
Solved: 7th level, what is it, and it is bad

Discussion in 'Virus & Other Malware Removal' started by justfoo, Jan 30, 2005.

Thread Status:
Not open for further replies.
  1. justfoo

    justfoo Thread Starter

    Joined:
    Dec 31, 2004
    Messages:
    242
    Hi, I've discovered a folder called 7thlevel in my c:\program files folder, and have also seen files named like it in different places in my windows folder. What is this guy? It doesn't show up in my add remove programs list. Is it a game, and can I just delete the files? This would be tough as it seems there are a lot of them.
    Thanks in advance.
     
  2. xgerryx

    xgerryx

    Joined:
    May 16, 2003
    Messages:
    4,092
    There is a video game site by that name http://www.7thlevel.com/

    Do a search of your computer for "7thlevel". Right click and click properties on what it finds.
     
  3. justfoo

    justfoo Thread Starter

    Joined:
    Dec 31, 2004
    Messages:
    242
    Hi Gerry thanks for the reply.
    I did a search; right-clicking/properties on the files didn't tell me much.
    Here is where I found them:
    C:\Program files\7thlevel
    C:\WINDOWS\SYSTEM32\7thLevel

    I also discovered it in the registry as well:
    HKEY_CURRENT_USER
    SOFTWARE
    MICROSOFT
    Searchassistant
    5603 Name 000 Type RG_SZ Data 7thlevel
    5604 Name 000 Type RG_SZ Data 7thlevel
    HKEY_LOCAL_MACHINE
    SOFTWARE
    7th Level Inc,
    7th Level Media Player
    Agent7
    7thlevel
    There are some others, but I think they're in a windows system restore area, and I won't bother you with them.

    I visited the website you mentioned. It's more like an adware site as far as I could determine, with no way to contact 7thlevel or find out more, as well as its cheesy little pop-up when you exit the website grrr.

    Anyway thanks again Gerry, I'm hoping it's not some as yet undiscovered malicious spyware system of some sort hehe. And that I can just go ahead and delete the folders and the registry entries at some point when I get brave enough.
    P.S. Don't know if I entered this reply twice, as when I went to send the first reply I was told I was logged in. Oh well,
     
  4. xgerryx

    xgerryx

    Joined:
    May 16, 2003
    Messages:
    4,092
    I would just delete them, but would like to know how they got there.
    Try running "adaware and spybot". These two programs are safe to use and will clean a large number of uninvited guests from your computer. For the URLs look here: http://forums.techguy.org/t110854.html. Pop back and let us know how you get on.
     
  5. xgerryx

    xgerryx

    Joined:
    May 16, 2003
    Messages:
    4,092
    Second thoughts, seeing Searchassistant it might be an idea to do a HijackThis log and upload it so that some of the security team can have a look for you. Go here: http://forums.techguy.org/t110854.html and scroll down to parasitic to HijackThis.
     
  6. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I have moved this to the Security forum.

    Please post the Hijack This log as requested.
     
  7. justfoo

    justfoo Thread Starter

    Joined:
    Dec 31, 2004
    Messages:
    242
    Hey Gerry and all, did what you told me, and ran hijackthis. Here is what I got:
    Logfile of HijackThis v1.99.0
    Scan saved at 10:41:46 PM, on 1/30/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\ProcessSuite\Common\NTServApp.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\RealVNC\WinVNC\winvnc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Messenger Plus! 3\MsgPlus.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\AccessDirect\dadapp.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\MiscPrograms\PRINTKEY\Printkey2000.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Winwall\Winwall.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\iolo\Search and Recover\DiskImageService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\MiscPrograms\SpyWare\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://webmail.telusplanet.net/horde/imp/login.php?webmail=4cf9b3a37c3ced296c65500e11fbe146
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.telusplanet.net/horde/imp/login.php?webmail=4cf9b3a37c3ced296c65500e11fbe146
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://webmail.telusplanet.net/horde/imp/login.php?webmail=4cf9b3a37c3ced296c65500e11fbe146
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.telusplanet.net/horde/imp/login.php?webmail=4cf9b3a37c3ced296c65500e11fbe146
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
    R3 - Default URLSearchHook is missing
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Search and Recover Disk Image Service] C:\Program Files\iolo\Search and Recover\DiskImageService.exe
    O4 - Startup: Printkey2000.exe.lnk = C:\MiscPrograms\PRINTKEY\Printkey2000.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Startup: Winwall Autostart.lnk = C:\Program Files\Winwall\Winwall.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O16 - DPF: ChatSpace Full Java Client 3.1.0.235N - http://205.177.13.50/Java/cfsn31235.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E966BD98-AAC4-4968-BECE-02CE7895A08C}: NameServer = 199.185.220.36 199.185.220.52
    O23 - Service: APACS+ OPC Device Server - Siemens - C:\Program Files\ProcessSuite\OPCDeviceServer\APACSOPCDeviceServer.exe
    O23 - Service: avast! iAVS4 Control Service - Unknown - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Adroit Eventlog - Unknown - C:\Adroit\ELService.exe (file missing)
    O23 - Service: FS Service Control - Wonderware Corporation - C:\Program Files\ProcessSuite\Common\NTServApp.exe
    O23 - Service: InSQL Control - Wonderware Corporation - C:\Program Files\ProcessSuite\Historian\Server\InSQLCntlSvc.exe
    O23 - Service: InSQL DbServer - Wonderware Corp. - C:\Program Files\ProcessSuite\Historian\Server\PdsSrv.exe
    O23 - Service: InSQL Event System - Wonderware Corp. - C:\Program Files\ProcessSuite\Historian\Server\eventsys.exe
    O23 - Service: InSQL IODriver - Wonderware Corporation - C:\Program Files\ProcessSuite\Historian\Server\IODriver.exe
    O23 - Service: M-BUS/M-NET Administration - Siemens Energy & Automation - C:\Program Files\ProcessSuite\MBUSDRVR\mcontrol.exe
    O23 - Service: APACS+ NIM32 - Siemens Energy & Automation, Inc. - C:\Program Files\ProcessSuite\NIM\Nim32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Wonderware SuiteLink - Invensys Systems, Inc. - C:\Program Files\ProcessSuite\Common\slssvc.exe
    O23 - Service: VNC Server - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\winvnc.exe
    O23 - Service: Wonderware Logger - Wonderware Corporation - C:\Program Files\ProcessSuite\Common\wwlogsvc.exe
    O23 - Service: Wonderware NetDDE Helper - Invensys Systems, Inc. - C:\Program Files\ProcessSuite\Common\wwnetdde.exe
    O23 - Service: WwRpcSvr - Wonderware Corporation - C:\WINDOWS\System32\wwinstsvc.exe
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    I don't see anything in your log.

    I don't know of any security threats related to this, but if you want to remove it, delete the 7th level files and folders and delete those entries in the registry. You may have to delete the folder in safe mode.

    How to start your computer in safe mode
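
A first-pass triage of a HijackThis log like the one posted above, as an added example that is not part of the thread or any poster's words: it counts entries per section code, lists entries whose target file is absent, and checks whether any line references a given name. The function names are illustrative assumptions; the sample lines are copied from the log in this thread.

```python
import re
from collections import Counter

# Excerpt of the HijackThis log posted in this thread (lines copied verbatim).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\RealVNC\WinVNC\winvnc.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O9 - Extra button: (no name) - {578FC4E3-151E-456c-AF8E-B63061EFE228}} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E966BD98-AAC4-4968-BECE-02CE7895A08C}: NameServer = 199.185.220.36 199.185.220.52
O23 - Service: Adroit Eventlog - Unknown - C:\Adroit\ELService.exe (file missing)
O23 - Service: VNC Server - RealVNC Ltd. - C:\Program Files\RealVNC\WinVNC\winvnc.exe
"""

# An entry line is "<section code> - <detail>", e.g. "O23 - Service: ...".
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*)$")
# HijackThis marks entries whose target is gone with one of these suffixes.
ORPHAN = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)


def parse_entries(log_text):
    """Return (section_code, detail) for every entry line; process paths are skipped."""
    matches = (ENTRY.match(line) for line in log_text.splitlines())
    return [m.groups() for m in matches if m]


def find_keyword(log_text, keyword):
    """Return every log line mentioning keyword, ignoring case and spaces
    so that '7thlevel' also matches '7th Level'."""
    needle = keyword.lower().replace(" ", "")
    return [line.strip() for line in log_text.splitlines()
            if needle in line.lower().replace(" ", "")]


def triage(log_text, keyword):
    """Summarise a log: entry counts per section, orphaned entries, keyword hits."""
    entries = parse_entries(log_text)
    return {
        "per_section": Counter(code for code, _ in entries),
        "orphaned": [(c, d) for c, d in entries if ORPHAN.search(d)],
        "keyword_hits": find_keyword(log_text, keyword),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "7thlevel")
    print(dict(report["per_section"]), report["orphaned"], report["keyword_hits"], sep="\n")
```
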
     
  9. justfoo

    justfoo Thread Starter

    Joined:
    Dec 31, 2004
    Messages:
    242
    Thanks a lot FLRMAN1, I will do that.
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    You're Welcome! (y)
     
  11. justfoo

    justfoo Thread Starter

    Joined:
    Dec 31, 2004
    Messages:
    242
    Hi guys, just thought I'd follow up to end this thread.
    I finally got brave enough to delete all the registry entries, files and folders regarding 7thlevel with no ill effects to my pc. (y)

    Again, many thanks for your guidance.
    DF
     
  12. mjack547

    mjack547 Malware Specialist

    Joined:
    Sep 1, 2003
    Messages:
    3,181
    (y) Great job :)

    and if you could please mark this thread solved.
     
Short URL to this thread: https://techguy.org/324957
