
Adware.purityscan


6 replies to this topic

#1 jhroepke

jhroepke

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:34 AM

Posted 31 January 2007 - 12:54 PM

I am using Norton Antivirus 10.0 and have received notification that there is a threat.
I have run a HijackThis scan... here is the log file. PLEASE HELP!

Logfile of HijackThis v1.99.1
Scan saved at 12:52:01 PM, on 1/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Apoint\HidFind.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\GORDC~2.AAT\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://securityresponse.symantec.com/avcen...?vid=4294906363
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07E27795-B208-CDDD-235B-BBCE66EFB5C9} - C:\WINDOWS\system32\euljed.dll (file missing)
O2 - BHO: (no name) - {10ABCDF0-5237-27E1-42C3-55A05CF6F2BB} - C:\WINDOWS\system32\nbfjcy.dll (file missing)
O2 - BHO: (no name) - {26022BD4-E614-C1CB-3FE6-B04EDEF2CBC0} - C:\WINDOWS\system32\qkljjqjs.dll (file missing)
O2 - BHO: (no name) - {2E31DB3B-43FE-362B-DE9B-45D19B6AC5EB} - C:\WINDOWS\system32\kwyhchja.dll (file missing)
O2 - BHO: (no name) - {5EC35485-9F1E-BFC7-6505-9C3C6520E3E8} - C:\WINDOWS\system32\hoxufpgq.dll (file missing)
O2 - BHO: (no name) - {9177CA24-0DEC-753E-CBFB-5650D3F42CBC} - C:\WINDOWS\system32\scvfsks.dll (file missing)
O2 - BHO: (no name) - {B7CAA0A6-3164-48B7-1767-6F5333FB56B0} - C:\WINDOWS\system32\lreybl.dll (file missing)
O2 - BHO: (no name) - {D6DD74C0-BA5A-94D7-7153-E95B232060B6} - C:\WINDOWS\system32\whroczcd.dll (file missing)
O2 - BHO: (no name) - {E51CD42E-1BB7-363D-CDD0-438192C6589C} - C:\WINDOWS\system32\ikookal.dll (file missing)
O2 - BHO: (no name) - {EFAD7F42-E1D4-C250-F5F4-E3CB5AC509BC} - C:\WINDOWS\system32\jtbbyfdw.dll (file missing)
O2 - BHO: (no name) - {FF0D5399-9901-EADE-7840-98ECA8ED1AE5} - C:\WINDOWS\system32\beays.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SysEntry] Uint32.exe
O4 - HKLM\..\Run: [dmesr.exe] C:\WINDOWS\system32\dmesr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169816593861
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aatel.com
O17 - HKLM\Software\..\Telephony: DomainName = aatel.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{518A8739-65F7-4C1D-B65C-F3891BFA1058}: NameServer = 85.255.113.149,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB40318A-F2E3-4714-AAD4-3629F3925275}: NameServer = 85.255.113.149,85.255.112.7
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = aatel.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{518A8739-65F7-4C1D-B65C-F3891BFA1058}: NameServer = 85.255.113.149,85.255.112.7
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = aatel.com
O17 - HKLM\System\CS3\Services\Tcpip\..\{518A8739-65F7-4C1D-B65C-F3891BFA1058}: NameServer = 85.255.113.149,85.255.112.7
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = aatel.com
O17 - HKLM\System\CS4\Services\Tcpip\..\{518A8739-65F7-4C1D-B65C-F3891BFA1058}: NameServer = 85.255.113.149,85.255.112.7
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
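A small triage script for HijackThis log lines, added here as an illustration and not part of the thread or of the HijackThis tool itself: it flags O2 BHO entries whose DLL is missing, O4 Run values that are a bare file name, and O17 NameServer addresses that differ from an expected resolver list. The sample lines are taken from the first log above; the expected resolver 192.0.2.53 is a constructed placeholder.

```python
import re
from typing import List, Tuple

# Sample lines taken from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {07E27795-B208-CDDD-235B-BBCE66EFB5C9} - C:\WINDOWS\system32\euljed.dll (file missing)
O4 - HKLM\..\Run: [SysEntry] Uint32.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{518A8739-65F7-4C1D-B65C-F3891BFA1058}: NameServer = 85.255.113.149,85.255.112.7
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""

# Every HijackThis entry starts with a section tag (R0/R1, O2, O4, O17, ...) and " - ".
LINE_RE = re.compile(r"^(?P<tag>[RO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section tag, body) pairs; lines that are not HJT entries are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("tag"), m.group("body")))
    return out


def triage(text: str, expected_dns: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings a log reviewer should look at.
    expected_dns: the resolvers this machine is supposed to use (assumed input)."""
    findings = []
    for tag, body in parse_hjt(text):
        if tag == "O2" and body.endswith("(file missing)"):
            # BHO CLSID still registered in IE but its DLL is gone: leftover of a
            # partially removed add-on; the registration itself should be cleaned.
            clsid = CLSID_RE.search(body)
            findings.append(("O2-missing-bho", clsid.group(0) if clsid else body))
        elif tag == "O4":
            # Run value whose target is a bare file name (no directory, no quotes):
            # it is resolved via the search path, so confirm where it really lives.
            target = body.split("] ", 1)[-1]
            if "\\" not in target and not target.startswith('"'):
                findings.append(("O4-bare-filename", target))
        elif tag == "O17" and "NameServer" in body:
            # Per-adapter DNS override in the registry: compare against the resolvers
            # the network is known to use rather than trusting the entry.
            unexpected = [ip for ip in IPV4_RE.findall(body) if ip not in expected_dns]
            if unexpected:
                findings.append(("O17-unexpected-dns", ",".join(unexpected)))
    return findings


def removed_entries(old_log: str, new_log: str) -> List[str]:
    """Entries present in an earlier log but absent from a later one (what a fix removed)."""
    new_set = set(parse_hjt(new_log))
    return [f"{t} - {b}" for t, b in parse_hjt(old_log) if (t, b) not in new_set]


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG, expected_dns=["192.0.2.53"]):
        print(f"{rule:22} {detail}")
```

Running `removed_entries` over the two logs in this thread lists exactly the entries the poster fixed between the first and second scan.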


#2 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:34 AM

Posted 31 January 2007 - 05:45 PM

Hi, I would like to take a look at this log for you
and will get back to you as soon as I can.

Thank You.

#3 jhroepke

jhroepke
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:34 AM

Posted 01 February 2007 - 08:44 AM

I have run fixwareout.exe; here is the report from it.

Fixwareout
Last edited 1/27/2007
Post this report in the forums please
...
Prerun check
HKLM run and Winlogon System values
C:\WINDOWS\system32\cstnj.exe will be moved to C:\WINDOWS\temp\cstnj.ren at reboot.
System restarted
...
Reg Entries that were deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "xedocne"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "repiwoh"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "23plhps"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "mgcppp"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "tesvaf"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "golmedi"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "32refaselif"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "rsemd"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "xedocne"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "gib_ogol"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "repiwoh"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "llun"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "23plhps"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "mgcppp"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "tesvaf"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "golmedi"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "32refaselif"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "putesprpgd"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "dpid"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion "pid"
...
Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

Searching by size/names...


Search five digit cs, dm kd and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSYDS.EXE 51,200 2005-12-29

Other suspects.

Misc files.

Checking for older varients covered by the Rem3 tool.

Postrun check
HKLM run
Winlogon System value
"system"=""



Current runs

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /installquiet"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"bascstray"="BascsTray.exe"
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

#4 jhroepke

jhroepke
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:34 AM

Posted 01 February 2007 - 08:52 AM

I have fixed some of the errors from the HijackThis application. I have run it again; here is the log file.

Logfile of HijackThis v1.99.1
Scan saved at 8:23:08 AM, on 2/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\basfipm.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\DOCUME~1\GORDC~2.AAT\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://securityresponse.symantec.com/avcen...?vid=4294906363
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1169816593861
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = aatel.com
O17 - HKLM\Software\..\Telephony: DomainName = aatel.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = aatel.com
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: Domain = aatel.com
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

#5 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:34 AM

Posted 01 February 2007 - 02:02 PM

Hello jhroepke :thumbsup:

Please Copy and Paste this post into a new text document or print it for reference

Step 1

You must place HijackThis into its own folder.
If we ever need to restore any item, this folder will safely store all entries
and enable us to use the backup feature that HijackThis offers.

Create a New Folder HijackThis on the C: drive,

Open My Computer ( Windows key + E )
then double click on Local Disk (C:)
Now right click and select
New > Folder and name it HJT.

Please now move HijackThis.exe into the new HJT folder.
Do this BEFORE you proceed!

Step 2

Please Download AVG Anti-Spyware 7.5
http://www.ewido.net/en/download/

The program should launch automatically after installation. If not, double-click the desktop icon.

Deactivate the "Resident Shield" as this may prevent changes to the registry.
To do this, click "Change State" to the right of the Resident Shield option in the main window.
You will clearly see the status change to Inactive if you have done this correctly.

Now Update AVG Anti-Spyware 7.5
click the "Update" icon from the main menu.
Then click the "Start Update" button.
When you receive the "Update successful" prompt, close AVG AS.
Note: If you have any problems with the updater, you can Update AVG Anti-Spyware 7.5 Manually.
Do not Scan with this yet!

Please reboot your system into Safe Mode: shut down your system, then restart your computer.
As soon as it starts booting up again, continuously tap F8; from the menu, select the option to enter Safe Mode.

Click Start | Run and type cleanmgr in the run box
Checkmark these: Temporary Files | Temporary Internet Files | Recycle Bin
Click OK to start the cleanup and wait for it to finish.

Open AVG Anti-Spyware 7.5 and click the "Scanner" icon from the main menu.
Click "Complete System Scan" to start scanning.
When the scan completes, click "Recommended action" beneath the results window and select "Quarantine".
Then click the "Apply all actions" button to quarantine everything detected.
Then click Save report > Save report as and save the Report-Scan.txt to your desktop.

Then Reboot back into Normal Mode

Please Re-Scan with Hijack This and post

1/ The new HijackThis log
2/ The AVG Anti-Spyware 7.5 Report-Scan.txt

Thank you.

#6 jhroepke

jhroepke
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:04:34 AM

Posted 01 February 2007 - 03:33 PM

I have resolved this issue.

I did a fullscan with Norton 10.0 and there isn't a threat anymore.

#7 ourwilly

ourwilly

  • Members
  • 921 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:34 AM

Posted 02 February 2007 - 10:52 AM

Hello jhroepke

Please note that there are some bad lines in the log. Are you still there?

ourwilly
