Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Trojan.downloader.ruins Won't Go Away


  • This topic is locked This topic is locked
18 replies to this topic

#1 deadlili

deadlili

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:43 PM

Posted 21 March 2007 - 08:39 PM

Hi.. I hope you can help me.

I've run several anti-spyware programs and only Spyware Doctor (free version) finds this one and I don't know how to get rid of it.

Trojan.downloader.ruins (1 infection)
Registry Value
HKEY_LOCAL_MACHINE\SOFTWARE\Windows NT\Current Version\Winlogon, System


It previously found instances of 2 other trojans (trojan.dns.changer and trojan.popuper.downloader) but they seem to be gone now. Now I fear there may be other things I'm just not seeing.

On to the log...


Logfile of HijackThis v1.99.1
Scan saved at 9:15:42 PM, on 3/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: (no name) - {28AD9A12-6410-89F2-5462-0B2AF985089A} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPHUPD08] "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [driver64] Preliminary.exe
O4 - HKCU\..\Run: [pizda] sysmon12.exe
O4 - HKCU\..\Run: [MON76234] sysconf16.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.8.0.25/aces/aces-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.8.0.32/blac...kjack-en_US.cab
O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.8.0.25/casc...scade-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-6.8.0.25/bowl...wling-en_US.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.8.0.25/cana...nasta-en_US.cab
O16 - DPF: Checkers by pogo - http://game1.pogo.com/applet-6.7.3.30/chec...ckers-en_US.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.8.0.32/chec...dflag-en_US.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.7.5.28/supe...bingo-en_US.cab
O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-6.7.5.28/mhpo...poker-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.7.5.28/lott...ottso-en_US.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.7.5.21/mahj...hjong-en_US.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.8.0.25/peng...guins-en_US.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.7.5.21/flin...inger-en_US.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.8.0.32/popfu/popfu-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.7.5.28/popp...ppit2-en_US.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.7.5.21/hots...treak-en_US.cab
O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.8.0.25/ride/ride-en_US.cab
O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.7.5.21/puck/puck-en_US.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.8.0.32/spid...pider-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.8.0.32/swee...tooth-en_US.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.7.4.28/peaks/peaks-en_US.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.8.0.25/word...homp2-en_US.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



Thanks for any help you can give.

BC AdBot (Login to Remove)

 


#2 waterfalls

waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:43 PM

Posted 21 March 2007 - 09:18 PM

Hi -

Start HijackThis, click System Scan Only and place a checkmark next to the following items:
R3 - URLSearchHook: (no name) - {28AD9A12-6410-89F2-5462-0B2AF985089A} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [driver64] Preliminary.exe
O4 - HKCU\..\Run: [pizda] sysmon12.exe
O4 - HKCU\..\Run: [MON76234] sysconf16.exe


Close ALL browsers and open windows/programs leaving just HijackThis and click 'Fix Checked'.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

- Save it to your Desktop and run it. Click Next, then Install
- Make sure "Run fixit" is checked and click Finish
- The fix will begin; follow the prompts.
- You will be asked to reboot your computer; please do so.
- Your system may take longer than usual to load; this is normal.
- Once the Desktop loads, a text will open (report.txt) - please post this in your next reply.

Next, perform an online scan with Panda Online. Please use this scanner instead of any other scanner! You have to use Internet Explorer for this scan.
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component, allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the "See Report" button, then "Save Report" and save it to a convenient location.

Post back with report.txt, the log from Panda's scan and a new HijackThis log. Also, let me know how your computer is running now.
Take only memories, leave nothing but footprints.

Posted ImagePosted Image

#3 deadlili

deadlili
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:43 PM

Posted 21 March 2007 - 10:30 PM

Hi, Waterfalls -

Thanks for your help. I've done the fixwareout deal. I've attempted the panda online scan twice now. It crashed in the same place both times. It was pretty early in the scan. I saw a count of 3 for spyware and a count of 1 for hacking tools/rootkits. It shows the fixwareout report.txt as the file being scanned when it stalls... then, shortly after, the browser just closes.. poof.. gone.

Not sure what I should do.

#4 waterfalls

waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:43 PM

Posted 21 March 2007 - 11:40 PM

Please download Combofix from either one of the following websites:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- and save to the Desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Post back with the combofix.txt log and a new HijackThis log.
Take only memories, leave nothing but footprints.

Posted ImagePosted Image

#5 deadlili

deadlili
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:43 PM

Posted 22 March 2007 - 12:08 AM

Okay... while combofix was running, spyware doctor popped up multiple notices that it was blocking an application from accessing a file. Do I need to disable that?

Here's the log regardless..

"Michael" - 07-03-22 0:49:24 Service Pack 2
ComboFix 07-03-22 - Running from: "C:\Documents and Settings\Michael\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-02-22 to 2007-03-22 ))))))))))))))))))))))))))))))))))


2007-03-21 22:45 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-03-21 16:27 <DIR> d-------- C:\Program Files\a-squared Free
2007-03-21 12:14 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2007-03-21 12:14 <DIR> d-------- C:\Program Files\MSECACHE
2007-03-21 10:59 <DIR> d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2007-03-20 13:30 212,480 --a------ C:\WINDOWS\PCDLIB32.DLL
2007-03-20 08:38 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-03-19 23:37 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-03-19 23:37 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-03-19 23:37 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-03-19 23:37 144,960 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-03-19 23:37 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-03-19 23:37 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-03-19 23:36 164 --a------ C:\install.dat
2007-03-19 23:30 424,960 --a------ C:\WINDOWS\WRServices.dll
2007-03-19 23:30 102,912 --a------ C:\WINDOWS\system32\islzma.dll
2007-03-19 23:29 <DIR> d-------- C:\Program Files\Webroot
2007-03-19 23:29 <DIR> d-------- C:\DOCUME~1\Michael\APPLIC~1\Webroot
2007-03-19 22:36 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-03-19 19:48 <DIR> d-------- C:\DOCUME~1\ADMINI~1.BAR\APPLIC~1\SUPERAntiSpyware.com
2007-03-19 18:14 <DIR> d-------- C:\Program Files\stickies
2007-03-19 18:14 <DIR> d-------- C:\DOCUME~1\Michael\APPLIC~1\stickies
2007-03-19 08:51 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-03-18 23:47 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-03-18 23:47 <DIR> d-------- C:\DOCUME~1\Michael\APPLIC~1\SUPERAntiSpyware.com
2007-03-18 23:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-03-18 23:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-03-18 23:28 83,536 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-03-18 23:28 59,472 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-03-18 23:28 52,304 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-03-18 23:28 39,248 --a------ C:\WINDOWS\system32\drivers\ikfileflt.sys
2007-03-18 23:28 26,064 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-03-18 23:28 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-03-18 23:28 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2007-03-18 23:28 <DIR> d-------- C:\DOCUME~1\Michael\APPLIC~1\PC Tools
2007-03-18 23:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PC Tools
2007-03-18 23:27 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-03-18 11:05 8 --a------ C:\WINDOWS\system32\nvModes.dat
2007-03-18 11:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-03-18 11:01 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-03-18 11:01 <DIR> d-------- C:\WINDOWS\nview
2007-03-18 11:00 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2007-03-18 11:00 <DIR> d-------- C:\NVIDIA
2007-03-04 10:55 129,824 --a------ C:\WINDOWS\system32\lvci1051.dll
2007-03-04 10:54 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Logishrd
2007-02-23 17:53 <DIR> d-------- C:\DOCUME~1\Michael\APPLIC~1\CoreFTP
2007-02-23 17:52 <DIR> d-------- C:\Program Files\CoreFTP


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-21 20:37 -------- d-------- C:\Program Files\doom 3
2007-03-21 20:36 -------- d--h----- C:\Program Files\installshield installation information
2007-03-21 12:10 -------- d-------- C:\Program Files\hp
2007-03-21 12:07 -------- d-------- C:\Program Files\sonic
2007-03-21 10:59 4947 --a------ C:\WINDOWS\mozver.dat
2007-03-20 00:41 -------- d-------- C:\Program Files\oberon media
2007-03-20 00:32 -------- d-------- C:\Program Files\neopets
2007-03-20 00:32 -------- d-------- C:\DOCUME~1\Michael\APPLIC~1\neopets toolbar
2007-03-19 22:36 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-03-19 12:08 -------- d-------- C:\Program Files\norton systemworks
2007-03-18 11:33 -------- d-------- C:\Program Files\mozilla thunderbird
2007-03-04 13:16 -------- d-------- C:\Program Files\java
2007-03-04 11:00 -------- d-------- C:\Program Files\Common Files\logishrd
2007-03-04 10:54 -------- d-------- C:\Program Files\logitech
2007-02-27 11:37 -------- d-------- C:\Program Files\quicktime
2007-02-20 13:59 -------- d-------- C:\Program Files\microsoft frontpage
2007-02-19 22:17 -------- d-------- C:\Program Files\winamp
2007-02-17 18:25 -------- d-------- C:\Program Files\live365
2007-02-17 16:18 -------- d-------- C:\Program Files\mp3 knife
2007-02-17 15:50 161494 --a------ C:\WINDOWS\expstudio's audio converter free uninstaller.exe
2007-02-17 15:50 -------- d-------- C:\Program Files\expstudio
2007-02-17 15:35 -------- d-------- C:\DOCUME~1\Michael\APPLIC~1\river past g5
2007-02-06 18:45 25632 --a------ C:\WINDOWS\system32\drivers\LVPr2Mon.sys
2007-02-06 18:44 1964064 --a------ C:\WINDOWS\system32\drivers\LVMVdrv.sys
2007-02-06 18:42 1691808 --a------ C:\WINDOWS\system32\drivers\Lvckap.sys
2007-02-03 11:33 22560 --a------ C:\WINDOWS\system32\drivers\lvuvcflt.sys
2007-02-03 11:32 527136 --a------ C:\WINDOWS\system32\lvui2rc.dll
2007-02-03 11:32 41504 --a------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-02-03 11:32 215840 --a------ C:\WINDOWS\system32\lvui2.dll
2007-02-03 11:32 1939360 --a------ C:\WINDOWS\system32\drivers\lvuvc.sys
2007-02-03 11:30 1507232 --a------ C:\WINDOWS\system32\drivers\lvpopflt.sys
2007-02-03 11:29 264992 --a------ C:\WINDOWS\system32\lvcodec2.dll
2007-02-03 10:01 13398 --a------ C:\WINDOWS\system32\repository.reg
2007-02-02 23:50 -------- d-------- C:\Program Files\msn messenger
2007-01-19 13:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\system32\corpol.dll
2006-12-22 12:41 323624 --a------ C:\WINDOWS\system32\wiaaut.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Norton SystemWorks"="\"C:\\Program Files\\Norton SystemWorks\\cfgwiz.exe\" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SUPERAntiSpyware"="\"C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"SoundMan"="SOUNDMAN.EXE"
"BluetoothAuthenticationAgent"="\"rundll32.exe\" irprops.cpl,,BluetoothAuthenticationAgent"
"Logitech Utility"="Logi_MwX.Exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"osCheck"="\"C:\\Program Files\\Norton AntiVirus\\osCheck.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"HPHUPD08"="\"C:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe\""
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"LogitechCommunicationsManager"="\"C:\\Program Files\\Common Files\\LogiShrd\\LComMgr\\Communications_Helper.exe\""
"LogitechQuickCamRibbon"="\"C:\\Program Files\\Logitech\\QuickCam10\\QuickCam10.exe\" /hide"
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="\"nwiz.exe\" /install"
"NvMediaCenter"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SDTray"="C:\\Program Files\\Spyware Doctor\\SDTrayApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"NoInternetOpenWith "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdauxservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\sdcoreservice
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Michael.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec Drmc.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-22 0:55:14




and the new HJT...


Logfile of HijackThis v1.99.1
Scan saved at 12:59:09 AM, on 3/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam10\QuickCam10.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPHUPD08] "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SDTray] C:\Program Files\Spyware Doctor\SDTrayApp.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.8.0.25/aces/aces-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.8.0.32/blac...kjack-en_US.cab
O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.8.0.25/casc...scade-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-6.8.0.25/bowl...wling-en_US.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.8.0.25/cana...nasta-en_US.cab
O16 - DPF: Checkers by pogo - http://game1.pogo.com/applet-6.7.3.30/chec...ckers-en_US.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.8.0.32/chec...dflag-en_US.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.7.5.28/supe...bingo-en_US.cab
O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-6.7.5.28/mhpo...poker-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.7.5.28/lott...ottso-en_US.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.7.5.21/mahj...hjong-en_US.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.8.0.25/peng...guins-en_US.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.7.5.21/flin...inger-en_US.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.8.0.32/popfu/popfu-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.7.5.28/popp...ppit2-en_US.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.7.5.21/hots...treak-en_US.cab
O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.8.0.25/ride/ride-en_US.cab
O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.7.5.21/puck/puck-en_US.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.8.0.32/spid...pider-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.8.0.32/swee...tooth-en_US.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.7.4.28/peaks/peaks-en_US.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.8.0.25/word...homp2-en_US.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


By the way.. those blocked applications were things like trojan.goldun, backdoor.hackdoor and others.

Edited by deadlili, 22 March 2007 - 12:30 AM.


#6 waterfalls

waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:43 PM

Posted 22 March 2007 - 10:44 PM

You have an outdated version of Java which, because of security reasons, needs to be updated. To update Java:
- Download the latest version of Java Runtime Environment (JRE) 6.
- Click the "Download" button to the right.
- Check the box at the top that says: "Accept License Agreement".
- The page will refresh.
- Click on the top link to download "Windows Offline Installation, Multi-language" and save to your Desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel > Add/Remove Programs and remove all older versions of Java by checking any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the coffee cup icon next to it.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java versions.
- Reboot your computer once all Java components are removed.
- Then from your Desktop, double-click on the downloaded Java file to install the newest version.

Post back with a new HijackThis log. Also, how is your computer running now.
Take only memories, leave nothing but footprints.

Posted ImagePosted Image

#7 deadlili

deadlili
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:43 PM

Posted 22 March 2007 - 11:31 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:12:53 AM, on 3/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HPHUPD08] "C:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\pc tools\lsp\pctlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\spyware doctor\filterlsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.8.0.25/aces/aces-en_US.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.8.0.32/blac...kjack-en_US.cab
O16 - DPF: Blooop by pogo - http://game1.pogo.com/applet-6.8.0.25/casc...scade-en_US.cab
O16 - DPF: Bowling by pogo - http://game1.pogo.com/applet-6.8.0.25/bowl...wling-en_US.cab
O16 - DPF: Canasta by pogo - http://game1.pogo.com/applet-6.8.0.25/cana...nasta-en_US.cab
O16 - DPF: Checkers by pogo - http://game1.pogo.com/applet-6.7.3.30/chec...ckers-en_US.cab
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.8.0.32/chec...dflag-en_US.cab
O16 - DPF: Fortune Bingo by pogo - http://game1.pogo.com/applet-6.7.5.28/supe...bingo-en_US.cab
O16 - DPF: Lost Temple Poker by pogo - http://game1.pogo.com/applet-6.7.5.28/mhpo...poker-en_US.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.7.5.28/lott...ottso-en_US.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.7.5.21/mahj...hjong-en_US.cab
O16 - DPF: Penguin Blocks by pogo - http://game1.pogo.com/applet-6.8.0.25/peng...guins-en_US.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.7.5.21/flin...inger-en_US.cab
O16 - DPF: Pop Fu by pogo - http://game1.pogo.com/applet-6.8.0.32/popfu/popfu-en_US.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.7.5.28/popp...ppit2-en_US.cab
O16 - DPF: Quick Quack by pogo - http://game1.pogo.com/applet-6.7.5.21/hots...treak-en_US.cab
O16 - DPF: Ride The Tide by pogo - http://game1.pogo.com/applet-6.8.0.25/ride/ride-en_US.cab
O16 - DPF: Shuffle Bump by pogo - http://game1.pogo.com/applet-6.7.5.21/puck/puck-en_US.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.8.0.32/spid...pider-en_US.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.8.0.32/swee...tooth-en_US.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.7.4.28/peaks/peaks-en_US.cab
O16 - DPF: Word Whomp by pogo - http://game1.pogo.com/applet-6.8.0.25/word...homp2-en_US.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Spyware Doctor Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: Spyware Doctor Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe



As far as how it's running... more often than not, the hard drive seems to be running *far* too long after a reboot. When I look at task manager, it appears nothing is going on. My browser sometimes stalls in trying to load a page, or takes forever to even start when that's going on.

Also, in Windows Security Center, it says "The security center is currently unavailable because the "Security Center" service has not started or was stopped." I can still manage the components.. firewall, antivirus, updates... just no center to give me alerts or to show me what's on at a glance.

#8 waterfalls

waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:43 PM

Posted 23 March 2007 - 11:21 AM

Regarding your Security Center, did you go to Start > Control Panel > Security Center and try to manually reset it?
Take only memories, leave nothing but footprints.

Posted ImagePosted Image

#9 deadlili

deadlili
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:43 PM

Posted 23 March 2007 - 11:42 AM

Hi, Waterfalls

No matter how I get there, even if I've just rebooted, I have that same message. I don't see a way to reset it.

Also, since we last spoke, I've installed Comodo firewall. I wasn't comfortable with just the window's firewall.. especially with this going on. At least I know that Comodo is really on.

#10 waterfalls

waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:43 PM

Posted 23 March 2007 - 12:11 PM

Open Notepad and copy and paste the text inside the codebox into Notepad:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"DoNotAllowXPSP2"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"AUOptions"=dword:00000002
"NoAutoUpdate"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile]
"EnableFirewall"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"UpdatesDisableNotify"=-
"AntiVirusDisableNotify"=-
"FirewallDisableNotify"=-
"AntiVirusOverride"=-
"FirewallOverride"=-

- Save this as fix.reg -> choose to save as *all files -> and place it on your desktop.
- It should look like this: Posted Image
- Double-click on it and, when you are asked if you want to merge the contents to the registry, click YES/OK.

Reboot your computer!

Let me know if this worked.
Take only memories, leave nothing but footprints.

Posted ImagePosted Image

#11 deadlili

deadlili
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:43 PM

Posted 23 March 2007 - 12:25 PM

I did as you instructed, but it didn't fix it.

#12 waterfalls

waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:43 PM

Posted 23 March 2007 - 03:13 PM

Open Notepad and copy and paste the text inside the codebox into Notepad:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=-

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore]
"DisableConfig"=-
"DisableSR"=-

- Save this as fix.reg -> choose to save as *all files -> and place it on your desktop.
- It should look like this: Posted Image
- Double-click on it and, when you are asked if you want to merge the contents to the registry, click YES/OK.

Reboot your computer.

See if Task Manager is working and/or your Security Center.

If your Security Center is not working follow these steps:

1. Go to start > Run and copy/paste: NETSH FIREWALL RESET
- Click OK
- Wait till the DOS prompt (black window) closes again.
- Then look if you can access the firewall settings again.
If this doesn't work, go to step 2.

2. Go to start > Run and copy/paste: services.msc
- Click OK
- Search in the list for Windows Firewall/Internet Connection Sharing (ICS) <== if this isn't present, go to step 3.
- Click "stop" there.
- Click OK and close the window.

Then go back to your Control Panel and click: Windows Firewall
You should get an error then.. telling you that the service Windows Firewall/Internet Connection Sharing (ICS) is disabled/stopped and if you want to enable/start it.
Click Yes/ok
The service should be started again and you will be able to change settings in it.

3. (Only perform this if previous steps failed)
Download this regfix:
http://windowsxp.mvps.org/reg/sharedaccess.reg
- Place it on your desktop.
- Now double-click sharedaccess.reg
- Click YES/OK at the prompt.

Then REBOOT!! Important!

After reboot, go to Start > Run and copy/paste: NETSH FIREWALL RESET
- Click OK
- Wait till the DOS prompt (black window) closes again.
- Then look if you can access the firewall settings again.
Take only memories, leave nothing but footprints.

Posted ImagePosted Image

#13 deadlili

deadlili
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:43 PM

Posted 23 March 2007 - 04:01 PM

I tried all of the above and it's still not fixed. I'm going to try and attach a screenshot so you can see what I see. *crosses fingers*

Attached Files



#14 waterfalls

waterfalls

    Malware Exorcist


  • Members
  • 621 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:09:43 PM

Posted 24 March 2007 - 02:56 AM

Well, it looks like Norton may be the culprit here.

• Open Norton Anti-Virus > Norton Security Center tab
- Near the top right, click on Options
- Check the box Show Messages from Windows Security Center
- Click OK.

• Reboot your computer!

If that didn't work, I want you to double-check if the following Services listed below are set to Automatic and running because the Security Center depends on them, so:

• Go to Start > Run and copy/paste: services.msc > click OK
- Scroll down to each one of the following Services listed below. In the middle, where it says Startup Type, make sure it says Automatic
- If it does not, use the drop-down arrow to change it to "Automatic" > click Apply - OK
- Also, right below "Startup Type" it says Service Status - this should read Started.
- If it does not, click Start - click Apply.
- Click OK

Services for you to check:
* Event Log
* Remote Procedure Call (RPC)
* Windows Management Instrumentation

Then restart the Security Center service.

• Post back and let me know how it went.

Edited by waterfalls, 24 March 2007 - 02:58 AM.

Take only memories, leave nothing but footprints.

Posted ImagePosted Image

#15 deadlili

deadlili
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:09:43 PM

Posted 24 March 2007 - 09:41 AM

Oh brother... I didn't even know that Norton had that setting. That was it. Thank you for your patience!

I also suspect that my startup time will greatly improve if I dump Norton.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users