Hijacked - Trojans, CWS, others


  • This topic is locked
4 replies to this topic

#1 doubled

  • Members
  • 7 posts

Posted 13 January 2005 - 12:17 AM

Troubleshooting a laptop that was getting hammered with pop-ups.
Ran Ad-aware SE, with latest update. Found about 400 items to remove.
Ran CWShredder. Got a message:
You have a variant of the CoolWebSearch trojan (cws.smartsearch.2) that has attempted to close CWShredder. Finished running and removed a couple of items.
Was getting closer... downloaded latest version of AboutBuster, ran, updated, and found nothing to remove.
Did several other things and now down to this HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 11:22:45 PM, on 1/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\hjt\HijackThis.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: kykihf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A097F11-3CE3-4C7E-BC5F-067266068BFF}: NameServer = 35.8.2.41,35.8.2.42
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = msu.edu,cl.msu.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A097F11-3CE3-4C7E-BC5F-067266068BFF}: NameServer = 35.8.2.41,35.8.2.42
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = msu.edu,cl.msu.edu
O17 - HKLM\System\CS2\Services\Tcpip\..\{3A097F11-3CE3-4C7E-BC5F-067266068BFF}: NameServer = 35.8.2.41,35.8.2.42
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = msu.edu,cl.msu.edu
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Not sure if everything has been removed or if it is safe... just before this I ran Ad-aware again and it came up with 136 items to remove. So I have to believe there is more to do. Please step me through the process that I should be following to get this laptop up and running.
Thanks in advance.
Daniel



Thought there was something still lurking about...
Rebooted in safe mode, ran Ad-aware again, found 7 items. And got the following message:
Some objects could not be removed, c:\windows\system32\izines.dll, reboot and run ad-aware again.

After reboot no objects were found.

Ran HJT and the following was added to the list:
Global Startup: kykihf.exe

Will reboot and post latest log.


--------------------

Here is the latest log:

Logfile of HijackThis v1.99.0
Scan saved at 12:16:54 AM, on 1/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hjt\HijackThis.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\vyvgwq.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: kykihf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A097F11-3CE3-4C7E-BC5F-067266068BFF}: NameServer = 35.8.2.41,35.8.2.42
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = msu.edu,cl.msu.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A097F11-3CE3-4C7E-BC5F-067266068BFF}: NameServer = 35.8.2.41,35.8.2.42
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = msu.edu,cl.msu.edu
O17 - HKLM\System\CS2\Services\Tcpip\..\{3A097F11-3CE3-4C7E-BC5F-067266068BFF}: NameServer = 35.8.2.41,35.8.2.42
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = msu.edu,cl.msu.edu
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe




--------------------
Another oddity... When I go to empty the recycle bin, there is nothing in it, but when I select Empty Recycle Bin, it asks Are you sure you want to delete these 7 items? I select yes, but it never deletes the items.
Any suggestions?


--------------------
Here is a log from a run of BitDefender:

C:\Program Files\Common Files\CMEII\GDwldEng.dll: infected with Adware.Gator.A
C:\Program Files\Common Files\CMEII\GDwldEng.dll: disinfection failed
C:\Program Files\Common Files\CMEII\GIoclClient.dll: infected with Adware.Gator.A
C:\Program Files\Common Files\CMEII\GIoclClient.dll: disinfection failed
C:\Program Files\Common Files\CMEII\GStore.dll: infected with Adware.Gator.A
C:\Program Files\Common Files\CMEII\GStore.dll: disinfection failed
C:\WINDOWS\nnodsx.dll: suspect Trojan.Downloader.Small.Gen
C:\WINDOWS\nnodsx.dll: disinfection failed
C:\WINDOWS\SStb.exe=>(NSIS o)=>zlib_nsis0002: suspect Trojan.Downloader.Small.Gen
C:\WINDOWS\SStb.exe=>(NSIS o)=>zlib_nsis0002: disinfection failed
C:\WINDOWS\system32\aklsp.dll: infected with Trojan.Downloader.Agent.BR
C:\WINDOWS\system32\aklsp.dll: deleted
C:\WINDOWS\system32\akrules.dll: infected with Trojan.Downloader.Agent.BT
C:\WINDOWS\system32\akrules.dll: disinfection failed
C:\WINDOWS\system32\akupd.dll: infected with Trojan.Downloader.Agent.BR
C:\WINDOWS\system32\akupd.dll: deleted
C:\WINDOWS\system32\calsp.dll: infected with Trojan.Downloader.Agent.BR
C:\WINDOWS\system32\calsp.dll: deleted
C:\WINDOWS\system32\lglqci.dll: infected with Trojan.Downloader.Qoologic.D
C:\WINDOWS\system32\lglqci.dll: deleted


--------------------

TrendMicro log:

TROJ AGENT.BT not cleanable c:\windows\system32\akrules.dll
TROJ NARRATOR.A not cleanable c:\windows\system32\lplahx.exe

How do I get rid of these?
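An added example, not part of the original post and not HijackThis code: a small Python triage script that applies to lines like those in the two logs above the checks a log helper makes by eye. It flags O4 Run entries whose target lives under C:\WINDOWS but is not a binary known to belong there (the [Narrator] value pointing at vyvgwq.exe), Run values whose name promises one program but point at another, Global Startup entries that are bare executables rather than .lnk shortcuts (kykihf.exe), and O17 NameServer values outside the resolvers the network is expected to use. The allow-lists, the expected resolver set and the sample log are assumptions: the sample is modelled on entries from the posted logs plus one made-up O17 line carrying a documentation-range address (192.0.2.53) so the DNS check has something to catch. The real O17 lines are consistent with the msu.edu search list in the same log, so they pass.

```python
"""Triage of HijackThis-style log lines (added example; not HijackThis code).

Checks, in the order a helper applies them by eye:
  1. O4 Run entries whose target is under C:\\WINDOWS but not a known system binary.
  2. O4 Run values whose name promises one binary (e.g. Narrator) but point elsewhere.
  3. O4 Global Startup entries that are bare executables instead of .lnk shortcuts.
  4. O17 NameServer entries outside the resolvers the network is expected to use.
"""
import re

# Assumption: binaries that legitimately run from C:\WINDOWS on this machine.
KNOWN_WINDIR_BINARIES = {"ctfmon.exe", "explorer.exe", "nvsvc32.exe"}

# Assumption: Run-value names that should only ever point at one binary.
EXPECTED_TARGET_FOR_NAME = {"narrator": "narrator.exe"}

RUN_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<target>.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<entry>.+)$")
DNS_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")
# Last path component ending in an executable extension; stops at quotes and backslashes.
EXE_RE = re.compile(r'([^\\"]+\.(?:exe|com|scr|bat|dll))', re.I)


def exe_name(target):
    """File name of the executable in an O4 target, without directory, quotes or arguments."""
    m = EXE_RE.search(target)
    return m.group(1).lower() if m else target.strip().lower()


def triage(log_text, expected_dns):
    """Return a list of (reason, line) pairs for entries that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            name, target = m["name"], m["target"]
            exe = exe_name(target)
            path = target.strip('"').lower()
            if path.startswith("c:\\windows\\") and exe not in KNOWN_WINDIR_BINARIES:
                findings.append(("unknown binary started from C:\\WINDOWS", line))
            expected = EXPECTED_TARGET_FOR_NAME.get(name.lower())
            if expected and exe != expected:
                findings.append((f"Run value [{name}] does not point at {expected}", line))
        elif m := STARTUP_RE.match(line):
            # "Billminder.lnk = C:\QUICKENW\BILLMIND.EXE" is a shortcut; "kykihf.exe" is a
            # file dropped straight into the Startup folder.
            if not m["entry"].split(" = ")[0].lower().endswith(".lnk"):
                findings.append(("non-shortcut file in the Startup folder", line))
        elif m := DNS_RE.match(line):
            rogue = set(m["servers"].split(",")) - set(expected_dns)
            if rogue:
                findings.append((f"unexpected DNS resolver(s): {', '.join(sorted(rogue))}", line))
    return findings


# Constructed sample modelled on the posted logs. The second O17 line is made up
# (192.0.2.53 is a documentation address) so that the resolver check has a hit.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\vyvgwq.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: kykihf.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A097F11-3CE3-4C7E-BC5F-067266068BFF}: NameServer = 35.8.2.41,35.8.2.42
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A097F11-3CE3-4C7E-BC5F-067266068BFF}: NameServer = 35.8.2.41,192.0.2.53
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = msu.edu,cl.msu.edu
"""

if __name__ == "__main__":
    # Assumption: the campus resolvers implied by the SearchList are the expected ones.
    for reason, line in triage(SAMPLE_LOG, {"35.8.2.41", "35.8.2.42"}):
        print(f"[{reason}] {line}")
```

Run it directly to print the findings for the sample, or call triage() on the text of a saved log. A hit is a pointer, not a verdict: a flagged file still needs to be checked (publisher, timestamp, what else references it) before anything is deleted, which is why the helper's next reply asks for more output rather than a fix.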


#2 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Location:Romania

Posted 14 January 2005 - 02:20 PM

Download Find It NT-2K-XP.zip.

Unzip the contents of Find It NT-2K-XP.zip to a folder, for example c:\findit

Navigate to the c:\findit folder and double-click on find.bat.
A command prompt will open and it will search your computer for malicious files. Let it finish. It could take 5 - 10 minutes.

Once it has finished a Notepad window will pop up with output.txt.
Copy the entire contents of output.txt into your next post.

Please do not try to remove any files.

Everyday is virus day. Do you know where your recovery CDs are?
Did you create them yet?

#3 doubled (Topic Starter)

  • Members
  • 7 posts

Posted 14 January 2005 - 02:42 PM

Thanks for the reply. I decided to attempt to use the Microsoft AntiSpyware beta that they posted on their website.

Downloaded and ran it. It found several things.
Here is the log. I deleted the file names that it listed... it was LONG, with the Gator stuff it found. It removed everything but two things:
Trojan.Unclassified.ContextMenuHandler.A
Vx2.Narrator

Spyware Scan Details
Start Date: 1/13/2005 12:16:33 PM
End Date: 1/13/2005 12:35:31 PM
Total Time: 18 mins 58 secs

Detected Threats

eXact.ISEXEng Trojan
Details: eXact.ISEXEng is a Trojan Windows service installed by BargainBuddy and CashBack.
Status: Removed
Severe threat - Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. The attacker has complete control over your computer or can install new software on your machine.
Infected registry keys/values detected


Vx2.Narrator Toolbar
Details: Related to the VX2 Transponder.
Status: Removed
Severe threat
Infected files detected
Infected registry keys/values detected


AvenueMedia.DyFuCA Browser Plug-in
Details: AvenueMedia DyFuCA Internet Optimizer is adware that changes your browser error page. It periodically displays pop-up advertisements from its remote sites and may update itself.
Status: Removed
Severe threat
Infected registry keys/values detected


Topconverting Crazywinnings Adware
Details: Topconverting Crazywinnings installs via online games through ActiveX drive-by download.
Status: Removed
High threat - High risk threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction. May open up communication ports, use polymorphic tactics, stealth installations, and/or anti-spy countermeasures. May use a security flaw in the operating system to gain access to your computer.
Infected folders detected
Infected registry keys/values detected


IEMenuExtension Toolbar Adware
Details: IEMenuExtension Toolbar is an adware toolbar that installs into the Internet Explorer Web browser.
Status: Removed
High threat
Infected files detected


Trojan.Unclassified.ContextMenuHandler.A Trojan
Details: This trojan installs as a context menu handler in Windows. It uses a 6-character random name on installation, ******.dll; it also uses a random 6-character project name, ******.class, to identify itself.
Status: Removed
High threat
Infected files detected
Infected registry keys/values detected


AdDestroyer Adware
Details: AdDestroyer is promoted as a spyware remover. However, it sets itself to run when you start the computer and remains memory-resident. When it runs, the software periodically attempts to contact a server to download updates and instructions.
Status: Removed
High threat
Infected files detected
Infected folders detected


eXact.BargainBuddy Adware
Details: BargainBuddy is a Browser Helper Object that watches the pages your browser requests and the terms you enter into a search engine web form. If a term matches a preset list of sites or keywords, BargainBuddy will display an ad.
Status: Removed
High threat
Infected files detected


DownloadWare Adware
Details: DownloadWare downloads and installs software from advertisers. It runs at Windows startup and, if a network connection is available, connects to its servers. It can be installed through an ActiveX control.
Status: Removed
High threat
Infected registry keys/values detected


WebSearch Toolbar Browser Plug-in
Details: WebSearch Toolbar is an Internet Explorer search redirector.
Status: Removed
High threat
Infected registry keys/values detected


NetworkEssentials Browser Plug-in
Details: Network Essentials is an Internet Explorer browser helper object that monitors URLs being viewed in the Web browser.
Status: Removed
High threat
Infected registry keys/values detected


BrowserVillage Toolbar Adware
Status: Removed
Elevated threat - Elevated threats are usually threats that fall into the range of adware in which data about a user's habits are tracked and sent back to a server for analysis without your consent or knowledge.
Infected registry keys/values detected


BrilliantDigital Adware
Details: BrilliantDigital displays multimedia advertisements.
Status: Removed
Elevated threat
Infected files detected


Claria Adware
Details: Claria (Gator) may automatically fill in passwords and other information on Web forms. Its main purpose is to load an advertising module called OfferCompanion that displays pop-up advertisements when you visit some Web sites.
Status: Removed
Elevated threat
Infected files detected
Infected folders detected


GAIN Adware
Details: GAIN (Gator) automatically fills in passwords and other elements on Web forms. Its main purpose is to install an advertising module called OfferCompanion, which displays pop-up advertisements when you view certain Web sites.
Status: Removed
Elevated threat
Infected files detected
Infected folders detected


Virtual Bouncer Adware
Details: Virtual Bouncer claims to be a spyware remover, and it actually detects a few.
Status: Removed
Moderate threat - Moderate threats may profile users' online habits or broadcast data back to a server with 'opt-out' permission. In most cases this type of threat is more along the lines of commercial adware that offers a premium service in exchange for tracking your online habits.
Infected files detected
Infected folders detected


Detected Spyware Cookies
No spyware cookies were found during this scan.

====================================

I also used the following to clear out the files (the ones that would not show up and would not delete in the Recycle Bin).

Select Run... from the start menu
Type in the following:
attrib c:\recycler -h -s
del c:\recycler

Reboot and select Empty Recycle Bin and it worked.

====================================

After running MS AntiSpyware beta, I ran Ad-aware while in safe mode. It removed the files that would not be removed. Looks like things may be cleared up for now.

Here is my hjt log:
Logfile of HijackThis v1.99.0
Scan saved at 12:03:20 AM, on 1/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\QUICKENW\QWDLLS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hjt\HijackThis.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A097F11-3CE3-4C7E-BC5F-067266068BFF}: NameServer = 35.8.2.41,35.8.2.42
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = msu.edu,cl.msu.edu
O17 - HKLM\System\CS1\Services\Tcpip\..\{3A097F11-3CE3-4C7E-BC5F-067266068BFF}: NameServer = 35.8.2.41,35.8.2.42
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = msu.edu,cl.msu.edu
O17 - HKLM\System\CS2\Services\Tcpip\..\{3A097F11-3CE3-4C7E-BC5F-067266068BFF}: NameServer = 35.8.2.41,35.8.2.42
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = msu.edu,cl.msu.edu
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
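The ContextMenuHandler entry in the scan above describes a handler DLL with a random 6-letter name. HijackThis 1.99 has no section for context-menu handlers, so here is an added example (mine, not the poster's and not any scanner's code) of how to get the same information from a registry export. It parses the text of `reg export` for the ContextMenuHandlers keys (for example `reg export "HKCR\*\shellex\ContextMenuHandlers" handlers.reg`) together with an export of HKCR\CLSID, resolves each handler's CLSID to its InprocServer32 DLL, and flags DLLs under C:\WINDOWS that are not on a known list or that match the six-lowercase-letter pattern. The .reg files reg.exe writes are UTF-16, so decode them before passing the text in. The sample export, its placeholder GUIDs and the name wdkqzl.dll are constructed; the known-DLL set is an assumption.

```python
"""Resolve shell context-menu handlers to their DLLs from .reg export text and
flag random-looking or unknown DLLs under C:\\WINDOWS (added example; not from
the original post or from any scanner).

Input is the decoded text of `reg export` for the ContextMenuHandlers keys and
for HKCR\\CLSID; the two exports can simply be concatenated, because
parse_reg_export() only looks at [key] lines and their default (@) values.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DEFAULT_RE = re.compile(r'^@="(?P<value>.*)"$')
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RANDOM_DLL_RE = re.compile(r"^[a-z]{6}\.dll$")
HANDLER_MARKER = "\\shellex\\contextmenuhandlers\\"

# Assumption: DLLs that legitimately serve context menus from C:\WINDOWS here.
KNOWN_WINDIR_DLLS = {"shell32.dll", "cryptext.dll", "ntshrui.dll"}


def parse_reg_export(text):
    """Map each registry key (lower-cased) to its default value, with .reg escapes undone."""
    defaults = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := KEY_RE.match(line):
            key = m["key"].lower()
            defaults.setdefault(key, "")
        elif key and (m := DEFAULT_RE.match(line)):
            # .reg files write a backslash as \\ and a double quote as \"
            defaults[key] = m["value"].replace('\\"', '"').replace("\\\\", "\\")
    return defaults


def suspicious_handlers(defaults):
    """Return (handler name, CLSID, DLL path) for handlers backed by a suspect DLL."""
    findings = []
    for key, value in defaults.items():
        if HANDLER_MARKER not in key:
            continue
        name = key.rsplit("\\", 1)[1]
        # The CLSID is normally the default value; some handlers use it as the key name.
        if GUID_RE.fullmatch(value):
            clsid = value.lower()
        elif GUID_RE.fullmatch(name):
            clsid = name
        else:
            continue
        dll = defaults.get("hkey_classes_root\\clsid\\" + clsid + "\\inprocserver32", "")
        base = dll.rsplit("\\", 1)[-1].lower()
        in_windir = dll.lower().startswith("c:\\windows\\")
        if (in_windir and base not in KNOWN_WINDIR_DLLS) or RANDOM_DLL_RE.match(base):
            findings.append((name, clsid, dll))
    return findings


# Constructed sample export: placeholder GUIDs, a shell32-backed "Open With"
# handler that should pass, and a made-up six-letter handler that should not.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{11111111-1111-1111-1111-111111111111}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\wdkqzl]
@="{22222222-2222-2222-2222-222222222222}"

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\WINDOWS\\system32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\WINDOWS\\system32\\wdkqzl.dll"
"ThreadingModel"="Apartment"
'''

if __name__ == "__main__":
    for name, clsid, dll in suspicious_handlers(parse_reg_export(SAMPLE_REG)):
        print(f"handler {name!r} -> {clsid} -> {dll}")
```

The same marker matches handlers registered under HKCR\Directory, HKCR\Folder and HKCR\AllFilesystemObjects as well as HKCR\*, so one concatenated export of those keys plus HKCR\CLSID covers the usual places. A handler whose CLSID has no InprocServer32 entry resolves to an empty path and is not flagged; that case is worth listing separately when hunting for leftovers.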

#4 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Location:Romania

Posted 14 January 2005 - 02:49 PM

I didn't ask for these logs.

#5 Daisuke

    Cleaner on Duty

  • Members
  • 5,575 posts
  • Location:Romania

Posted 13 February 2005 - 03:29 AM

Due to the lack of feedback this topic is closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.




