Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Been Unhijaked and De-wormed... still some straglers......

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Been Unhijaked and De-wormed... still some straglers......

Unread postby tmages » August 21st, 2005, 5:45 pm

These things just won't go away..... the following have been used for cleaning:
Adaware, Spybot, Norton Antivirus, Webroot spy sweeper,a-squared, trend micro, and even tried the fixzotob( because I found a file that in my research was a part of this worm) The fix did not find anything.

All of these programs were run, found items, cleaned,quarantine cleared, and restarted with out the system restore on. Multiple times.

The occurance of pop ups have only slowed down.... HELP!!

Also running Firefox and Netscape 4 and 7 for Web Design purposes. All get pop up even with their respective pop up blockers.

Attached is my most recent Hijack this log.....Any ideas??

Logfile of HijackThis v1.99.1
Scan saved at 5:27:21 PM, on 8/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\E_S00RP2.EXE
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ibaa\ohai.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Conversions Plus\MacName.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tmages.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.tmages.com/"); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\zfy1lt5t.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\zfy1lt5t.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [t77U36X] rciv_32.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Rsat] C:\Program Files\ibaa\ohai.exe
O4 - HKCU\..\Run: [cwo8RWbml] ravfctrs.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: MacName.lnk = C:\Program Files\Conversions Plus\MacName.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://www.pogo.com
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.2.66/a ... assets.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.2.2.66/b ... assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.2.2.51/b ... assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.1.5.21/c ... assets.cab
O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.1.1.29/e ... assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.1.1. ... assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.5.28/h ... assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.1.4.29/d ... assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.1.3.28/p ... assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.2.21/j ... assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.2.0.37/l ... assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.3.1.33/m ... assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.34/p ... assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.2.5.28/f ... assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.5.42/w ... assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.3.0.46/f ... assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: Pirate's Gold by pogo - http://game1.pogo.com/applet-6.2.1.41/p ... assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.3.0.53/p ... assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.2.1.27/p ... assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.1.27/s ... assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/s ... assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.2.4.32/s ... assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.2.0.37/h ... assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.3.0.46/p ... assets.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.3.1.26/j ... assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-6.0.3.28/ ... assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.2.51/w ... assets.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-12.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 8638758687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4500309500
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmatch.com/graphics/Web ... LRadio.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\mdxml3r.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Smlt\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP2.EXE
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\Conversions Plus\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
tmages
Active Member
 
Posts: 6
Joined: August 21st, 2005, 5:32 pm
Location: Cape Cod, Massachusetts
Advertisement
Register to Remove

Unread postby Mat2 » August 21st, 2005, 5:53 pm

Image & Welcome to MWR

I would be glad to help you with your computer problems. :)

HijackThis logs take awhile to research. Please be patient with me. I know that you want your problems solved quicky, and I will work hard to help you.

Please observe these rules while we work:

1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.

If you can do those two things, everything should go smoothly

Thanks
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

Unread postby Mat2 » August 21st, 2005, 6:03 pm

Hi

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read this instructions carefully and feel free to ask if you're unsure about something

Please go to:

  • start
  • control panel
  • add/remove programs

Find and remove these programs (if they are present)


  • Viewpoint Manager



Next please run HijackThis, click Do A System Scan Only, and check the following:

O4 - HKCU\..\Run: [Rsat] C:\Program Files\ibaa\ohai.exe
O4 - HKCU\..\Run: [cwo8RWbml] ravfctrs.exe

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Press Fix Checked, HJT will prompt you to confirm if you would like to remove those items, select Yes.

1. Restart your computer. As your computer restarts, repeatedly press the F8 key on your keyboard until the Windows Advanced Options menu appears.
2. Use the arrow key to select Safe Mode, and then press ENTER.
3. Use an arrow key to select an operating system and press ENTER.
4. When prompted whether you want your Windows to run in safe mode, click Yes.

  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View Tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK



Search for and delete these folders (if present):

C:\Program Files\Viewpoint
C:\Program Files\ibaa


Search for and delete these files (if present):

ravfctrs.exe

Restart Windows back into normal mode and post back here a new HJT log. Thanks
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

Unread postby tmages » August 21st, 2005, 6:41 pm

Wow! Thank you for the quick response!!

You all do a wonderfull thing here!!

Attached is the latest Hijack This log:

Logfile of HijackThis v1.99.1
Scan saved at 6:36:44 PM, on 8/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\E_S00RP2.EXE
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Conversions Plus\MacName.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tmages.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.tmages.com/"); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\zfy1lt5t.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\zfy1lt5t.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [t77U36X] rciv_32.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lpsdxx.exe reg_run
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: MacName.lnk = C:\Program Files\Conversions Plus\MacName.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://www.pogo.com
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.2.66/a ... assets.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.2.2.66/b ... assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.2.2.51/b ... assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.1.5.21/c ... assets.cab
O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.1.1.29/e ... assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.1.1. ... assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.5.28/h ... assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.1.4.29/d ... assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.1.3.28/p ... assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.2.21/j ... assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.2.0.37/l ... assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.3.1.33/m ... assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.34/p ... assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.2.5.28/f ... assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.5.42/w ... assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.3.0.46/f ... assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: Pirate's Gold by pogo - http://game1.pogo.com/applet-6.2.1.41/p ... assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.3.0.53/p ... assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.2.1.27/p ... assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.1.27/s ... assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/s ... assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.2.4.32/s ... assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.2.0.37/h ... assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.3.0.46/p ... assets.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.3.1.26/j ... assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-6.0.3.28/ ... assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.2.51/w ... assets.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-12.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 8638758687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4500309500
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmatch.com/graphics/Web ... LRadio.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\mdxml3r.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Smlt\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP2.EXE
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\Conversions Plus\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
tmages
Active Member
 
Posts: 6
Joined: August 21st, 2005, 5:32 pm
Location: Cape Cod, Massachusetts

Unread postby Mat2 » August 22nd, 2005, 2:55 am

Hi there, and welcome to the forums!

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read this instructions carefully and feel free to ask if you're unsure about something

1. Restart your computer. As your computer restarts, repeatedly press the F8 key on your keyboard until the Windows Advanced Options menu appears.
2. Use the arrow key to select Safe Mode, and then press ENTER.
3. Use an arrow key to select an operating system and press ENTER.
4. When prompted whether you want your Windows to run in safe mode, click Yes.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lpsdxx.exe reg_run

Click on Fix Checked when finished and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\system32\lpsdxx.exe

Exit Explorer, and reboot as normal afterwards.

If you were unable to find any of the files then please follow these additional instructions:

Download Pocket Killbox and unzip it; save it to your Desktop.

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

Let the system reboot.

Post back a fresh HijackThis log and we will take another look.
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

Unread postby tmages » August 22nd, 2005, 8:46 am

I still can't get over the quick response, it is GREATLY appreciated.
I think we're getting closer now.
here's the latest log.



Logfile of HijackThis v1.99.1
Scan saved at 8:39:28 AM, on 8/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\E_S00RP2.EXE
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Conversions Plus\MacName.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tmages.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.tmages.com/"); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\zfy1lt5t.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\zfy1lt5t.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [t77U36X] rciv_32.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lpsdxx.exe reg_run
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: MacName.lnk = C:\Program Files\Conversions Plus\MacName.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://www.pogo.com
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.2.66/a ... assets.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.2.2.66/b ... assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.2.2.51/b ... assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.1.5.21/c ... assets.cab
O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.1.1.29/e ... assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.1.1. ... assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.5.28/h ... assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.1.4.29/d ... assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.1.3.28/p ... assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.2.21/j ... assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.2.0.37/l ... assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.3.1.33/m ... assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.34/p ... assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.2.5.28/f ... assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.5.42/w ... assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.3.0.46/f ... assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: Pirate's Gold by pogo - http://game1.pogo.com/applet-6.2.1.41/p ... assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.3.0.53/p ... assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.2.1.27/p ... assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.1.27/s ... assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/s ... assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.2.4.32/s ... assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.2.0.37/h ... assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.3.0.46/p ... assets.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.3.1.26/j ... assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-6.0.3.28/ ... assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.2.51/w ... assets.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-12.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 8638758687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4500309500
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmatch.com/graphics/Web ... LRadio.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\mdxml3r.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Smlt\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP2.EXE
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\Conversions Plus\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
tmages
Active Member
 
Posts: 6
Joined: August 21st, 2005, 5:32 pm
Location: Cape Cod, Massachusetts

Unread postby Mat2 » August 22nd, 2005, 10:45 am

Hi

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read this instructions carefully and feel free to ask if you're unsure about something


The first thing you need to do is the following:

Download the trial version of Ewido Security Suite. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Boot into Safe Mode. To do this:

1. Reboot your computer.

2. Tap the F8 button as your computer is booting to bring you to an Advanced Options Menu.

3. Select Safe Mode and press Enter.

Next, run Ewido

1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
3. When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

Run and scan with HijackThis. With all other browsers and windows closed, place a check beside the following and Fix:

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lpsdxx.exe reg_run

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

Unread postby tmages » August 22nd, 2005, 7:29 pm

Hi Again!
Sorry took so long had to do the WORK thing... :(
Here are the latest logs....

Logfile of HijackThis v1.99.1
Scan saved at 7:21:10 PM, on 8/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\E_S00RP2.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Fast.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Conversions Plus\MacName.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tmages.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.tmages.com/"); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\zfy1lt5t.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\zfy1lt5t.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [t77U36X] rciv_32.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: MacName.lnk = C:\Program Files\Conversions Plus\MacName.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://www.pogo.com
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.2.66/a ... assets.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.2.2.66/b ... assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.2.2.51/b ... assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.1.5.21/c ... assets.cab
O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.1.1.29/e ... assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.1.1. ... assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.5.28/h ... assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.1.4.29/d ... assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.1.3.28/p ... assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.2.21/j ... assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.2.0.37/l ... assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.3.1.33/m ... assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.34/p ... assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.2.5.28/f ... assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.5.42/w ... assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.3.0.46/f ... assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: Pirate's Gold by pogo - http://game1.pogo.com/applet-6.2.1.41/p ... assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.3.0.53/p ... assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.2.1.27/p ... assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.1.27/s ... assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/s ... assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.2.4.32/s ... assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.2.0.37/h ... assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.3.0.46/p ... assets.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.3.1.26/j ... assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-6.0.3.28/ ... assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.2.51/w ... assets.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-12.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 8638758687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4500309500
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmatch.com/graphics/Web ... LRadio.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\mdxml3r.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Smlt\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP2.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\Conversions Plus\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

And the EWIDO log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:12:08 PM, 8/22/2005
+ Report-Checksum: 1FDEAF7D

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Ignored
:mozilla.12:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Burstnet : Ignored
:mozilla.13:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Burstnet : Ignored
:mozilla.20:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Ignored
:mozilla.21:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Ignored
:mozilla.22:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Ignored
:mozilla.23:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Ignored
:mozilla.24:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Adserver : Ignored
:mozilla.25:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Adserver : Ignored
:mozilla.26:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Adserver : Ignored
:mozilla.39:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Questionmarket : Ignored
:mozilla.50:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.51:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.53:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.54:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Advertising : Ignored
:mozilla.56:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored
:mozilla.57:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Casalemedia : Ignored
[704] C:\WINDOWS\system32\sssgffs.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\i8h5axqe.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\i8h5axqe.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\i8h5axqe.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\i8h5axqe.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\i8h5axqe.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Debbie\Application Data\Mozilla\Firefox\Profiles\i8h5axqe.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Ad-logics : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.127:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.144:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.145:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Clickzs : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.319:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.333:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.334:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Qksrv : Cleaned with backup
:mozilla.348:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.354:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.355:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.356:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.357:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.405:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.406:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Trafic : Cleaned with backup
:mozilla.420:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.421:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.422:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.423:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Valuead : Cleaned with backup
:mozilla.424:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.470:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.471:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.556:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.569:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.570:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.571:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.572:C:\Documents and Settings\Jim\Application Data\Mozilla\Firefox\Profiles\de7estpw.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Jim\Local Settings\Temp\tp7543.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\system32\pukvg.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\Temp\Cookies\jim@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\jim@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\jim@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
C:\WINDOWS\Temp\Cookies\jim@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\f24962140.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup


::Report End

As you can see I left some cookies.. I could not see the whole string in the window so I was not sure what they were.....

Thanks!!
tmages
Active Member
 
Posts: 6
Joined: August 21st, 2005, 5:32 pm
Location: Cape Cod, Massachusetts

Unread postby Mat2 » August 23rd, 2005, 4:52 am

Hi

You may want to print out these instructions or save them as a text file with Notepad to your desktop because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Read this instructions carefully and feel free to ask if you're unsure about something

Next please run HijackThis, click Do A System Scan Only, and check the following:

O4 - HKLM\..\Run: [t77U36X] rciv_32.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\mdxml3r.dll (file missing)


Press Fix Checked, HJT will prompt you to confirm if you would like to remove those items, select Yes.

1. Restart your computer. As your computer restarts, repeatedly press the F8 key on your keyboard until the Windows Advanced Options menu appears.
2. Use the arrow key to select Safe Mode, and then press ENTER.
3. Use an arrow key to select an operating system and press ENTER.
4. When prompted whether you want your Windows to run in safe mode, click Yes.

  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View Tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK



Search for and delete these files (if present):

rciv_32.exe

Restart Windows back into normal mode and post back here a new HJT log. Image
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

Unread postby tmages » August 23rd, 2005, 7:03 am

Here is the latest and greatest !!

Logfile of HijackThis v1.99.1
Scan saved at 7:01:13 AM, on 8/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\E_S00RP2.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Conversions Plus\FORMATM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\System32\fast.exe
C:\WINDOWS\System32\qttask.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Conversions Plus\MacName.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Fast.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tmages.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.tmages.com/"); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\zfy1lt5t.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Jim\Application Data\Mozilla\Profiles\default\zfy1lt5t.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\System32\fast.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\System32\qttask.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\Conversions Plus\MacLic.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: MacName.lnk = C:\Program Files\Conversions Plus\MacName.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npaudio.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted Zone: http://www.pogo.com
O16 - DPF: Aces Up! by pogo - http://game1.pogo.com/applet-6.2.2.66/a ... assets.cab
O16 - DPF: Backgammon by pogo - http://game1.pogo.com/applet-6.2.2.66/b ... assets.cab
O16 - DPF: Blackjack by pogo - http://game1.pogo.com/applet-6.2.2.51/b ... assets.cab
O16 - DPF: Chess by pogo - http://game1.pogo.com/applet-6.1.5.21/c ... assets.cab
O16 - DPF: Euchre by pogo - http://game1.pogo.com/applet-6.1.1.29/e ... assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-6.1.1. ... assets.cab
O16 - DPF: Harvest Mania by pogo - http://game1.pogo.com/applet-6.2.5.28/h ... assets.cab
O16 - DPF: High Stakes Poker by pogo - http://game1.pogo.com/applet-6.1.4.29/d ... assets.cab
O16 - DPF: High Stakes Pool by pogo - http://game1.pogo.com/applet-6.1.3.28/p ... assets.cab
O16 - DPF: Jigsaw Detective by pogo - http://game3.pogo.com/applet-6.0.2.21/j ... assets.cab
O16 - DPF: Lottso by pogo - http://game1.pogo.com/applet-6.2.0.37/l ... assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://game1.pogo.com/applet-6.3.1.33/m ... assets.cab
O16 - DPF: Pai Gow by pogo - http://game1.pogo.com/applet-6.2.1.34/p ... assets.cab
O16 - DPF: Payday FreeCell by pogo - http://game1.pogo.com/applet-6.2.5.28/f ... assets.cab
O16 - DPF: Perfect Pair Solitaire by pogo - http://game1.pogo.com/applet-6.2.5.42/w ... assets.cab
O16 - DPF: Phlinx by pogo - http://game1.pogo.com/applet-6.3.0.46/f ... assets.cab
O16 - DPF: Pinochle by pogo - http://game4.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: Pirate's Gold by pogo - http://game1.pogo.com/applet-6.2.1.41/p ... assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: PoppaZoppa by pogo - http://game1.pogo.com/applet-6.3.0.53/p ... assets.cab
O16 - DPF: Poppit by pogo - http://game1.pogo.com/applet-6.2.1.27/p ... assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.1.1.29/p ... assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game1.pogo.com/applet-6.2.1.27/s ... assets.cab
O16 - DPF: Squelchies by pogo - http://game1.pogo.com/applet-6.2.2.51/s ... assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://game1.pogo.com/applet-6.2.4.32/s ... assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://game1.pogo.com/applet-6.2.0.37/h ... assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game1.pogo.com/applet-6.3.0.46/p ... assets.cab
O16 - DPF: Tumble Bees by pogo - http://game1.pogo.com/applet-6.3.1.26/j ... assets.cab
O16 - DPF: Video Poker by pogo - http://vpoker.pogo.com/applet-6.0.3.28/ ... assets.cab
O16 - DPF: WordJong by pogo - http://game1.pogo.com/applet-6.2.2.51/w ... assets.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... 0-3-12.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 8638758687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 4500309500
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmatch.com/graphics/Web ... LRadio.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsup ... veData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Smlt\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: EPSON V3 Service2(02) (EPSON_PM_RPCV2_02) - SEIKO EPSON CORPORATION - C:\WINDOWS\System32\E_S00RP2.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: MacFormatService - Unknown owner - C:\Program Files\Conversions Plus\FORMATM.EXE" /SERVICE (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

:)
tmages
Active Member
 
Posts: 6
Joined: August 21st, 2005, 5:32 pm
Location: Cape Cod, Massachusetts

Unread postby Mat2 » August 23rd, 2005, 8:29 am

Hi

This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-

Hide System Files

  1. Click Start.
  2. Open My Computer.
  3. SelectTools menu
  4. Click Folder Options.
  5. Select the View Tab.
  6. Uncheck Show hidden files and foldersin the Hidden files and folders section.
  7. Select Hide protected operating system files (recommended) option.
  8. Check the Hide file extensions for known file types option.
  9. Click Yes.
  10. Click OK.



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:


Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.

Click once on the Security tab

Click once on the Internet icon so it becomes highlighted.

Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialise and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Download Adaware

Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this

The program is available for download here

Download Spybot

Spybot is a scanner like adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and pretection measures. Spybot has preventitive tools that stop programs from even installing on your computer.
To see how to set this up as well as more spybot features, see here

Spybot can be downloaded from here

Download SpywareBlaster

Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here

You can download SpywareBlaster here

Download iespyad

It puts many bad webpages on your restricted zones list. This means that you can still view the "bad" webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
If you need help understanding how it works, there is a tutorial here

Download it from here

hosts file:

o Every version of windows has a hosts file as part of them.
o In a very basic sense, they are used to locate webpages.
o We can customize a hosts file so that it blocks certain webpages.
o However, it can slow down certain computers.
o This is why using a hosts file is optional!!

Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here

If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:

Click the start button (at the lower left hand corner of your screen)
Click run
In the dialog box, type services.msc
hit enter, then locate dns client
Highlight it, then double-click it.
On the dropdown box, change the setting from automatic to manual.
Click ok

Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below

Software Firewalls

Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:

Antivirus Software

Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Visit Microsoft's Windows Update Site Frequently - It is important that you visit Windows Update Site regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

Unread postby tmages » August 24th, 2005, 7:02 am

:D Wonderful !!!!

Thank you so much for the recommendations. I have installed them to prevent future problems.

Thank you and everyone here, you all do such wonderfull work!!!

Take care,
Deb and Jim

:D :) :D :)
tmages
Active Member
 
Posts: 6
Joined: August 21st, 2005, 5:32 pm
Location: Cape Cod, Massachusetts

Unread postby Mat2 » August 24th, 2005, 8:59 am

Image


Take Care & Happy Computing.


Image
User avatar
Mat2
Retired Graduate
 
Posts: 1003
Joined: May 29th, 2005, 4:41 am
Location: Behind The Server

Unread postby NonSuch » September 14th, 2005, 4:21 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 27304
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 44 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware