 PM: Found Spy Cookie: yieldmanager cookie
10:03 PM: t-bone@ad.yieldmanager[1].txt (ID = 3751)
10:03 PM: Found Spy Cookie: tacoda cookie
10:03 PM: t-bone@anad.tacoda[1].txt (ID = 6445)
10:03 PM: Found Spy Cookie: atwola cookie
10:03 PM: t-bone@atwola[1].txt (ID = 2255)
10:03 PM: Found Spy Cookie: belnk cookie
10:03 PM: t-bone@belnk[1].txt (ID = 2292)
10:03 PM: Found Spy Cookie: casalemedia cookie
10:03 PM: t-bone@casalemedia[1].txt (ID = 2354)
10:03 PM: t-bone@dist.belnk[2].txt (ID = 2293)
10:03 PM: Found Spy Cookie: realmedia cookie
10:03 PM: t-bone@network.realmedia[1].txt (ID = 3236)
10:03 PM: t-bone@realmedia[1].txt (ID = 3235)
10:03 PM: t-bone@tacoda[1].txt (ID = 6444)
10:03 PM: Found Spy Cookie: zedo cookie
10:03 PM: t-bone@zedo[1].txt (ID = 3762)
10:03 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
10:03 PM: Starting File Sweep
10:03 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:04 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:04 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:04 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:04 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:04 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:05 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:05 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:05 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:05 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:05 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:05 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:06 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:06 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:06 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:06 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:06 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:06 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:07 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:07 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:07 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:07 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:07 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:08 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:08 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:08 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:08 PM: Warning: Failed to read from disk: Data error (cyclic redundancy check)
10:08 PM: Warning: Failed to read MFT entry 15857
10:08 PM: Found Adware: winad
10:08 PM: c:\program files\mediagateway (ID = -2147463340)
10:08 PM: c:\windows\system32\cache32_zippy (2 subtraces) (ID = -2147479977)
10:08 PM: c:\documents and settings\t-bone\local settings\temp\atf (ID = -2147481416)
10:10 PM: jbtzvbu3.xml (ID = 57652)
10:11 PM: eictwxu1.xml (ID = 57650)
10:11 PM: dattoyk2.xml (ID = 57648)
10:12 PM: eictwxk2.xml (ID = 57648)
10:15 PM: dattoyk1.xml (ID = 57647)
10:15 PM: jbtzvbk1.xml (ID = 57647)
10:18 PM: Warning: Failed to open file "c:\system volume information\_restore{49783a7e-6d48-4a26-bd29-24ba7e6705b2}\fifoed\change.log.1". Data error (cyclic redundancy check)
10:18 PM: jbtzvbk2.xml (ID = 57648)
10:19 PM: Found Adware: shopnavupdater
10:19 PM: a0068826.exe (ID = 146037)
10:20 PM: eictwxk1.xml (ID = 57647)
10:20 PM: spywarequake[1].htm (ID = 300119)
10:22 PM: jbtzvbu2.xml (ID = 57651)
10:22 PM: eictwxu.xml (ID = 57649)
10:22 PM: eictwxk.xml (ID = 57646)
10:23 PM: eictwxu2.xml (ID = 57651)
10:23 PM: jbtzvbk.xml (ID = 57646)
10:34 PM: dattoyk.xml (ID = 57646)
10:37 PM: dattoyu.xml (ID = 57649)
10:39 PM: jbtzvbu1.xml (ID = 57650)
10:40 PM: a0068824.exe (ID = 50017)
10:40 PM: a0068825.exe (ID = 50046)
10:49 PM: jbtzvbu.xml (ID = 57649)
10:49 PM: wxgrtyu.xml (ID = 57649)
10:49 PM: wxgrtyu1.xml (ID = 57650)
10:49 PM: wxgrtyu2.xml (ID = 57651)
10:49 PM: wxgrtyk.xml (ID = 57646)
10:50 PM: wxgrtyk1.xml (ID = 57647)
10:50 PM: wxgrtyk2.xml (ID = 57648)
10:56 PM: dattoyu1.xml (ID = 57650)
10:59 PM: dattoyu2.xml (ID = 57651)
11:00 PM: a0068524.exe (ID = 315742)
11:01 PM: lbbho.ini (ID = 73732)
11:02 PM: jbtzvbdk.xml (ID = 57645)
11:02 PM: dattoydk.xml (ID = 57645)
11:02 PM: wxgrtydk.xml (ID = 57645)
11:02 PM: eictwxdk.xml (ID = 57645)
11:02 PM: backup-20050628-004206-531.inf (ID = 91033)
11:02 PM: a0068523.bat (ID = 202688)
11:02 PM: Found Adware: members area dialer
11:02 PM: h91746.exe (ID = 239302)
11:02 PM: Found Adware: shopathomeselect
11:02 PM: bundlep_isearchtech1004.sah (ID = 75698)
11:02 PM: Warning: Unhandled Archive Type
11:02 PM: Warning: Unhandled Archive Type
11:02 PM: Warning: Unhandled Archive Type
11:02 PM: Warning: Unhandled Archive Type
11:02 PM: Warning: Unhandled Archive Type
11:03 PM: File Sweep Complete, Elapsed Time: 00:59:17
11:03 PM: Full Sweep has completed. Elapsed time 01:08:05
11:03 PM: Traces Found: 2930
11:12 PM: Removal process initiated
11:12 PM: Quarantining All Traces: 180search assistant/zango
11:12 PM: Quarantining All Traces: fu rootkit components
11:12 PM: Quarantining All Traces: ist yoursitebar
11:12 PM: Quarantining All Traces: popuper
11:12 PM: Quarantining All Traces: security2k hijacker
11:12 PM: Quarantining All Traces: trojan-downloader-zlob
11:12 PM: Quarantining All Traces: apropos
11:12 PM: Quarantining All Traces: shopathomeselect
11:12 PM: Quarantining All Traces: winad
11:12 PM: Quarantining All Traces: antivirus gold components
11:12 PM: Quarantining All Traces: dealhelper
11:13 PM: Quarantining All Traces: ist sidefind
11:13 PM: Quarantining All Traces: ist software
11:13 PM: Quarantining All Traces: keyhost hijacker - jraun
11:13 PM: Quarantining All Traces: members area dialer
11:13 PM: Quarantining All Traces: relatedlinks bho
11:13 PM: Quarantining All Traces: security toolbar
11:13 PM: Quarantining All Traces: shopnavupdater
11:13 PM: Quarantining All Traces: spyfalcon
11:13 PM: Quarantining All Traces: spyware quake
11:13 PM: Quarantining All Traces: spywareno! components
11:13 PM: Quarantining All Traces: zippy-lookup
11:13 PM: Quarantining All Traces: atwola cookie
11:13 PM: Quarantining All Traces: belnk cookie
11:13 PM: Quarantining All Traces: casalemedia cookie
11:13 PM: Quarantining All Traces: realmedia cookie
11:13 PM: Quarantining All Traces: tacoda cookie
11:13 PM: Quarantining All Traces: yieldmanager cookie
11:13 PM: Quarantining All Traces: zedo cookie
11:13 PM: Removal process completed. Elapsed time 00:00:58
********
9:53 PM: | Start of Session, Saturday, June 24, 2006 |
9:53 PM: Spy Sweeper started
9:53 PM: Your spyware definitions have been updated.
9:54 PM: | End of Session, Saturday, June 24, 2006 |


thanks :thumbsup:

#8 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 25 June 2006 - 06:46 AM

Go ahead and remove SpySweeper and Ewido if you wish.. :thumbsup:

Please post a fresh HijackThis log along with the following..

Download GMER:
  • Unzip it and double-click GMER.exe
  • Click the rootkit-tab and click scan.
  • Once done, click Copy.
  • This will copy the results to clipboard.
  • Paste the results in your next reply.

Hi there, stranger!

#9 blinkadict81
  • Topic Starter
  • Members
  • 8 posts

Posted 25 June 2006 - 09:16 AM

ok here are the 2 logs:



GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-06-25 10:10:56
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwCreateKey
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwCreateProcess
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwCreateProcessEx
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwDeleteKey
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwDeleteValueKey
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwRenameKey
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwSetInformationKey
SSDT \SystemRoot\system32\Drivers\SSI.SYS ZwSetValueKey
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP_POWER [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP_POWER [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP_POWER [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP_POWER [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP [EB14220C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP_POWER [EB14220C] SSI.SYS
---- Processes - GMER 1.0.10 ----

Library C:\WINDOWS\system32\viwpzla.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [552] 0x00B80000 <-- ROOTKIT !!!

---- Registry - GMER 1.0.10 ----

Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg \Registry\MACHINE\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- Files - GMER 1.0.10 ----

File C:\System Volume Information\MountPointManagerRemoteDatabase
File C:\System Volume Information\tracking.log
File C:\System Volume Information\_restore{49783A7E-6D48-4A26-BD29-24BA7E6705B2}
File E:\System Volume Information\MountPointManagerRemoteDatabase
File E:\System Volume Information\tracking.log
File E:\System Volume Information\_restore{49783A7E-6D48-4A26-BD29-24BA7E6705B2}

---- EOF - GMER 1.0.10 ----



--------------------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:11:52 AM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM+\AIM+.exe
C:\Program Files\AIM\AIM95_c0\aim.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\AIM+\AIM+.exe
C:\Program Files\AIM\AIM95_c1\aim.exe
C:\WINDOWS\system32\notepad.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\Babya Software Group\Babya Logic Pro\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [bDBVaeOt] C:\WINDOWS\nopvc.exe
O4 - HKLM\..\Run: [bDBVh$v/fC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nopvc.exe
O4 - HKLM\..\Run: [WinNite] C:\WINDOWS\NITEAIM.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [wFsT3sj] davbvm50.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ho33RiH2O] ctliext.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\AIM95_c1\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugi...NetOpPlugin.ocx
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#10 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 25 June 2006 - 10:23 AM

Alright.. :thumbsup:

Download and run the following tool: http://securityresponse.symantec.com/avcenter/FxIstbar.exe

Reboot once it has finished.

==

Go to My Computer > Tools > Folder Options > View tab and make sure that "Show hidden files and folders" is enabled. Also make sure that the system files and folders are showing / visible: uncheck the "Hide protected operating system files" option.

Uninstall these entries through Add/Remove programs IF present:

Viewpoint
New.Net
ISTsvc


Please run a scan with HijackThis and check the following objects for removal if present:

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [bDBVaeOt] C:\WINDOWS\nopvc.exe
O4 - HKLM\..\Run: [bDBVh$v/fC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\nopvc.exe
O4 - HKLM\..\Run: [WinNite] C:\WINDOWS\NITEAIM.EXE
O4 - HKLM\..\Run: [wFsT3sj] davbvm50.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup -s
O4 - HKCU\..\Run: [ho33RiH2O] ctliext.exe


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Please reboot.

==

After reboot, navigate to and delete the following folders/files IF present:

C:\Program Files\Viewpoint
C:\WINDOWS\nopvc.exe
C:\Program Files\NewDotNet
C:\Program Files\ISTsvc
C:\WINDOWS\system32\viwpzla.dll
C:\WINDOWS\NITEAIM.EXE


==

And do a Windows File search for the following files and delete IF present:

davbvm50.exe
ctliext.exe


==

Clean out temporary files:
  • Click Start -> Run and type in: cleanmgr
  • Click "Ok".
  • Let it scan your system.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only ones checked.
  • Click "OK" to remove them.
  • Click "Yes" to confirm the deletion.
==

Post a fresh HijackThis log. :flowers:
Hi there, stranger!
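The O4 and O20 lines Rawe singled out in the post above share a few visible traits that can be screened mechanically before a helper reads the rest. As an added example (not code from this thread, from HijackThis or from BleepingComputer), the Python below parses HijackThis O4 Run and O20 Winlogon Notify entries and flags four patterns: a file given with no directory (found via PATH lookup), an executable sitting directly in C:\WINDOWS rather than system32 or Program Files, a value name with digits mixed into letters, and a Winlogon Notify DLL marked "(file missing)". The sample log is constructed from lines quoted in this thread; the rule names, the `rundll32` unwrapping and the thresholds are my own choices, not a published HijackThis rule set.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: O4, O20 and O23 lines copied from the HijackThis
# logs quoted in this thread, arranged so clean and suspicious entries sit
# side by side.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bDBVaeOt] C:\WINDOWS\nopvc.exe
O4 - HKLM\..\Run: [WinNite] C:\WINDOWS\NITEAIM.EXE
O4 - HKLM\..\Run: [wFsT3sj] davbvm50.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ho33RiH2O] ctliext.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
# Executable or DLL path at the start of a command, quoted or not; also copes
# with unquoted paths that contain spaces by stopping at the first extension.
TARGET_RE = re.compile(r'"?(.*?\.(?:exe|dll|ocx))"?', re.IGNORECASE)


@dataclass
class Finding:
    section: str          # HijackThis section, e.g. O4 or O20
    name: str             # registry value name or notify key
    target: str           # file the entry points at
    reasons: list = field(default_factory=list)


def first_target(command: str) -> str:
    """Return the file a Run command launches, stripping quotes and arguments."""
    m = TARGET_RE.match(command.strip())
    if m:
        return m.group(1)
    parts = command.split()
    return parts[0] if parts else ""


def looks_random(name: str) -> bool:
    """Heuristic: digits sandwiched between letters, e.g. wFsT3sj or ho33RiH2O."""
    return re.search(r"[A-Za-z]\d+[A-Za-z]", name) is not None


def triage_run_entry(name: str, command: str) -> Finding:
    """Apply the O4 heuristics to one Run value."""
    target = first_target(command)
    if target.lower() in ("rundll32.exe", "rundll32"):
        # rundll32 is only a host; the DLL it loads is what we inspect.
        rest = command.strip().split(None, 1)
        target = first_target(rest[1]) if len(rest) > 1 else ""
    f = Finding("O4", name, target)
    if "\\" not in target:
        f.reasons.append("bare filename, located via PATH lookup")
    elif target.rsplit("\\", 1)[0].lower() == r"c:\windows":
        f.reasons.append("file sits directly in the Windows directory")
    if looks_random(name):
        f.reasons.append("value name mixes digits into letters like a random string")
    return f


def triage_notify_entry(name: str, rest: str) -> Finding:
    """O20 entries: a DLL that no longer exists is an orphan worth cleaning up."""
    f = Finding("O20", name, rest)
    if "(file missing)" in rest:
        f.reasons.append("Winlogon Notify DLL is not on disk")
    return f


def triage_log(text: str) -> list:
    """Return the O4/O20 entries that picked up at least one reason, in log order."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            f = triage_run_entry(m.group(2), m.group(3))
        elif m := NOTIFY_RE.match(line):
            f = triage_notify_entry(m.group(1), m.group(2))
        else:
            continue
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.target}: {'; '.join(f.reasons)}")
```

The output is a worklist for a human reviewer, not a removal list: the `nwiz` entry is flagged only because `nwiz.exe` is given without a path, and it is the legitimate NVIDIA helper that also appears in the clean log posted later in the thread. The four random-looking or misplaced entries Rawe told the poster to fix (`bDBVaeOt`, `WinNite`, `wFsT3sj`, `ho33RiH2O`) all come out with at least one reason, while the rundll32-hosted NVIDIA entry and Steam come out clean.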

#11 blinkadict81

blinkadict81
  • Topic Starter

  • Members
  • 8 posts
  • Local time:12:42 PM

Posted 25 June 2006 - 02:23 PM

Logfile of HijackThis v1.99.1
Scan saved at 3:20:40 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\Program Files\Babya Software Group\Babya Logic Pro\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.1.2.76.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {E991BDE0-9816-4094-853E-6BDB60F0342D} (Get_ActiveX Control) - http://apps.corel.com/nos_dl_manager/plugi...NetOpPlugin.ocx
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\system32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:07:42 PM

Posted 25 June 2006 - 03:01 PM

Rehide hidden files.

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have this icon next to it: [image]
    Select it and click Remove.
    • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
    • It will say "Java Plug-in" under the icon.
      Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
    • If you are unable to update you can manually update by going here: http://www.java.com/en/download/manual.jsp
  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
    Downloaded Applets
    Downloaded Applications
    Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
==

How's the system running now? :thumbsup:

#13 blinkadict81

blinkadict81
  • Topic Starter

  • Members
  • 8 posts
  • Local time:12:42 PM

Posted 26 June 2006 - 12:35 PM

thank you very much for the help! the virus is gone and the computer seems to be back to normal. Really appreciate the fast responses and detailed walk-throughs.

Thanks again!

#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:07:42 PM

Posted 26 June 2006 - 01:42 PM

Glad to be of help :thumbsup:

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Kerio Personal Firewall and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place? (My favourite)
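On the HOSTS file mechanism in the prevention tips above: as an added example (not code from this thread, from MVPS or from BleepingComputer), the Python below parses a hosts file in the MVPS layout, shows how a listed ad site resolves to 127.0.0.1 while an unlisted name falls through to normal DNS, and audits the file for entries that point anywhere other than the loopback or blackhole addresses. That audit is the caveat a defender wants: the same file that blocks ad servers can be edited to redirect legitimate sites, so anything other than 127.0.0.1, 0.0.0.0 or ::1 in it deserves a look. The sample content, hostnames and the 192.0.2.10 address are constructed.

```python
import ipaddress

# Constructed sample in the MVPS layout: comment header, then "address hostname"
# lines. The last line is constructed to show what a tampered entry looks like:
# a real-looking site pointed at a non-loopback address.
SAMPLE_HOSTS = """\
# Constructed header comment standing in for the MVPS file banner
127.0.0.1  localhost
127.0.0.1  ads.example.net        # constructed ad server entry
127.0.0.1  tracker.example.org
0.0.0.0    banners.example.com    # 0.0.0.0 is the other common blackhole form
192.0.2.10 update.example-antivirus.test  # constructed: suspicious redirect
"""

# Addresses a blocking hosts file legitimately uses; anything else is audited.
BLACKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> dict:
    """Return {hostname: address} from hosts-file text, ignoring comments.

    The first line naming a host wins, which is the entry the resolver uses.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # address with no hostname
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed address, skip the line
        for host in parts[1:]:
            table.setdefault(host.lower(), parts[0])
    return table


def resolve(table: dict, hostname: str):
    """Address the hosts file supplies for hostname, or None if DNS decides."""
    return table.get(hostname.lower())


def is_blocked(table: dict, hostname: str) -> bool:
    """True when the hosts file sinkholes the name to a blackhole address."""
    return resolve(table, hostname) in BLACKHOLE_ADDRESSES


def audit(table: dict) -> dict:
    """Entries that redirect a name somewhere other than a blackhole address."""
    return {h: a for h, a in table.items() if a not in BLACKHOLE_ADDRESSES}


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    print("ads.example.net ->", resolve(table, "ads.example.net"))
    print("www.example.com ->", resolve(table, "www.example.com"))
    for host, addr in audit(table).items():
        print(f"REVIEW: {host} is redirected to {addr}")
```

Run it and the only entry the audit reports is the constructed `update.example-antivirus.test` line; the ad and tracker names are blocked, and a name not in the file resolves to `None`, meaning ordinary DNS handles it.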

#15 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:07:42 PM

Posted 27 June 2006 - 02:31 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. :thumbsup: