1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

I think I've been hijacked...please help..log file...

Discussion in 'Virus & Other Malware Removal' started by JETFAN, Feb 4, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. JETFAN

    JETFAN Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    6
    Logfile of HijackThis v1.99.0
    Scan saved at 4:57:16 AM, on 2/4/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\system32\CCM\CcmExec.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\mswv32.exe
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\system32\hkcmd.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
    C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    C:\WINNT\system32\cmd.exe
    C:\Documents and Settings\charlmaz\Local Settings\Temp\HijackThis.exe
    C:\WINNT\addjh32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\charlmaz\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ullsv.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ullsv.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ullsv.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ullsv.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ullsv.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ullsv.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ullsv.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {9E42230A-0C51-0662-4D26-1511433F6D31} - C:\WINNT\crtl.dll
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
    O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
    O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    O4 - HKLM\..\Run: [addjh32.exe] C:\WINNT\addjh32.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O14 - IERESET.INF: START_PAGE_URL=http://www.scholastic.com
    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.scholasticinc.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.scholasticinc.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.scholasticinc.local
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Client Access Express Remote Command - IBM Corporation - C:\WINNT\CWBRXD.EXE
    O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
  2. JETFAN

    JETFAN Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    6
    My home page keeps getting replaced by About:help and i get an error/popup that states:

    WARNING! Windows detected Spy Software"sspMydoom.cih ver.2.018. Somebody is trying to access you through port 245. Your private information is in danger.

    Click okay for info on how to remove this software.


    Can anyone please help???
     
  3. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Read all these instructions carefully, Print them out and download all the things mentioned before starting

    First download CWshredder from http://www.intermute.com/spysubtract/cwshredder_download.html and install it and update it, DO not run it yet
    Also
    Click here to download AboutBuster created by Rubber Ducky.

    Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode.

    Download pocket killbox from Download pocket killbox from http://www.thespykiller.co.uk/files/killbox.exe & put it on the desktop where you can find it easily

    Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line. Copy these instructions to notepad and save them on your desktop for easy access. You must follow these directions exactly and you cannot skip any part of it.

    Now boot into safe mode

    How to start your computer in safe mode

    Run hijackthis, tick these entries listed below and ONLY these entries, double check to make sure, then make sure all browser & email windows are closed and press fix checked


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ullsv.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ullsv.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ullsv.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ullsv.dll/sp.html#12345
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ullsv.dll/sp.html#12345
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ullsv.dll/sp.html#12345
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ullsv.dll/sp.html#12345
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {9E42230A-0C51-0662-4D26-1511433F6D31} - C:\WINNT\crtl.dll

    O4 - HKLM\..\Run: [addjh32.exe] C:\WINNT\addjh32.exe

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

    O15 - Trusted Zone: *.frame.crazywinnings.com
    O15 - Trusted Zone: *.static.topconverting.com
    O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
    O15 - Trusted Zone: *.static.topconverting.com (HKLM)

    now run killbox and paste each of these lines into the box, select standard file delete then press the red X button,say yes to the prompt then continue to paste the lines in in turn and follow the above procedure every time,

    C:\WINNT\crtl.dll
    C:\WINNT\system32\ullsv.dll
    C:\WINNT\addjh32.exe
    C:\WINNT\system32\mswv32.exe

    Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.

    then Run Cwshredder
    Close all browser windows, click on the cwshredder.exe then click "FIX" (Not "Scan only") and let it do it's thing.


    then as some of the files or folders you need to delete may be hidden do this:
    Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    then Go to Start > Run and type %temp% in the Run box, press OK . The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder.

    then go to C:\windows\temp and select EVERYTHING except temporary internet files, cookies and history folders and delete all that and then do the same for C:\temp

    1) Open Control Panel
    2) Click on Internet Options
    3) On the General Tab, in the middle of the screen, click on Delete Files
    4) You may also want to check the box "Delete all offline content"
    5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
    6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

    then
    Run adaware

    Download and unzip or install this program/application if you haven't already got it. If you have it, then make sure it is updated and configured as described

    AdAware SE from http://www.lavasoft.de/support/download
    and while you are at the adaware site download and install http://www.lavasoft.de/software/addons/vx2cleaner.shtml
    and run it before the main adaware scan and follow it's directions
    Run ADAWARE

    Before you scan with AdAware, check for updates of the reference file by using the "webupdate".
    the current ref file should read at least SE1R26 25.01.2005 or a higher number/later date

    Set up the Configurations as follows:

    General Button
    Safety:
    Check (Green) all three.

    Click on "Proceed"

    Please deselect "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

    Click on "Scan Now"

    Run the scanner using the Full Scan (Perform full system scan) mode.

    When scan is finished, mark everything for removal and get rid of it. (Right-click the window and choose"select all" from the drop down menu) then press next and then say yes to the prompt, do you want to remove all these entries.

    NOW REBOOT

    Run an online antivirus check from
    http://housecall.trendmicro.com/

    Make sure autoclean is ticked

    reboot again

    These hijackers are known to alter or delete certain files so check this out please:

    Download the Hoster from here . UnZip the file and run hoster then press "Restore Original Hosts" and press "OK". Exit Program.

    If you have Spybot S&D installed you will also need to replace one file.
    Go here and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

    Check in the System32 folder to be sure you have a file named Shell.dll. If you do not have one, go to System32\dllcache
    Find shell.dll and right click on it. Choose Copy from the menu.
    Open System32 and right click on an empty space in the window. Choose Paste from the menu.


    control.exe may have been deleted.
    See if control.exe is present in C:\winnt\system32

    If control.exe isn't there, go here, and download control.exe per the instructions at the site.

    IMPORTANT!: Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.


    download http://www.mvps.org/winhelp2002/DelDomains.inf and place it of desktop
    right click the file and select install, that will reset the trusted zone domains that have been wrongly placed there

    Then post a new hijackthis log to check please
     
  4. crushbone

    crushbone

    Joined:
    Aug 5, 2004
    Messages:
    1,137
    Hello JETFAN and Welcome to TSG! :D

    Open Task Manager (ctrl+alt+delete) and find and end the following process:
    mswv32.exe

    Find and delete the following file:
    C:\WINNT\system32\mswv32.exe

    Run HijackThis and fix the following entries:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ullsv.dll/sp.html#12345

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ullsv.dll/sp.html#12345

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\ullsv.dll/sp.html#12345

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\ullsv.dll/sp.html#12345

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\ullsv.dll/sp.html#12345

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ullsv.dll/sp.html#12345

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\ullsv.dll/sp.html#12345

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {9E42230A-0C51-0662-4D26-1511433F6D31} - C:\WINNT\crtl.dll


    Open Internet Explorer and at the top click on "Tools" and choose "Internet Options". Click on the "Advanced" tab and untick "Enable third-party browser extensions". Click on "Apply" then "OK".

    Download Ad-Aware SE from here:
    http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button

    Install and run Ad-Aware SE. On the bottom right corner of Ad-Aware you will see an option called "Check for updates now", click on that and choose "connect". Download the updates. Next click on "Scan now" on the left side of Ad-Aware. Make sure that "Search for negligible risk entries" is crossed out and not ticked. Choose "Perform full system scan" and click "Next". After Ad-Aware scans your computer, Ad-Aware may find some bad files on your computer so make sure you tick them all and choose "Next". It will ask if you want to remove those items so just continue. After removing the items close Ad-Aware.

    Download Spybot S&D from here:
    http://users.skynet.be/fa936042/spybotsd13.exe

    Install and run Spybot S&D. Choose "Search for updates". Next choose "Download updates". After that, choose "Search and Destroy" and click on "Check for problems". If Spybot finds any nasties on your computer, make sure that they are ticked and choose "Fix selected problems".

    Download SpywareBlaster from here:
    http://www.majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef

    Install and run SpywareBlaster. Click on "Updates" and then choose "Check for updates". Next choose "Protection" and at the top you will see different tabs which are Internet Explorer, Restricted sites and Mozilla/Firefox. Choose one of them at a time and at the bottom click "Protect Against Checked Items" (make sure that all of the items are checked). Tick the boxes above the items. Make sure you do this for all of the top tabs. Mozilla/Firefox you only need to do if you have the user profiles on your computer. You may now exit out of SpywareBlaster.

    Download CWShredder from here:
    http://cwshredder.net/bin/CWSInstall.exe

    Install and run CWShredder. Click on "Check for Update" and download the latest updates. Next, click on "Fix". Exit out of CWShredder.

    Download DelDomains from here:
    http://www.mvps.org/winhelp2002/DelDomains.inf

    Right-Click and select "Install". This will get rid of the O15 entries in HijackThis.

    Restart your computer and post a fresh HijackThis log back on this thread.
     
  5. JETFAN

    JETFAN Thread Starter

    Joined:
    Feb 4, 2005
    Messages:
    6
    Logfile of HijackThis v1.99.0
    Scan saved at 8:42:24 PM, on 2/4/2005
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\system32\regsvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\system32\CCM\CcmExec.exe
    C:\WINNT\Explorer.EXE
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
    C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\PROGRA~1\WinZip\WINZIP32.EXE
    C:\Documents and Settings\charlmaz\My Documents\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
    O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
    O4 - HKLM\..\Run: [CPortPatch] C:\WINNT\DockQuickInstall\cppch.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [D-Link AirPlus Xtreme G] C:\Program Files\D-Link\AirPlus Xtreme G\AirPlusCFG.exe
    O4 - HKLM\..\Run: [ANIWZCSService] C:\Program Files\Alpha Networks\ANIWZCS Service\WZCSLDR.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.scholasticinc.local
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.scholasticinc.local
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.scholasticinc.local
    O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: Client Access Express Remote Command - Unknown - C:\WINNT\CWBRXD.EXE (file missing)
    O23 - Service: Symantec AntiVirus Definition Watcher - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: SAVRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    That looks better

    Any more problems or do you feel OK now
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    please go to http://www.thespykiller.co.uk/forum/index.php and upload these files so I can examine them and distribute them to antivirus companies.
    Just press new topic, fill in the needed details and just give a link to your posts here & then press the browse button and then navigate to & select the files on your computer, If there is more than 1 file then press the more attachments button for each extra file and browse and select etc and then when all the files are listed in the windows press send to upload the files ( do not post HJT logs there as they will not get dealt with)

    Files to submit:

    anything inside the C:\!submit folder which is where killbox should have made copies of all the files it deleted
     
  8. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    I am locking this thread to prevent any more additions

    Jetfan

    If you still have problems please PM me or any other moderator & we will reopen this thread for you
     
  10. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/326616

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice