Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Need Help Finding Spyware On Next Door Computer


  • This topic is locked This topic is locked
10 replies to this topic

#1 Jeremy James

Jeremy James

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Local time:02:33 PM

Posted 28 February 2007 - 02:02 PM

I am working on a computer next door to my home, and that computer is on dialup. It is relatively new, but has become infected with much spyware/many programs that open automatically when the computer opens. Many popups.

What is a good program taht I can download here on my high speed connection and take over there to see what needs to be removed?

Also, I have been on some of these forums that people have run a program and it copied the entire registry, and then they would post the registry online and someone would tell them what would need to happen. If you give hte name of that program as well, I'll copy that registry and put it up here for y'all do discect.

Thanks.

Jeremy

Mod Edit: Topic moved to a more appropriate forum.

Edited by quietman7, 28 February 2007 - 03:22 PM.


BC AdBot (Login to Remove)

 


#2 ktreffin

ktreffin

  • Members
  • 60 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:FL, USA
  • Local time:04:33 PM

Posted 28 February 2007 - 02:30 PM

Have you tried Ad-Aware SE by Lavasoft? Might also want to check out Spy-Bot SD. This will help remove a lot of the spyware that might be there. My wife inadvertantly installed a program that secondarily installed a whole bunch of crap on her computer, I was able to run both of these programs in Safe-Mode and get rid of a bunch of it.

I believe the registry program that you are referring to is Highjackthis. Which can be found here:

http://www.spywareinfo.com/~merijn/programs.php

Another good resource that you might want to run is a Panda Active Scan which can be found here:

http://www.pandasoftware.com/activescan/cj/ascan_2.asp

Hopefully this will get you started. Good luck, Let us know how you make out..
Proud Graduate of Malware Removal University
Posted Image
Posted Image
Posted Image

#3 fozzie

fozzie

    aut viam inveniam aut faciam


  • Members
  • 3,516 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:09:33 PM

Posted 28 February 2007 - 02:48 PM

Very Important
If you are not experianced with HiJackThis please refrain from using this programm. It can do more harm than good. It requires specific knowledge on how to use this.



Jeremy, my suggestion would be as following :

Download from my sig :

Ad aware
Spybot Search and Destroy

Update these prgrams and run them
after that

Download and scan with SUPERAntiSypware Free for Home Users

* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Udates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
* When done, select "Scan for Harmful Software".
* There are three scanning options. Choose "Perform Complete Scan" and click "Next".
* When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
* Make sure they all have a checkmark next to them and click "Next".
* A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
* Click Preferences and then click the statistics/logs tab.
* Click the dated log and press View log. A text file will appear so you can see the results.
* Select close to exit the program.
* Scan in SAFE MODE
Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/

* Install AVG Anti-Spyware by double clicking the installer.
* Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
* On the main screen under Your Computer's security.
o Click on Change state next to Resident shield. It should now change to inactive.
o Click on Change state next to Automatic updates. It should now change to inactive.
o Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
o Wait until you see the Update succesfull message.
* Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
* Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Close ALL open Windows / Programs / Folders. Reboot in safe mode Please start AVG Anti-Spyware and run a full scan.

* Click on Scanner on the toolbar.
* Click on the Settings tab.
o Under How to act?
+ Click on Recommended Action and choose Quarantine from the popup menu.
o Under How to scan?
+ All checkboxes should be ticked.
o Under Possibly unwanted software:
+ All checkboxes should be ticked.
o Under Reports:
+ Select Automatically generate report after every scan and uncheck Only if threats were found.
o Under What to scan?
+ Select Scan every file.
* Click on the Scan tab.
* Click on Complete System Scan to start the scan process.
* Let the program scan the machine.
* When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
o Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
o At the bottom of the window click on the Apply all Actions button. (3)

Posted Image

* When done, click the Save Scan Report button. (4)
o Click the Save Report as button.
o Save the report to your Desktop.
* Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot in Normal Mode.

THan
* Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Under Browsing History, click "Delete".
* Click "Delete Files", "Delete cookies" and "Delete history"
* Click Close below.

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu..
* Click the Clear now button below.. A new window will popup what to clear.
* Select all and click the Clear button again.
* Click OK to close the Options window

* Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

If that does not clear up matters than please read and follow all instructions in the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". You may have performed some of these steps already. About half way down are instructions for downloading HijackThis and creating a log.

When you have done that, post a log in the HijackThis Logs and Analysis Forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. Please include the top portion of the HijackThis log that lists version information. An expert will analyze your log and reply with instructions advising you what to fix.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log here.

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

After you have run the cleanmanager, prior to go over the steps for HiJacktThis please post back how this computer is running now

Edited by fozzie, 28 February 2007 - 02:50 PM.


#4 Jeremy James

Jeremy James
  • Topic Starter

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Local time:02:33 PM

Posted 28 February 2007 - 03:13 PM

sorry..

ran hijackthis after reading yiour thread..

i have to go to work now, but will be back in a few hours.

thanks for your help!

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:33 PM

Posted 28 February 2007 - 03:21 PM

I have split your HJT log away from this thread and moved it into the HJT forum.

You can find it here: http://www.bleepingcomputer.com/forums/t/83139/need-help-finding-spyware-on-next-door-computer/

Now that your log is posted there, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files on your own, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show it the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and complicate the malware removal process.

Please be patient and wait for a response from an HJT Team member. It may take a while to get a response because team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. While waiting, please DO NOT make another reply to your log until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have no replies as this makes it easier for them to identify those who have not been helped. If you post another response, a team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#6 Master5270

Master5270

  • Members
  • 131 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where am I?
  • Local time:03:33 PM

Posted 28 February 2007 - 03:27 PM

:inlove: to :huh: Whoops i mean: Bleeping Computer! :flowers: As for your problem, the answer may be below. :thumbsup: Others can help too! :trumpet: Hopefully the Mal/spy/adware, or trojan wont make you do this -> :killcomputer:


Listen to fozzie, that person knows what their saying.

#7 Master5270

Master5270

  • Members
  • 131 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Where am I?
  • Local time:03:33 PM

Posted 28 February 2007 - 03:30 PM

Sorry for double post but i have 2 things to say,

1: fozzie, SUPERantispyware is spelled wrong, and ive just noticed this over a different post :thumbsup:



2: HOW DID YOUR FRIEND GET THAT COLLECTION OF FILES, LOL :flowers:

#8 Jeremy James

Jeremy James
  • Topic Starter

  • Members
  • 306 posts
  • OFFLINE
  •  
  • Local time:02:33 PM

Posted 01 March 2007 - 01:10 AM

I will post this reply in both forums.

Came home tongiht, and all I did was follow the instructions in the HJT thread.

First, here is the new, updated HJT logfile
HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 11:48:54 PM, on 2/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\VISION~1\OneTouchMon.exe
C:\WINDOWS\System32\c8d97391.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\psc_mon.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
C:\WINDOWS\System32\BMUpdate.exe
C:\Program Files\America Online 7.0e\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0EC4AA6D-85DA-BC0E-8018-05149C4CAC4E} - C:\WINDOWS\System32\qysbwmj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {593F150D-16E3-1759-50A4-01CF1D8CE6AA} - C:\WINDOWS\System32\wsnfjrm.dll
O2 - BHO: (no name) - {5DC8707F-7D4B-5624-B6A3-0349403B509C} - C:\WINDOWS\System32\hcpboh.dll
O2 - BHO: (no name) - {69A470B4-BE64-34E8-057C-012C1D3D0529} - C:\WINDOWS\System32\waszicg.dll
O2 - BHO: Plaxo - {81CA3009-6200-4a6d-93C6-F1E9A6821C7F} - C:\Program Files\Plaxo\IE Toolbar\1.0.0.11\plx_tlbr.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: hp toolkit - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\HP\EXPLOREBAR\HPTOOLKT.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Plaxo - {81CA3009-6200-4a6d-93C6-F1E9A6821C7F} - C:\Program Files\Plaxo\IE Toolbar\1.0.0.11\plx_tlbr.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTBar] C:\hp\bin\autotbar.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\OneTouchMon.exe
O4 - HKLM\..\Run: [c8d97391.exe] C:\WINDOWS\System32\c8d97391.exe
O4 - HKLM\..\Run: [xtvikem.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\xtvikem.dll,bwnmkjb
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [uveolcb.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\uveolcb.dll,sbaahee
O4 - HKLM\..\Run: [Personal Security Center Monitor] C:\WINDOWS\System32\psc_mon.exe
O4 - HKLM\..\Run: [wwnmzbi.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\wwnmzbi.dll,jabnone
O4 - HKLM\..\Run: [uwfpmkf.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\uwfpmkf.dll,loaytkg
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [BMUpdate] C:\WINDOWS\System32\BMUpdate.exe
O4 - HKCU\..\Run: [c8d97391.exe] C:\Documents and Settings\Owner\Local Settings\Application Data\c8d97391.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0e\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Event Reminder.lnk = ?
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab
O16 - DPF: {3889B933-8E75-74DE-0BC6-404F557E70FA} - http://85.255.115.229/1/gdnUS2312.exe
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photofinale.com/ImageUploader3/ImageUploader3.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: QuickBooks Database Manager Service (QBCFMonitorService) - - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


And, here is the FixwareOut log


Fixwareout Last edited 2/11/2007
Post this report in the forums please
...
»»»»»Prerun check

»»»»» System restarted

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other



»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"Share-to-Web Namespace Daemon"="c:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\Unload\\hpqcmon.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"StorageGuard"="\"C:\\Program Files\\VERITAS Software\\Update Manager\\sgtray.exe\" /r"
"AutoTBar"="C:\\hp\\bin\\autotbar.exe"
"WCOLOREAL"="\"C:\\Program Files\\Coloreal\\coloreal.exe\""
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"nwiz"="nwiz.exe /install"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ccRegVfy"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"OneTouch Monitor"="C:\\PROGRA~1\\VISION~1\\OneTouchMon.exe"
"c8d97391.exe"="C:\\WINDOWS\\System32\\c8d97391.exe"
"xtvikem.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\xtvikem.dll,bwnmkjb"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"WT GameChannel"="C:\\Program Files\\WildTangent\\Apps\\GameChannel.exe"
"uveolcb.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\uveolcb.dll,sbaahee"
"Personal Security Center Monitor"="C:\\WINDOWS\\System32\\psc_mon.exe"
"wwnmzbi.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\wwnmzbi.dll,jabnone"
"uwfpmkf.dll"="C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\uwfpmkf.dll,loaytkg"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"PPWebCap"="C:\\PROGRA~1\\ScanSoft\\PAPERP~1\\PPWebCap.exe"
"BMUpdate"="C:\\WINDOWS\\System32\\BMUpdate.exe"
"c8d97391.exe"="C:\\Documents and Settings\\Owner\\Local Settings\\Application Data\\c8d97391.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it

Thanks for all the help!

#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,963 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:33 PM

Posted 01 March 2007 - 01:57 AM

To keep things from getting confused, please post your HJT reponses only in your HJT thread. The folks in the HJT forum are specially trained in malware removal. At this point, please follow the directions of your HJT helper only; otherwise, you'll make his job more difficult. You're in good hands over there. :flowers:

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#10 fozzie

fozzie

    aut viam inveniam aut faciam


  • Members
  • 3,516 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:09:33 PM

Posted 01 March 2007 - 03:32 AM

You are being "handled " by RitchieUK on of the many "BC's finest " in the HJT forum

#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,490 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:33 PM

Posted 01 March 2007 - 08:28 AM

I will post this reply in both forums. Came home tongiht, and all I did was follow the instructions in the HJT thread.

Please refrain from asking for help from other members or staff while you are being instructed by a member of the HJT Team. Any modifications you make can result in system changes which may not show it the log you already posted. Further, following advice outside of that post may cause confusion for the team member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer. To avoid confusing, I am closing this thread.

Thanks for your cooperation.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users