Smitfraud


  • This topic is locked
19 replies to this topic

#1 ebud

ebud

  • Members
  • 23 posts
  • OFFLINE
  • Location:North Van
  • Local time:10:50 PM

Posted 29 November 2006 - 09:26 PM

I get a svchost window on start up... it just sits there. If I am plugged into the net, IE gets hijacked to various spyware removal suggestions, etc.

Used Spybot S&D and it located various things and removed them, but the Smitfraud thing keeps coming back.


Here is my HijackThis log... suggestions please, or do I need to do a rebuild!

Logfile of HijackThis v1.99.1
Scan saved at 6:00:36 PM, on 11/29/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\MSN Toolbar Suite\SL\02.05.0001.1119\en-us\msn_sl.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Highjackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [szr_32.exe] szr_32.exe
O4 - HKCU\..\Run: [glqfb] C:\WINNT\system32\kwflao.exe reg_run
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/229?d6abd98e812146bdb2e8a8e03b731717
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-us\msntabres.dll/230?d6abd98e812146bdb2e8a8e03b731717
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Shaw Help - {2851F27F-AFC5-45A9-8ED3-D6587D65F348} - http://support.shaw.home.com (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.ca
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O23 - Service: ATIintergrated - Unknown owner - C:\WINNT\atigraphics.exe (file missing)
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSPC\fshttps\fshttps.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINNT\system32\rpcsvc.exe (file missing)
O23 - Service: Socks-Cap (Sc32Inch) - Unknown owner - C:\WINNT\Sc32Inch.exe (file missing)
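The first thing a helper does with a log like the one above is scan the entry lines for a handful of patterns: Run values that are bare file names, nameless BHOs loading from System32, a broken Winsock LSP chain, Winlogon Notify packages that are not part of Windows, and services with no vendor whose binary is gone. The script below is an added example of that triage, written for this thread and not part of ebud's or Daemon's posts, nor of HijackThis itself. The sample lines are copied from the log above plus a few known-clean entries; the Winlogon Notify allowlist and the severity labels are assumptions of mine.

```python
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [Name] command".
HJT_LINE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")

# Assumed starting allowlist of Winlogon Notify packages that ship with Windows 2000/XP;
# build the real one from a known-clean machine of the same build.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Constructed sample: entries copied from the log above plus a few known-clean ones.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [szr_32.exe] szr_32.exe
O4 - HKCU\..\Run: [glqfb] C:\WINNT\system32\kwflao.exe reg_run
O2 - BHO: (no name) - {0E55CC01-8113-487B-92F2-98C24D98A57F} - C:\WINNT\system32\ssqrstr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O23 - Service: Socks-Cap (Sc32Inch) - Unknown owner - C:\WINNT\Sc32Inch.exe (file missing)
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
"""

def parse_hjt(text):
    """Yield (section, body) for each HijackThis entry; headers and process lists are skipped."""
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            yield m.group("section"), m.group("body")

def _check(section, body):
    """Return (severity, reason) when an entry deserves a closer look, else None."""
    if section == "O4":
        m = re.match(r".*?: \[(?P<name>[^\]]+)\] (?P<cmd>.*)", body)
        if not m:                      # Startup-folder .lnk entries have no [Name]
            return None
        name, cmd = m.group("name"), m.group("cmd").strip()
        if "\\" not in cmd:
            return "medium", "Run value is a bare file name resolved through the search path"
        if re.fullmatch(r"[b-df-hj-np-tv-z]{4,}", name.lower()):
            return "low", "vowel-less value name, a weak sign of a generated name"
        return None
    if section == "O2":
        m = re.match(r"BHO: (?P<title>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)", body)
        if m and m.group("title") == "(no name)":
            path = m.group("path").lower()
            if "\\system32\\" in path or "(file missing)" in path:
                return "high", "nameless BHO loading from System32 or from a file that is gone"
        return None
    if section == "O10":
        return "high", "Winsock LSP chain is broken; repair the chain rather than deleting entries"
    if section == "O20":
        m = re.match(r"Winlogon Notify: (?P<pkg>\S+) - ", body)
        if m and m.group("pkg").lower() not in KNOWN_NOTIFY:
            return "high", "Winlogon Notify package outside the known-good set"
        return None
    if section == "O23" and "Unknown owner" in body and "(file missing)" in body:
        return "medium", "service with no vendor string whose binary is gone"
    return None

def triage(text):
    """Run every heuristic over a log; return the flagged entries, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for section, body in parse_hjt(text):
        hit = _check(section, body)
        if hit:
            severity, reason = hit
            findings.append({"section": section, "severity": severity,
                             "reason": reason, "entry": f"{section} - {body}"})
    findings.sort(key=lambda f: order[f["severity"]])   # stable sort keeps log order within a level
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['entry']}\n         {f['reason']}")
```

The heuristics are deliberately blunt: the "bare file name" rule fires on Microsoft's own mobsync.exe entry just as it does on szr_32.exe, and the vowel-less rule is only a nudge. The value is in ordering the list so that a reviewer reads the O10, O20 and System32 BHO lines first and decides the rest by hand.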


#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:04:50 AM

Posted 30 November 2006 - 04:07 AM

Download and run Silent Runners.vbs from HERE

It generates a log; please post the information back in this thread.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 ebud

ebud
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Location:North Van
  • Local time:10:50 PM

Posted 30 November 2006 - 11:22 AM

As requested....

"Silent Runners.vbs", revision 49, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"{5CE964A6-02B9-1033-0326-010907200001}" = ""C:\Program Files\Common Files\{5CE964A6-02B9-1033-0326-010907200001}\Update.exe" mc-110-12-0000272" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"IgfxTray" = "C:\WINNT\system32\igfxtray.exe" ["Intel Corporation"]
"HotKeysCmds" = "C:\WINNT\system32\hkcmd.exe" ["Intel Corporation"]
"NeroCheck" = "C:\WINNT\system32\\NeroCheck.exe" ["Ahead Software Gmbh"]
"shawnotify" = "c:\progra~1\shaw\update\updateloader.exe /notify" ["Shaw Cablesystems"]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"F-Secure Manager" = ""C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash" ["F-Secure Corporation"]
"F-Secure TNB" = ""C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW" ["F-Secure Corporation"]
"F-Secure Startup Wizard" = ""C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot" ["F-Secure Corporation"]
"News Service" = ""C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"" ["F-Secure Corporation"]
"EPSON Stylus CX4200 Series" = "C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"" ["SEIKO EPSON CORPORATION"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{0E55CC01-8113-487B-92F2-98C24D98A57F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\ssqrstr.dll" [null data]
{1CF03232-4A32-BB98-6BAA-0389B1DDF7A5}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\nztnuok.dll" [null data]
{1DC2F1BE-9C2C-4BB9-22DE-065804D10C2B}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\lzkbekm.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{73364D99-1240-4dff-B12A-67E448373148}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\ipv6mons.dll" [null data]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{8F1049CD-3DA1-4305-83B7-C28488BC2DAA}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\xxwvs.dll" [null data]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Google Toolbar Helper"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar4.dll" ["Google Inc."]
{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}\(Default) = (no title provided)
-> {HKLM...CLSID} = "MSN Search Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll" [MS]
{E148F3F8-2BBB-4CFE-B99B-DFB15A23DA7A}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\ComPlus Applications\mecor.dll" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{13E7F612-F261-4391-BEA2-39DF4F3FA311}" = "Windows Desktop Search"
-> {HKLM...CLSID} = "Windows Desktop Search"
\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\EXT\02.05.0001.1119\en-us\msnlExt.dll" [MS]
"{97090E2F-3062-4459-855B-014F0D3CDBB1}" = "MSN Deskbar"
-> {HKLM...CLSID} = "MSN Search Deskbar"
\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\DB\02.05.0000.1082\en-us\deskbar.dll" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{0E55CC01-8113-487B-92F2-98C24D98A57F}" = "***Y**A****" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\ssqrstr.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> rpcc\DLLName = "C:\WINNT\system32\rpcc.dll" [null data]
<<!>> rpccd\DLLName = "C:\WINNT\system32\rpccd.dll" [null data]
<<!>> ssqrstr\DLLName = "ssqrstr.dll" [null data]
<<!>> winyme32\DLLName = "winyme32.dll" [null data]
<<!>> xxwvs\DLLName = "C:\WINNT\system32\xxwvs.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
<<!>> text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Default executables:
--------------------

HKCU\Software\Classes\.bat\(Default) = (value not set)

HKCU\Software\Classes\.cmd\(Default) = (value not set)

HKCU\Software\Classes\.com\(Default) = (value not set)

HKCU\Software\Classes\.exe\(Default) = (value not set)

HKCU\Software\Classes\.hta\(Default) = (value not set)


Group Policies {GPedit.msc branch and setting}:
-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{User Configuration|Administrative Templates|System|
Disable registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|
Shutdown: Allow system to be shut down without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "igeorge" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\igeorge\Start Menu\Programs\Startup
"HotSync Manager" -> shortcut to: "C:\Palm\HOTSYNC.EXE" ["Palm, Inc."]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Shaw Secure" -> shortcut to: "C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe -startup" ["BackWeb Technologies Inc. "]


Enabled Scheduled Tasks:
------------------------

"Scheduled scanning task" -> launches: "C:\PROGRA~1\SHAWSE~1\ANTI-V~1\fsav.exe /HARD /ARCHIVE /DISINF /SCHED /NOBREAK /REPORT=C:\PROGRA~1\SHAWSE~1\ANTI-V~1\report.txt" ["F-Secure Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
winsflt.dll [empty string], 01 - 05, 17
%SystemRoot%\system32\msafd.dll [MS], 06 - 08, 11 - 16
%SystemRoot%\system32\rsvpsp.dll [MS], 09 - 10


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar4.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "MSN Search Toolbar"
\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll" [MS]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {HKLM...CLSID} = "&Google"
\InProcServer32\(Default) = "c:\program files\google\googletoolbar4.dll" ["Google Inc."]
"{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"
-> {HKLM...CLSID} = "MSN Search Toolbar"
\InProcServer32\(Default) = "C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll" [MS]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{2851F27F-AFC5-45A9-8ED3-D6587D65F348}\
"ButtonText" = "Shaw Help"
"Exec" = "http://support.shaw.home.com" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{200DB664-75B5-47C0-8B45-A44ACCF73C00}\
"ButtonText" = "Web Filter"
"CLSIDExtension" = "{D68926FD-18FD-4B0E-A1C7-917D13FAB760}"
-> {HKLM...CLSID} = "F-Secure Parental Control COM button"
\InProcServer32\(Default) = "C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll" ["F-Secure Corporation"]

{200DB664-75B5-47C0-8B45-A44ACCF73F01}\
"MenuText" = "Web Filter"
"CLSIDExtension" = "{D68926FD-18FD-4B0E-A1C7-917D13FAB760}"
-> {HKLM...CLSID} = "F-Secure Parental Control COM button"
\InProcServer32\(Default) = "C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll" ["F-Secure Corporation"]

{300DB664-75B5-47C0-8B45-A44ACCF73C00}\
"ButtonText" = "IE Shield"
"MenuText" = "IE Shield..."
"CLSIDExtension" = "{0928F506-07E8-470c-979D-147C296D4879}"
-> {HKLM...CLSID} = "F-Secure IE Shield COM button"
\InProcServer32\(Default) = "C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll" ["F-Secure Corporation"]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://home.excite.ca

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Shaw Secure, BackWeb Plug-in - 3875767, "C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE" ["BackWeb Technologies Inc. "]


----------
<<!>>: Suspicious data at a malware launch point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 73 seconds, including 12 seconds for message boxes)
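Silent Runners does two things that make its log easier to machine-read than a HijackThis log: it prefixes entries it considers suspicious with <<!>> and it prints, in brackets after every file, either the company name from the file's version resource or a stand-in such as [null data], [empty string] or [file not found]. The parser below is an added example for this thread, not part of Silent Runners or of ebud's post; it extracts every launch point that names a file, carries the owning CLSID down to its \InProcServer32 line, and lists the ones that are flagged or have no usable company name. The sample is a few blocks copied from the log above; the wording of the reasons is mine.

```python
import re

FLAG = "<<!>>"
# Silent Runners prints the file's company name in brackets; these stand-ins mean
# the file has no version resource, a blank company field, or is missing from disk.
ANNOTATION_MEANING = {
    "null data": "no version information in the file",
    "empty string": "version information present but the company field is blank",
    "file not found": "stale reference, the file is not on disk",
}
ENTRY = re.compile(r'^(?P<name>.+?) = "(?P<value>.*)" \[(?P<ann>[^\]]+)\]$')

# Constructed sample: a few blocks copied from the Silent Runners log above.
SAMPLE = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"IgfxTray" = "C:\WINNT\system32\igfxtray.exe" ["Intel Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "AcroIEHlprObj Class"
\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{0E55CC01-8113-487B-92F2-98C24D98A57F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\ssqrstr.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{0E55CC01-8113-487B-92F2-98C24D98A57F}" = "***Y**A****" (unwritable string)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\WINNT\system32\ssqrstr.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> rpcc\DLLName = "C:\WINNT\system32\rpcc.dll" [null data]
<<!>> ssqrstr\DLLName = "ssqrstr.dll" [null data]
"""

def parse_silent_runners(text):
    """Return one record per launch point that names a file: key, item, path, annotation, flagged."""
    records, key, owner, owner_flagged = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("->"):          # blank lines and CLSID title lines
            continue
        flagged = line.startswith(FLAG)
        core = line[len(FLAG):].strip() if flagged else line
        if core.startswith("HK") and " = " not in core:   # registry key header
            key = core.replace(" {++}", "").rstrip("\\")
            owner, owner_flagged = None, False
            continue
        if key is None:
            continue
        if core.startswith("\\InProcServer32"):
            item = owner                               # the DLL line belongs to the CLSID before it
        else:
            owner = core.split(" = ")[0].strip('"').split("\\")[0]
            owner_flagged = flagged
            item = owner
        m = ENTRY.match(core)
        if m:
            records.append({"key": key, "item": item, "path": m.group("value"),
                            "annotation": m.group("ann").strip('"'),
                            "flagged": flagged or owner_flagged})
    return records

def suspicious(records):
    """Records Silent Runners marked with <<!>> or whose file carries no usable company name."""
    out = []
    for r in records:
        reason = ANNOTATION_MEANING.get(r["annotation"])
        if r["flagged"]:
            reason = "marked <<!>> by Silent Runners" + (f"; {reason}" if reason else "")
        if reason:
            out.append(dict(r, reason=reason))
    return out

if __name__ == "__main__":
    for r in suspicious(parse_silent_runners(SAMPLE)):
        print(f"{r['key'].split(chr(92))[-1]:>20}  {r['item']:<40} {r['path']}\n{'':>22}{r['reason']}")
```

Note that [empty string] is a weaker signal than [null data]: the Acrobat helper in the sample has version information with a blank company field, which legitimate software of that era sometimes shipped, whereas the three System32 DLLs have no version resource at all and sit in Winlogon Notify and ShellExecuteHooks, which is why Silent Runners flags them.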

#4 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:04:50 AM

Posted 30 November 2006 - 12:49 PM

OK, good. Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

#5 ebud

ebud
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Location:North Van
  • Local time:10:50 PM

Posted 30 November 2006 - 02:56 PM

Ok that is done...

I did get an error on the remove step and reboot prompt... an alert message saying
"Cannot import c:\winnt\vundofix.reg; Error opening file file. There maybe a disk or file system error."

Here is the log after re-boot ( vundo didn't re-run on startup ):


VundoFix V6.2.13

Checking Java version...

Java version is 1.5.0.6

Scan started at 11:32:42 AM 11/30/2006

Listing files found while scanning....

C:\WINNT\system32\vvqtnzd.dll
C:\WINNT\system32\winyme32.dll
C:\WINNT\system32\xxwvs.dll
C:\WINNT\system32\svwxx.ini
C:\WINNT\system32\svwxx.bak1
C:\WINNT\system32\svwxx.bak2
C:\WINNT\system32\svwxx.ini2
C:\WINNT\system32\svwxx.tmp
C:\WINNT\system32\xxwvs.dll
C:\WINNT\system32\svwxx.ini
C:\WINNT\system32\svwxx.bak1
C:\WINNT\system32\svwxx.bak2
C:\WINNT\system32\svwxx.ini2
C:\WINNT\system32\svwxx.tmp
C:\WINNT\system32\svwxx.ini
C:\WINNT\system32\svwxx.bak1
C:\WINNT\system32\svwxx.bak2
C:\WINNT\system32\svwxx.ini2
C:\WINNT\system32\svwxx.tmp

Beginning removal...

Attempting to delete C:\WINNT\system32\vvqtnzd.dll
C:\WINNT\system32\vvqtnzd.dll Has been deleted!

Attempting to delete C:\WINNT\system32\winyme32.dll
C:\WINNT\system32\winyme32.dll Has been deleted!

Attempting to delete C:\WINNT\system32\xxwvs.dll
C:\WINNT\system32\xxwvs.dll Has been deleted!

Attempting to delete C:\WINNT\system32\svwxx.ini
C:\WINNT\system32\svwxx.ini Has been deleted!

Attempting to delete C:\WINNT\system32\svwxx.bak1
C:\WINNT\system32\svwxx.bak1 Has been deleted!

Attempting to delete C:\WINNT\system32\svwxx.bak2
C:\WINNT\system32\svwxx.bak2 Has been deleted!

Attempting to delete C:\WINNT\system32\svwxx.ini2
C:\WINNT\system32\svwxx.ini2 Has been deleted!

Attempting to delete C:\WINNT\system32\svwxx.tmp
C:\WINNT\system32\svwxx.tmp Has been deleted!

Performing Repairs to the registry.
Done!

#6 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:04:50 AM

Posted 30 November 2006 - 02:59 PM

And the new HJT log....

#7 ebud

ebud
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Location:North Van
  • Local time:10:50 PM

Posted 30 November 2006 - 03:17 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:08:26 PM, on 11/30/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{5CE964A6-02B9-1033-0326-010907200001}\Update.exe
C:\Palm\HOTSYNC.EXE
C:\Highjackthis\HijackThis.exe
C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0E55CC01-8113-487B-92F2-98C24D98A57F} - C:\WINNT\system32\ssqrstr.dll
O2 - BHO: (no name) - {1CF03232-4A32-BB98-6BAA-0389B1DDF7A5} - C:\WINNT\system32\nztnuok.dll
O2 - BHO: (no name) - {1DC2F1BE-9C2C-4BB9-22DE-065804D10C2B} - C:\WINNT\system32\lzkbekm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - C:\WINNT\system32\ipv6mons.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8F1049CD-3DA1-4305-83B7-C28488BC2DAA} - C:\WINNT\system32\xxwvs.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: (no name) - {E148F3F8-2BBB-4CFE-B99B-DFB15A23DA7A} - C:\Program Files\ComPlus Applications\mecor.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Shaw Help - {2851F27F-AFC5-45A9-8ED3-D6587D65F348} - http://support.shaw.home.com (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.ca
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: rpccd - C:\WINNT\system32\rpccd.dll
O20 - Winlogon Notify: ssqrstr - C:\WINNT\SYSTEM32\ssqrstr.dll
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSPC\fshttps\fshttps.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINNT\system32\rpcsvc.exe (file missing)
O23 - Service: Socks-Cap (Sc32Inch) - Unknown owner - C:\WINNT\Sc32Inch.exe (file missing)
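Daemon's "still quite a lot in there" is the result of comparing this log with the first one: which entries VundoFix removed, which survived, and which appeared only after the reboot. Below is an added example of that comparison, written for this thread and not part of either poster's material or of HijackThis; it case-folds each entry line so that SYSTEM32 and system32 compare equal and splits the later log into removed, new and persisting entries. The two samples are subsets of the first log and of the one just posted.

```python
import re

HJT_LINE = re.compile(r"^[RFNO]\d+ - .*$")

# Constructed samples: a subset of the first HijackThis log in this thread and of the
# one posted after VundoFix ran.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [szr_32.exe] szr_32.exe
O4 - HKCU\..\Run: [glqfb] C:\WINNT\system32\kwflao.exe reg_run
O23 - Service: ATIintergrated - Unknown owner - C:\WINNT\atigraphics.exe (file missing)
O23 - Service: Socks-Cap (Sc32Inch) - Unknown owner - C:\WINNT\Sc32Inch.exe (file missing)
"""

AFTER = r"""
O2 - BHO: (no name) - {0E55CC01-8113-487B-92F2-98C24D98A57F} - C:\WINNT\system32\ssqrstr.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: ssqrstr - C:\WINNT\SYSTEM32\ssqrstr.dll
O23 - Service: Socks-Cap (Sc32Inch) - Unknown owner - C:\WINNT\Sc32Inch.exe (file missing)
"""

def entries(text):
    """Map a case-folded form of each entry line to the line as written."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if HJT_LINE.match(line):
            out[line.lower()] = line      # SYSTEM32 and system32 are the same path
    return out

def diff_logs(before, after):
    """Split the later log's entries into removed, new and persisting relative to the earlier one."""
    b, a = entries(before), entries(after)
    return {
        "removed": [b[k] for k in sorted(b.keys() - a.keys())],
        "new": [a[k] for k in sorted(a.keys() - b.keys())],
        "persisting": [a[k] for k in sorted(a.keys() & b.keys())],
    }

def still_missing(after):
    """Entries in the later log that still reference a binary that is not on disk."""
    return [line for line in entries(after).values() if "(file missing)" in line]

if __name__ == "__main__":
    result = diff_logs(BEFORE, AFTER)
    for bucket in ("removed", "new", "persisting"):
        print(f"== {bucket} ({len(result[bucket])})")
        for line in result[bucket]:
            print("  ", line)
    print("== still referencing missing files:", len(still_missing(AFTER)))
```

The "new" bucket is the one to read first: launch points that were not in the earlier log (here the ssqrstr BHO and the Winlogon Notify packages) mean either the first scan did not list them or the infection re-seeded itself at reboot, and either way the cleanup is not finished. The "persisting" bucket mixes legitimate entries with leftovers, so it still needs a human eye.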

#8 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:04:50 AM

Posted 30 November 2006 - 03:53 PM

Still quite a lot in there. Please download SUPERAntiSpyware Home Edition (free version)
  • Install it and double-click the icon on your desktop to run it.
  • It will ask if you want to update the program definitions, click Yes.
  • Under Configuration and Preferences, click the Preferences button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  • On the main screen, under Scan for Harmful Software click Scan your computer.
  • On the left check C:\Fixed Drive.
  • On the right, under Complete Scan, choose Perform Complete Scan.
  • Click Next to start the scan. Please be patient while it scans your computer.
  • After the scan is complete a summary box will appear. Click OK.
  • Make sure everything in the white box has a check next to it, then click Next.
  • It will quarantine what it found and if it asks if you want to reboot, click Yes.
  • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  • Click close and close again to exit the program.
  • Please paste that information here for me with a new HijackThis log.


#9 ebud

ebud
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Location:North Van
  • Local time:10:50 PM

Posted 30 November 2006 - 06:44 PM

Done...

SUPERAntiSpyware Scan Log
Generated 11/30/2006 at 01:51 PM

Application Version : 3.3.1020

Core Rules Database Version : 3107
Trace Rules Database Version: 1133

Scan type : Complete Scan
Total Scan Time : 00:37:44

Memory items scanned : 280
Memory threats detected : 1
Registry items scanned : 4304
Registry threats detected : 17
File items scanned : 21620
File threats detected : 26

Trojan.Downloader-DoneDU
C:\WINNT\SYSTEM32\LZKBEKM.DLL
C:\WINNT\SYSTEM32\LZKBEKM.DLL
C:\VUNDOFIX BACKUPS\VVQTNZD.DLL.BAD
C:\WINNT\SYSTEM32\EDDSUWI.DLL

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{659552AE-742A-4E79-A07A-D16C9CBBE2A1}
HKCR\CLSID\{659552AE-742A-4E79-A07A-D16C9CBBE2A1}
HKCR\CLSID\{659552AE-742A-4E79-A07A-D16C9CBBE2A1}\InprocServer32
HKCR\CLSID\{659552AE-742A-4E79-A07A-D16C9CBBE2A1}\InprocServer32#ThreadingModel
C:\WINNT\SYSTEM32\EFEFC.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{659552AE-742A-4E79-A07A-D16C9CBBE2A1}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\efefc

Adware.Tracking Cookie
C:\Documents and Settings\igeorge\Cookies\igeorge@indexstats[2].txt
C:\Documents and Settings\igeorge\Cookies\igeorge@2o7[2].txt
C:\Documents and Settings\igeorge\Cookies\igeorge@stats1.reliablestats[1].txt
C:\Documents and Settings\igeorge\Cookies\igeorge@perf.overture[1].txt
C:\Documents and Settings\igeorge\Cookies\igeorge@msnportal.112.2o7[1].txt
C:\Documents and Settings\igeorge\Cookies\igeorge@data2.perf.overture[1].txt
C:\Documents and Settings\igeorge\Cookies\igeorge@1067766890[1].txt

Unclassified.Unknown Origin
HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2240}
HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2240}\InProcServer32
HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304BB2240}\InProcServer32#ThreadingModel
HKCR\CLSID\{73364D99-1240-4DFF-B12A-67E448373148}
HKCR\CLSID\{73364D99-1240-4DFF-B12A-67E448373148}\InprocServer32
HKCR\CLSID\{73364D99-1240-4DFF-B12A-67E448373148}\InprocServer32#ThreadingModel
HKCR\CLSID\{73364D99-1240-4DFF-B12A-67E448373148}\InprocServer32#Enable Browser Extensions

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV

Adware.FullContext
C:\Program Files\PSDream\PSDream.exe
C:\Program Files\PSDream\Uninstall.exe
C:\Program Files\PSDream

Malware.SpywareBot
C:\Program Files\SpywareBot\HOSTS Backups\2006-11-28-1164758084_hosts
C:\Program Files\SpywareBot\HOSTS Backups
C:\Program Files\SpywareBot

Trojan.Freeprod
C:\DOCUMENTS AND SETTINGS\IGEORGE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\036D1504\WLZIP32[1].EXE
C:\WINNT\TEMP\WIN1485.TMP.EXE

Trojan.WinAntiSpyware/WinAntiVirus 2006
C:\DOCUMENTS AND SETTINGS\IGEORGE\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\DIIEDI6Q\WINANTIVIRUSPRO2006FREEINSTALL[1].CAB

Trojan.IBM/Shell
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\IBM00001.DLL
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\IBM00002.DLL

Adware.ToolBar888
C:\PROGRAM FILES\COMMON FILES\{3CE964A6-02B9-1033-0326-010907200001}\MYTOOLBAR.DLL

Trojan.Downloader-IPV6Mons
C:\WINNT\SYSTEM32\IPV6MONS.DLL

Worm.Rbot Variant
C:\WINNT\SYSTEM32\ISMINI.EXE

Trojan.Virtumonde
C:\WINNT\SYSTEM32\YBVHFIGP.DLL


----------------------- and HijackThis log ---------------------------

Logfile of HijackThis v1.99.1
Scan saved at 3:36:15 PM, on 11/30/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{5CE964A6-02B9-1033-0326-010907200001}\Update.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Palm\HOTSYNC.EXE
C:\WINNT\system32\svchost.exe
C:\Highjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CF03232-4A32-BB98-6BAA-0389B1DDF7A5} - C:\WINNT\system32\nztnuok.dll
O2 - BHO: (no name) - {1DC2F1BE-9C2C-4BB9-22DE-065804D10C2B} - C:\WINNT\system32\lzkbekm.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {659552AE-742A-4E79-A07A-D16C9CBBE2A1} - (no file)
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8F1049CD-3DA1-4305-83B7-C28488BC2DAA} - C:\WINNT\system32\xxwvs.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O2 - BHO: (no name) - {E148F3F8-2BBB-4CFE-B99B-DFB15A23DA7A} - C:\Program Files\ComPlus Applications\mecor.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Shaw Help - {2851F27F-AFC5-45A9-8ED3-D6587D65F348} - http://support.shaw.home.com (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.ca
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: rpccd - C:\WINNT\system32\rpccd.dll
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSPC\fshttps\fshttps.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINNT\system32\rpcsvc.exe (file missing)
O23 - Service: Socks-Cap (Sc32Inch) - Unknown owner - C:\WINNT\Sc32Inch.exe (file missing)

#10 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:04:50 AM

Posted 30 November 2006 - 06:56 PM

Click here to download Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. In the 'Full Path of File to Delete' box, copy and paste the following, clicking the red 'Delete File' button (red circle with a white X) after pasting each one:

C:\WINNT\system32\rpcc.dll
C:\WINNT\system32\rpccd.dll

Click 'Exit' when done.

Make sure that you have no browser windows open as this could prevent the fix from working properly. Open HijackThis, scan and when complete, remove the following entries by checking the box to the left and clicking 'fixed checked':

O2 - BHO: (no name) - {1CF03232-4A32-BB98-6BAA-0389B1DDF7A5} - C:\WINNT\system32\nztnuok.dll
O2 - BHO: (no name) - {1DC2F1BE-9C2C-4BB9-22DE-065804D10C2B} - C:\WINNT\system32\lzkbekm.dll (file missing)
O2 - BHO: (no name) - {659552AE-742A-4E79-A07A-D16C9CBBE2A1} - (no file)
O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - (no file)
O2 - BHO: (no name) - {8F1049CD-3DA1-4305-83B7-C28488BC2DAA} - C:\WINNT\system32\xxwvs.dll (file missing)
O2 - BHO: (no name) - {E148F3F8-2BBB-4CFE-B99B-DFB15A23DA7A} - C:\Program Files\ComPlus Applications\mecor.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O20 - Winlogon Notify: rpccd - C:\WINNT\system32\rpccd.dll
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)
O23 - Service: Socks-Cap (Sc32Inch) - Unknown owner - C:\WINNT\Sc32Inch.exe (file missing)


Exit HijackThis when done. Reboot, rescan with HijackThis and post a new log here.

#11 ebud

ebud
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Location:North Van
  • Local time:10:50 PM

Posted 30 November 2006 - 07:31 PM

Can't delete this one... I tried the delete on re-boot option and it's still there:

C:\WINNT\system32\rpccd.dll

#12 ebud

ebud
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Location:North Van
  • Local time:10:50 PM

Posted 30 November 2006 - 11:00 PM

I used a tool called GiPo@MoveOnBoot to delete the file in question... hope that is OK?

Double-checked in the file system after re-boot and they are both gone.


Here's a new HJT log ...

Logfile of HijackThis v1.99.1
Scan saved at 7:46:20 PM, on 11/30/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{5CE964A6-02B9-1033-0326-010907200001}\Update.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Palm\HOTSYNC.EXE
C:\Highjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Shaw Help - {2851F27F-AFC5-45A9-8ED3-D6587D65F348} - http://support.shaw.home.com (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.ca
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSPC\fshttps\fshttps.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINNT\system32\rpcsvc.exe (file missing)
O23 - Service: Socks-Cap (Sc32Inch) - Unknown owner - C:\WINNT\Sc32Inch.exe (file missing)

#13 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:04:50 AM

Posted 01 December 2006 - 02:37 AM

That's OK. Go to Start->Run and type Services.msc then hit Ok. Scroll down and find the service called "nvidGUIv". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok. Repeat for "Socks-Cap".

Close any open windows. Reboot, rescan and post a new HJT log.
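A triage script for the kinds of HijackThis entries Daemon picked out in posts #10 and #13, added here as an example and not code from the thread or from HijackThis. It assumes the v1.99.1 line format shown in the logs above and uses the editor's own heuristics; the sample lines are copied from the posted logs.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not the thread's code).

Parses O2 / O20 / O23 entries, flags the patterns acted on in posts #10 and #13
(unnamed BHOs with no backing file, Winlogon Notify DLLs sitting bare in system32,
unowned services whose binary is missing) and diffs two logs to confirm a fix took.
The heuristics are the editor's own and are hints for review, not verdicts.
"""
import re
from dataclasses import dataclass
from typing import Optional

ENTRY_RE = re.compile(r"^(O2|O20|O23)\s+-\s+(.*)$")

@dataclass(frozen=True)
class Entry:
    kind: str  # "O2", "O20" or "O23"
    body: str  # everything after "Oxx - "

def parse_log(text: str) -> list:
    """Return the O2/O20/O23 entries of a HijackThis log, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries

def triage(entry: Entry) -> Optional[str]:
    """Reason an entry deserves a look, or None if nothing stands out."""
    b = entry.body
    if entry.kind == "O2":
        # A BHO with no class name and no DLL on disk is a leftover registration;
        # one whose DLL exists still needs a manual check (Spybot's SDHelper.dll
        # shows up unnamed in the logs above and is legitimate).
        if "(no name)" in b and ("(no file)" in b or "(file missing)" in b):
            return "unnamed BHO with missing file"
        if "(no name)" in b:
            return "unnamed BHO, check the DLL"
    elif entry.kind == "O20":
        # Winlogon Notify DLLs load at every logon; a bare DLL in system32 with
        # no vendor folder is worth verifying (heuristic, as with rpcc/rpccd).
        path = b.split(" - ", 1)[-1]
        if re.search(r"\\system32\\[^\\]+\.dll$", path, re.IGNORECASE):
            return "Winlogon Notify DLL in system32, verify publisher"
    elif entry.kind == "O23":
        if "Unknown owner" in b and "(file missing)" in b:
            return "unowned service whose binary is missing"
    return None

def flagged(text: str) -> list:
    """(entry line, reason) pairs for every entry triage() flags."""
    return [(f"{e.kind} - {e.body}", r) for e in parse_log(text) if (r := triage(e))]

def removed_between(before: str, after: str) -> list:
    """Entry lines present in the earlier log and gone from the later one."""
    later = set(parse_log(after))
    return [f"{e.kind} - {e.body}" for e in parse_log(before) if e not in later]

# Constructed subsets of the logs in posts #9 (BEFORE) and #12 (AFTER) above.
BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1CF03232-4A32-BB98-6BAA-0389B1DDF7A5} - C:\WINNT\system32\nztnuok.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {659552AE-742A-4E79-A07A-D16C9CBBE2A1} - (no file)
O2 - BHO: (no name) - {8F1049CD-3DA1-4305-83B7-C28488BC2DAA} - C:\WINNT\system32\xxwvs.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rpcc - C:\WINNT\system32\rpcc.dll
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)
"""

AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: nvidGUIv (nvidGUIv2) - Unknown owner - C:\WINNT\nvidGUIv.exe (file missing)
"""

if __name__ == "__main__":
    for line, reason in flagged(BEFORE):
        print(f"[{reason}] {line}")
    print("removed by the fix:", *removed_between(BEFORE, AFTER), sep="\n  ")
    print("still to deal with:", *[l for l, _ in flagged(AFTER)], sep="\n  ")
```

The remaining flagged entry in AFTER is the orphaned nvidGUIv service, which is exactly what post #13 went on to disable through Services.msc.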

#14 ebud

ebud
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Location:North Van
  • Local time:10:50 PM

Posted 01 December 2006 - 09:40 AM

Logfile of HijackThis v1.99.1
Scan saved at 6:30:40 AM, on 12/1/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\igfxtray.exe
C:\WINNT\system32\hkcmd.exe
C:\progra~1\shaw\update\updateloader.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Shaw Secure\Common\FSM32.EXE
C:\Program Files\Shaw Secure\TNB\TNBUtil.exe
C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE
C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{5CE964A6-02B9-1033-0326-010907200001}\Update.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Palm\HOTSYNC.EXE
c:\temp\Shaw\shawupdate.exe
C:\Highjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: MSN Search Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0001.1119\en-us\msntb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Shaw Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Shaw Secure\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [F-Secure Startup Wizard] "C:\Program Files\Shaw Secure\FSGUI\FSSW.EXE" /reboot
O4 - HKLM\..\Run: [News Service] "C:\Program Files\Shaw Secure\FSGUI\ispnews.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINNT\system32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Shaw Secure.lnk = C:\Program Files\Shaw Secure\backweb\3875767\Program\fspex.exe
O8 - Extra context menu item: &Block this popup - C:\Program Files\Shaw Secure\Anti-Spyware\blockpopups.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Web Filter - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\Shaw Secure\FSPC\fspcmsie.dll
O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\Shaw Secure\Anti-Spyware\ieshield.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Shaw Help - {2851F27F-AFC5-45A9-8ED3-D6587D65F348} - http://support.shaw.home.com (file missing) (HKCU)
O10 - Broken Internet access because of LSP provider 'winsflt.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://home.excite.ca
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Shaw Secure (BackWeb Plug-in - 3875767) - BackWeb Technologies Inc. - C:\PROGRA~1\SHAWSE~1\backweb\3875767\Program\SERVIC~1.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: F-Secure HTTP Server (fshttps) - F-Secure Corporation - C:\Program Files\Shaw Secure\FSPC\fshttps\fshttps.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Windows Remote Procedure Call Monitoring Service (rpcsvc) - Unknown owner - C:\WINNT\system32\rpcsvc.exe (file missing)

#15 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:04:50 AM

Posted 01 December 2006 - 10:30 AM

Looks good - how is it running now?