Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Logfile of HijackThis v1.99.1

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Logfile of HijackThis v1.99.1

Unread postby cathdeb » November 14th, 2005, 2:20 am

HP Support had me do a system recovery to factory settings as among other things my computer would not shut down.Could someone please check this for me.

Logfile of HijackThis v1.99.1
Scan saved at 1:13:52 AM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... pf=desktop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 1936912562
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida
Advertisement
Register to Remove

Unread postby askey127 » November 14th, 2005, 5:35 pm

Cathdeb,
There is not much of anything wrong with your log.
Are you having a specific problem, or just checking?
-----------------------------------------------------------
Remove log items with HighjackThis. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Scan. When the Scan is complete, Check the following entries:
You can remove the Realtek Audio tracking stuff like so, if you wish. This is not a major problem.
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

This program has bugs and may be troublesome, but is not malware. If you wish, check it so it does not start automatically
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
Make sure all other windows except HJT are closed, and Click Fix Checked.
-----------------------------------------------------------
Do you want to look deeper into the system?

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

re:

Unread postby cathdeb » November 14th, 2005, 9:22 pm

Hello,
something is chging my settings.I don,t think it is so much as a virus but that someone is remotely accessing my computer.Iam also finding new files on my computer that I haven't created.Do you know of a web site I could go on to learn about what to look for in the regisry? any help would be greatlly appreciated.
cathdeb
a.k.a Debbie
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

Unread postby askey127 » November 14th, 2005, 10:01 pm

Cathdeb,
I'm concerned about a rootkit infection here. Don't surf the internet any more than necessary while we continue with this.
You may want to print this out or save it to a Notepad file on your desktop, as you will not have Internet access in Safe mode.
-----------------------------------------------------------
Download and install CCleaner from here.
Run CCleaner.
( Do not use the Issues block )
Click on the Options block on the left. Select Advanced.
Uncheck "Only delete files in Windows Temp folders older than 48 hours".
Click on the Cleaner block on the left. Choose the Windows tab.
Check everything Except Cookies, Autocomplete Form History, and the Advanced part of the Menu.
Click the Run Cleaner button. This process could take a while.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit.
-----------------------------------------------------------
Download F-Secure's trial Blacklight program :
http://www.f-secure.com/blacklight/try.shtml
Print out the help page for guidance.
Ok the license.
Check scan through Windows Explorer
Click Scan
When animated graphics disappears, click Next
Note any files and their locations that appear in the output summary.
-----------------------------------------------------------
Please download, install, and update the free trial version of Ewido trojan scanner: from here : http://www.ewido.net/en/download/
There is an unofficial set of instructions in pdf format here : http://www.greyknight17.com/spy/Tutorials/ewidoQuickGuide.pdf
* Install ewido security suite
* When installing, under "Additional Options", Uncheck "Install background guard" and Uncheck "Install scan via context menu".
* Launch ewido, there should now be an icon on your desktop. Double-click it.
* The program will go to its main screen
* On the left hand side of the main screen click Update.
* Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can also use the same download link http://www.ewido.net/en/download/ to manually update ewido.
-----------------------------------------------------------
Start Your Computer in Safe Mode.
Reboot into Safe Mode by hitting the F8 key repeatedly as the machine boots, until a menu shows up. Choose Safe Mode from the list.
In some systems, this may be the F5 key, so try that if F8 doesn't work.
-----------------------------------------------------------
Close all open windows/programs/folders. Have Nothing else open while ewido performs its scan!.
It's extremely important not to open any windows while the scan is in progress.
Now Run Ewido
* Click on scanner
* Click on Settings
* Under "How to scan" all boxes should be selected
* Under "Possibly unwanted software" all boxes should be selected
* Under "What to scan" select scan every file
* Click OK
* Click on Complete system scan
* Let the program scan the machine
* If ewido finds anything, it will pop up a notification.
* Let it fix whatever it finds
Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
* Click Save report
* Save the report to your desktop
* Exit ewido
When you compose your reply, paste the contents of the report into it..

To summarize, we need any items reported by Blacklight, and the report from Ewido.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

please help!

Unread postby cathdeb » November 16th, 2005, 1:17 am

I have been having problems in completing the instructions you left for me.my settings keep chging even in norton.and the computer will not go into safe mode.i've tried serveral time.when i first ran ewido it did find one infected virus and i think it called it malwarewhen i typed malware.com in address bar this is what it showed

enter |



The examination of security on the internet

Quick Summary:

RealNetworks RealPlayer Drag And Drop Zone Bypass Vulnerability
http://www.securityfocus.com/bid/12410
Microsoft Internet Explorer Search Pane URI Obfuscation Vulnerability
http://www.securityfocus.com/bid/11851
Microsoft Internet Explorer HTML Help Control Local Zone Security Restriction Bypass Vulnerability
http://www.securityfocus.com/bid/11467
Microsoft Internet Explorer Valid File Drag and Drop Embedded Code Vulnerability
http://www.securityfocus.com/bid/11466
Microsoft Outlook Express Plaintext Email Security Policy Bypass Vulnerability
http://www.securityfocus.com/bid/11447
Microsoft Internet Explorer MHTML Content-Location Cross Security Domain Scripting Vulnerability
http://www.securityfocus.com/bid/10979
Microsoft Internet Explorer Implicit Drag and Drop File Installation Vulnerability
http://www.securityfocus.com/bid/10973
Microsoft Internet Explorer Shell.Application Object Script Execution Weakness
http://www.securityfocus.com/bid/10652
Trend Micro Scanning Engine Report Generation HTML Injection Vulnerability
http://www.securityfocus.com/bid/10456
Microsoft Outlook 2003 Media File Script Execution Vulnerability
http://www.securityfocus.com/bid/10369
Microsoft Outlook Mail Client E-mail Address Verification Weakness
http://www.securityfocus.com/bid/10323
Microsoft Internet Explorer Embedded Image URI Obfuscation Weakness
http://www.securityfocus.com/bid/10308
Microsoft Outlook 2003 Predictable File Location Weakness
http://www.securityfocus.com/bid/10307
Microsoft Internet Explorer HTML Form Status Bar Misrepresentation Vulnerability
http://www.securityfocus.com/bid/10023
Multiple Outlook/Outlook Express Predictable File Location Weaknesses
http://www.securityfocus.com/bid/9709
Microsoft Internet Explorer CLSID File Extension Misrepresentation Vulnerability
http://www.securityfocus.com/bid/9510
Microsoft Windows XP Explorer Self-Executing Folder Vulnerability
http://www.securityfocus.com/bid/9487
Microsoft Internet Explorer Malicious Shortcut Self-Executing HTML Vulnerability
http://www.securityfocus.com/bid/9335
L-Soft Listserv Multiple Cross-Site Scripting Vulnerabilities
http://www.securityfocus.com/bid/9307
Microsoft Internet Explorer Self Executing HTML Arbitrary Code Execution Vulnerability
http://www.securityfocus.com/bid/8984
Microsoft Internet Explorer XML Page Object Type Validation Vulnerability
http://www.securityfocus.com/bid/8565
Microsoft Internet Explorer Browser Popup Window Object Type Validation Vulnerability
http://www.securityfocus.com/bid/8556
Microsoft Outlook Express Script Execution Weakness
http://www.securityfocus.com/bid/8281
Microsoft Windows Media Player IE Zone Access Control Bypass Vulnerability
http://www.securityfocus.com/bid/8263
Microsoft Windows Media Player Automatic File Download and Execution Vulnerability
http://www.securityfocus.com/bid/7640
Microsoft Internet Explorer Self Executing HTML File Vulnerability
http://www.securityfocus.com/bid/6961
Microsoft Outlook and Outlook Express Arbitrary Program Execution Vulnerability
http://www.securityfocus.com/bid/6923
ZyXEL DSL Modem Default Remote Administration Password Vulnerability
http://www.securityfocus.com/bid/6671
Microsoft Windows Media Player File Attachment Script Execution Vulnerability
http://www.securityfocus.com/bid/5543
Microsoft Outlook Express MHTML URL Handler File Rendering Vulnerability
http://www.securityfocus.com/bid/5473
Microsoft Internet Explorer File Attachment Script Execution Vulnerability
http://www.securityfocus.com/bid/5450
Microsoft Outlook Express XML File Attachment Script Execution Vulnerability
http://www.securityfocus.com/bid/5350
Microsoft Temporary Internet File Execution Vulnerability
http://www.securityfocus.com/bid/4387
Brian Dorricott MAILTO Unauthorized Mail Server Use Vulnerability
http://www.securityfocus.com/bid/3669
Microsoft Outlook Express 6 Plain Text Message Script Execution Vulnerability
http://www.securityfocus.com/bid/3334
Outlook Express 6 Attachment Security Bypass Vulnerability
http://www.securityfocus.com/bid/3271
Qualcomm Eudora Hidden Attachment Execution Vulnerability
http://www.securityfocus.com/bid/2796
Opera Web Browser 5 Warning Dialogue Bypass Vulnerability
http://www.securityfocus.com/bid/2647
Rit Research Labs "The Bat!" Concealed Attachment Vulnerability
http://www.securityfocus.com/bid/2530
Qualcomm Eudora 'Use Microsoft Viewer' Code Execution Vulnerability
http://www.securityfocus.com/bid/2490
Microsoft Outlook Concealed Attachment Vulnerability
http://www.securityfocus.com/bid/2260
Microsoft Internet Explorer and Outlook/Outlook Express Remote File Write Vulnerability
http://www.securityfocus.com/bid/1394
Microsoft Active Movie Control Filetype Vulnerability
http://www.securityfocus.com/bid/1221
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

Unread postby askey127 » November 16th, 2005, 6:34 am

Cathdeb,
Try to download and run Blacklight.

If the machine won't go into Safe mode, run Ewido from Normal mode and save the report.

From Start, All Programs, Accessories, Command prompt type in chkdsk c:
Let it scan, and note whether it finds any corrupt sectors.

Have your hardware scanned at http://www.pcpitstop.com.
In the first paragraph of the page, click full PC tuneup, follow directions, including registering, and let it run a scan. This can find hardware related difficulties.

Try all of the above and let me know what happens.
askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

reply

Unread postby cathdeb » November 17th, 2005, 9:50 am

hello askey 127

when i did the disk check it would not complete the last stage.do you know
why i can't go into safe mode?what the reasons could be.when i went to pcpitstop it showed me adjustments that i needed to make,which i did.
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

Unread postby askey127 » November 17th, 2005, 11:02 am

Cathdeb,

What were the results from Blacklight?
If you didn't note results, run it again, and be sure to WAIT for it to finish.
-----------------------------------------------------------
Run chkdsk so it fixes what it finds.
Click on Start, Programs, Accessories, Command Prompt.
When the black DOS window appears, type chkdsk c: /F
When it finishes the 3-stage scan, notice if it finds any new bad files or sectors.
If it finds anything defective, write down what it is, and include it in your reply.
If it then asks whether it should unload the volume because it cannot fix, etc. from a volume in use, tell it to do so and let it reboot .

Click the window "X" to exit the command window.

To summarize, I'm looking for the blacklight results and notes from what chkdsk says.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

reply

Unread postby cathdeb » November 18th, 2005, 8:31 am

I feel as though there is a battle between me and the computer.It has been difficult as some of my settings have been disable/changed.iam saw a file that says online backup on my start menu.I will follow insructions and post back the results.I found this on my computer.I am not sure what
it is I am having problem with intel graphics display
{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fswiss\fcharset0 Arial;}}
{\*\generator Msftedit 5.41.15.1507;}\viewkind4\uc1\pard\f0\fs20 **** Run Keys ****\par
\par
RUN: [ehTray] C:\\WINDOWS\\ehome\\ehtray.exe \par
RUN: [SunJavaUpdateSched] C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe \par
RUN: [hpsysdrv] c:\\windows\\system\\hpsysdrv.exe \par
RUN: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe \par
RUN: [HotKeysCmds] C:\\WINDOWS\\system32\\hkcmd.exe \par
RUN: [AGRSMMSG] AGRSMMSG.exe \par
RUN: [HPHUPD06] c:\\Program Files\\HP\\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D\}\\hphupd06.exe \par
RUN: [HPHmon06] C:\\WINDOWS\\system32\\hphmon06.exe \par
RUN: [KBD] C:\\HP\\KBD\\KBD.EXE \par
RUN: [TkBellExe] "C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe" -osboot \par
RUN: [iTunesHelper] C:\\Program Files\\iTunes\\iTunesHelper.exe \par
RUN: [Recguard] C:\\WINDOWS\\SMINST\\RECGUARD.EXE \par
RUN: [ccApp] "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe" \par
RUN: [PS2] C:\\WINDOWS\\system32\\ps2.exe \par
RUN: [SoundMan] SOUNDMAN.EXE \par
RUN: [AlcWzrd] ALCWZRD.EXE \par
RUN: [Alcmtr] ALCMTR.EXE \par
RUN: [LSBWatcher] c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe \par
RUN: [Reminder] "C:\\Windows\\Creator\\Remind_XP.exe" \par
RUN: [Symantec NetDriver Monitor] C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer \par
RUN: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe \par
\par
\par
**** Browser Helper Objects ****\par
\par
BHO: [AcroIEHlprObj Class] C:\\Program Files\\Adobe\\Acrobat 6.0\\Reader\\ActiveX\\AcroIEHelper.dll \par
BHO: [CNavExtBho Class] c:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\NavShExt.dll \par
\par
\par
**** IE Toolbars ****\par
\par
TOOLBAR: [HP view] c:\\Program Files\\HP\\Digital Imaging\\bin\\HPDTLK02.dll \par
TOOLBAR: [HP view] c:\\Program Files\\HP\\Digital Imaging\\bin\\HPDTLK02.dll \par
TOOLBAR: [Norton AntiVirus] c:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\NavShExt.dll \par
\par
\par
**** IE Extensions ****\par
\par
IEExt: [] \par
IEExt: [Research] \par
IEExt: [Messenger] C:\\Program Files\\Messenger\\msmsgs.exe \par
\par
\par
**** Hosts File Entries ****\par
\par
HOSTS: 127.0.0.1 localhost \par
HOSTS: 127.0.0.1 localhost \par
\par
\par
**** IE Settings ****\par
\par
Default Page: http://www.microsoft.com/isapi/redir.dl ... ar=msnhome \par
Default Search: http://www.microsoft.com/isapi/redir.dl ... r=iesearch \par
Local Page: C:\\WINDOWS\\system32\\blank.htm \par
\par
\par
**** IE Context Menu (Right click) ****\par
\par
IEContext: [E&xport to Microsoft Excel] res://C:\\PROGRA~1\\MI1933~1\\OFFICE11\\EXCEL.EXE/3000 \par
\par
\par
**** Layered Service Providers ****\par
\par
LSP: MSAFD Tcpip [TCP/IP] \par
LSP: MSAFD Tcpip [UDP/IP] \par
LSP: RSVP UDP Service Provider \par
LSP: RSVP TCP Service Provider \par
LSP: MSAFD NetBIOS [\\Device\\NetBT_Tcpip_\{E845D547-BD08-4CB5-9C15-4A33A4C4DC91\}] SEQPACKET 3 \par
LSP: MSAFD NetBIOS [\\Device\\NetBT_Tcpip_\{E845D547-BD08-4CB5-9C15-4A33A4C4DC91\}] DATAGRAM 3 \par
LSP: MSAFD NetBIOS [\\Device\\NetBT_Tcpip_\{FA57B34C-C58A-4CA7-9065-B59CAE2E04FB\}] SEQPACKET 0 \par
LSP: MSAFD NetBIOS [\\Device\\NetBT_Tcpip_\{FA57B34C-C58A-4CA7-9065-B59CAE2E04FB\}] DATAGRAM 0 \par
LSP: MSAFD NetBIOS [\\Device\\NetBT_Tcpip_\{2B3999CB-5BFE-4553-83F7-E5D98A305455\}] SEQPACKET 7 \par
LSP: MSAFD NetBIOS [\\Device\\NetBT_Tcpip_\{2B3999CB-5BFE-4553-83F7-E5D98A305455\}] DATAGRAM 7 \par
LSP: MSAFD NetBIOS [\\Device\\NetBT_Tcpip_\{806D2A77-DA02-437A-8697-82CEA873675A\}] SEQPACKET 1 \par
LSP: MSAFD NetBIOS [\\Device\\NetBT_Tcpip_\{806D2A77-DA02-437A-8697-82CEA873675A\}] DATAGRAM 1 \par
LSP: MSAFD NetBIOS [\\Device\\NetBT_Tcpip_\{5AB0B083-40AF-4683-96A9-1B28EF6F403D\}] SEQPACKET 2 \par
LSP: MSAFD NetBIOS [\\Device\\NetBT_Tcpip_\{5AB0B083-40AF-4683-96A9-1B28EF6F403D\}] DATAGRAM 2 \par
\par
\par
**** Blocked Control Panel Items ****\par
\par
BLOCKED: [ncpa.cpl] No \par
BLOCKED: [odbccp32.cpl] No \par
\par
\par
**** Downloaded Program Files ****\par
\par
\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3\} [http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1131936912562] C:\\WINDOWS\\system32\\muweb.dll \par
\{8AD9C840-044E-11D1-B3E9-00805F499D93\} [http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab] \par
\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA\} [http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab] \par
\par
\par
**** Windows Services ****\par
\par
[Alerter] %SystemRoot%\\system32\\svchost.exe -k LocalService \par
[ALG] %SystemRoot%\\System32\\alg.exe \par
[AppMgmt] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[aspnet_state] %SystemRoot%\\Microsoft.NET\\Framework\\v1.1.4322\\aspnet_state.exe \par
[AudioSrv] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[BITS] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[Browser] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[ccEvtMgr] "c:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe" \par
[ccProxy] "c:\\Program Files\\Common Files\\Symantec Shared\\ccProxy.exe" \par
[ccPwdSvc] "c:\\Program Files\\Common Files\\Symantec Shared\\ccPwdSvc.exe" \par
[ccSetMgr] "c:\\Program Files\\Common Files\\Symantec Shared\\ccSetMgr.exe" \par
[CiSvc] %SystemRoot%\\system32\\cisvc.exe \par
[ClipSrv] %SystemRoot%\\system32\\clipsrv.exe \par
[COMSysApp] C:\\WINDOWS\\system32\\dllhost.exe /Processid:\{02D4B3F1-FD88-11D1-960D-00805FC79235\} \par
[CryptSvc] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[DcomLaunch] %SystemRoot%\\system32\\svchost -k DcomLaunch \par
[Dhcp] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[dmadmin] %SystemRoot%\\System32\\dmadmin.exe /com \par
[dmserver] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[Dnscache] %SystemRoot%\\system32\\svchost.exe -k NetworkService \par
[ehRecvr] C:\\WINDOWS\\eHome\\ehRecvr.exe \par
[ehSched] C:\\WINDOWS\\eHome\\ehSched.exe \par
[ERSvc] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[Eventlog] %SystemRoot%\\system32\\services.exe \par
[EventSystem] C:\\WINDOWS\\system32\\svchost.exe -k netsvcs \par
[ewido security suite control] C:\\Program Files\\ewido\\security suite\\ewidoctrl.exe \par
[ewido security suite guard] C:\\Program Files\\ewido\\security suite\\ewidoguard.exe \par
[FastUserSwitchingCompatibility] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[Fax] %systemroot%\\system32\\fxssvc.exe \par
[helpsvc] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[HidServ] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[HTTPFilter] %SystemRoot%\\System32\\svchost.exe -k HTTPFilter \par
[ImapiService] C:\\WINDOWS\\system32\\imapi.exe \par
[iPodService] "C:\\Program Files\\iPod\\bin\\iPodService.exe" \par
[ISSVC] "c:\\Program Files\\Norton Internet Security\\ISSVC.exe" \par
[lanmanserver] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[lanmanworkstation] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[LightScribeService] "c:\\Program Files\\Common Files\\LightScribe\\LSSrvc.exe" \par
[LmHosts] %SystemRoot%\\system32\\svchost.exe -k LocalService \par
[MDM] "C:\\Program Files\\Common Files\\Microsoft Shared\\VS7DEBUG\\MDM.EXE" \par
[Messenger] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[MHN] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[mnmsrvc] C:\\WINDOWS\\system32\\mnmsrvc.exe \par
[MSDTC] C:\\WINDOWS\\system32\\msdtc.exe \par
[MSIServer] C:\\WINDOWS\\system32\\msiexec.exe /V \par
[navapsvc] "c:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\navapsvc.exe" \par
[NetDDE] %SystemRoot%\\system32\\netdde.exe \par
[NetDDEdsdm] %SystemRoot%\\system32\\netdde.exe \par
[Netlogon] %SystemRoot%\\system32\\lsass.exe \par
[Netman] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[Nla] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[NtLmSsp] %SystemRoot%\\system32\\lsass.exe \par
[NtmsSvc] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[ose] "C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" \par
[PlugPlay] %SystemRoot%\\system32\\services.exe \par
[PolicyAgent] %SystemRoot%\\system32\\lsass.exe \par
[ProtectedStorage] %SystemRoot%\\system32\\lsass.exe \par
[RasAuto] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[RasMan] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[RDSessMgr] C:\\WINDOWS\\system32\\sessmgr.exe \par
[RemoteAccess] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[RemoteRegistry] %SystemRoot%\\system32\\svchost.exe -k LocalService \par
[RpcLocator] %SystemRoot%\\system32\\locator.exe \par
[RpcSs] %SystemRoot%\\system32\\svchost -k rpcss \par
[RSVP] %SystemRoot%\\system32\\rsvp.exe \par
[SamSs] %SystemRoot%\\system32\\lsass.exe \par
[SAVScan] "c:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\SAVScan.exe" \par
[SCardSvr] %SystemRoot%\\System32\\SCardSvr.exe \par
[Schedule] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[seclogon] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[SENS] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[SharedAccess] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[ShellHWDetection] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[SNDSrvc] "c:\\Program Files\\Common Files\\Symantec Shared\\SNDSrvc.exe" \par
[SPBBCSvc] "c:\\Program Files\\Common Files\\Symantec Shared\\SPBBC\\SPBBCSvc.exe" \par
[Spooler] %SystemRoot%\\system32\\spoolsv.exe \par
[srservice] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[SSDPSRV] %SystemRoot%\\system32\\svchost.exe -k LocalService \par
[stisvc] %SystemRoot%\\system32\\svchost.exe -k imgsvc \par
[SwPrv] C:\\WINDOWS\\system32\\dllhost.exe /Processid:\{A0F935C2-E3F4-44AE-BA9B-683FD4192D56\} \par
[SymWSC] "c:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\SymWSC.exe" \par
[SysmonLog] %SystemRoot%\\system32\\smlogsvc.exe \par
[TapiSrv] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[TermService] %SystemRoot%\\System32\\svchost -k DComLaunch \par
[Themes] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[TlntSvr] C:\\WINDOWS\\system32\\tlntsvr.exe \par
[TrkWks] %SystemRoot%\\system32\\svchost.exe -k netsvcs \par
[UMWdf] C:\\WINDOWS\\system32\\wdfmgr.exe \par
[upnphost] %SystemRoot%\\system32\\svchost.exe -k LocalService \par
[UPS] %SystemRoot%\\System32\\ups.exe \par
[VSS] %SystemRoot%\\System32\\vssvc.exe \par
[W32Time] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[WebClient] %SystemRoot%\\system32\\svchost.exe -k LocalService \par
[winmgmt] %systemroot%\\system32\\svchost.exe -k netsvcs \par
[WmdmPmSN] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[Wmi] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[WmiApSrv] C:\\WINDOWS\\system32\\wbem\\wmiapsrv.exe \par
[wscsvc] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[wuauserv] %systemroot%\\system32\\svchost.exe -k netsvcs \par
[WZCSVC] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
[xmlprov] %SystemRoot%\\System32\\svchost.exe -k netsvcs \par
\par
\par
**** Custom IE Search Items ****\par
\par
SEARCH: [SearchAssistant] http://ie.search.msn.com/\{SUB_RFC1766\}/srchasst/srchasst.htm \par
SEARCH: [CustomizeSearch] http://ie.search.msn.com/\{SUB_RFC1766\}/srchasst/srchcust.htm \par
\par
\par
**** Complete IE Options ****\par
\par
IEOPT: [NoUpdateCheck] \par
IEOPT: [NoJITSetup] \par
IEOPT: [Disable Script Debugger] yes \par
IEOPT: [Show_ChannelBand] No \par
IEOPT: [Anchor Underline] yes \par
IEOPT: [Cache_Update_Frequency] Once_Per_Session \par
IEOPT: [Display Inline Images] yes \par
IEOPT: [Do404Search] \par
IEOPT: [Local Page] C:\\WINDOWS\\system32\\blank.htm \par
IEOPT: [Save_Session_History_On_Exit] no \par
IEOPT: [Show_FullURL] no \par
IEOPT: [Show_StatusBar] yes \par
IEOPT: [Show_ToolBar] yes \par
IEOPT: [Show_URLinStatusBar] yes \par
IEOPT: [Show_URLToolBar] yes \par
IEOPT: [Start Page] http://www.cnn.com/ \par
IEOPT: [Use_DlgBox_Colors] yes \par
IEOPT: [Window_Placement] , \par
IEOPT: [Expand Alt Text] no \par
IEOPT: [Move System Caret] no \par
IEOPT: [NscSingleExpand] \par
IEOPT: [DisableScriptDebuggerIE] yes \par
IEOPT: [Error Dlg Displayed On Every Error] no \par
IEOPT: [NoWebJITSetup] \par
IEOPT: [Page_Transitions] \par
IEOPT: [FavIntelliMenus] no \par
IEOPT: [Enable Browser Extensions] yes \par
IEOPT: [UseThemes] \par
IEOPT: [Force Offscreen Composition] \par
IEOPT: [NotifyDownloadComplete] no \par
IEOPT: [AllowWindowReuse] \par
IEOPT: [Friendly http errors] yes \par
IEOPT: [ShowGoButton] yes \par
IEOPT: [SmoothScroll] \par
IEOPT: [Enable AutoImageResize] yes \par
IEOPT: [Enable_MyPics_Hoverbar] yes \par
IEOPT: [Play_Animations] yes \par
IEOPT: [Play_Background_Sounds] yes \par
IEOPT: [Display Inline Videos] yes \par
IEOPT: [Show image placeholders] \par
IEOPT: [Print_Background] no \par
IEOPT: [LastCheckedHi] \par
IEOPT: [FullScreen] no \par
IEOPT: [FormSuggest PW Ask] no \par
IEOPT: [AddToFavoritesExpanded] \par
IEOPT: [Check_Associations] yes \par
IEOPT: [Use FormSuggest] no \par
IEOPT: [AutoSearch] \par
IEOPT: [Default_Page_URL] http://www.microsoft.com/isapi/redir.dl ... ar=msnhome \par
IEOPT: [Default_Search_URL] http://www.microsoft.com/isapi/redir.dl ... r=iesearch \par
IEOPT: [Enable_Disk_Cache] yes \par
IEOPT: [Cache_Percent_of_Disk] \par
IEOPT: [Delete_Temp_Files_On_Exit] yes \par
IEOPT: [Local Page] %SystemRoot%\\system32\\blank.htm \par
IEOPT: [Anchor_Visitation_Horizon] \par
IEOPT: [Use_Async_DNS] yes \par
IEOPT: [Placeholder_Width] \par
IEOPT: [Placeholder_Height] \par
IEOPT: [Start Page] about:blank \par
IEOPT: [CompanyName] Microsoft Corporation \par
IEOPT: [Custom_Key] MICROSO \par
IEOPT: [Wizard_Version] 6.00.2800.1017 \par
IEOPT: [FullScreen] no \par
IEOPT: [Check_Associations] yes \par
}
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

re;prompt command

Unread postby cathdeb » November 18th, 2005, 8:39 am

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Cath and Deb> chkdsk c: /F
The type of the file system is NTFS.
Cannot lock current drive.

Chkdsk cannot run because the volume is in use by another
process. Would you like to schedule this volume to be
checked the next time the system restarts? (Y/N) Y

This volume will be checked the next time the system restarts.

C:\Documents and Settings\Cath and Deb>
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

re:

Unread postby cathdeb » November 18th, 2005, 5:06 pm

I had to reset my computer to factory settings as I was having problem after problem.Norton alerted me intrustion invalid source ip add intruder.hpistheway (0.1.0.4) risk level med dest ip add 224.0.0.22 protocol igmp.when i used xp cd to go into repair menu it only gave me two options one was H:fat32and H:I394 or something similar to it.it also showed \device\ cd rom on I\ and J\ it also said the bootsector is corrupt.when i did the command prompt D/ and rebooted it only did the C/ and it went so fast showing the results that i was unable to read it all.this is so frustrating!do you have any suggestions?Thank you for all youv'e done so far.

cathdeb
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

Unread postby askey127 » November 18th, 2005, 8:26 pm

Cathdeb,

The difficulties you are having do not sound like software/malware issues to me.
It DOES sound like some sort of hardware or BIOS problem. The motherboard or hard drive can cause boot sector issues. Hard drive failures are not rare, and when they begin they can cause the kind of symptoms you describe.
I would recommend taking the PC box to a repair center (Best Buy or other??) and getting sufficient repairs to validate the hardware installation; then when that is complete, we can help if there are still malware issues in the software.

At present the system behavior is not consistent enough to diagnose problems remotely as we are trying to do. We are unable to get sufficient diagnostic information to offer useful advice.

Once repairs are made the system should be easier to work on.

askey127
User avatar
askey127
Admin/Teacher
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

re:

Unread postby cathdeb » November 20th, 2005, 8:43 am

Thank you for the info and all your help.

deb
cathdeb
Regular Member
 
Posts: 47
Joined: October 13th, 2005, 8:48 am
Location: fort lauderdale,florida

Unread postby NonSuch » November 30th, 2005, 8:05 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
NonSuch
Administrator
Administrator
 
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California
Advertisement
Register to Remove


Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 305 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware