
Solved: Compaq Laptop

Discussion in 'Virus & Other Malware Removal' started by spikefan, Jan 19, 2006.

  1. spikefan

    spikefan Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    185
    Hi,
    Relishing the challenge - found I am at home tomorrow afternoon so will proceed... getting excited now.
    Will post as soon as possible. Thanks again.
    Will leave the O17 entries as, although the laptop has been given to us, my husband does still work for the company, so I assume it could be recalled when they need it.
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,312
    I see you are in the UK so I believe the time difference is 5 hours between us. I will also be available tomorrow afternoon so I'm sure we'll be able to work together on this.
     
  3. spikefan

    spikefan Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    185
    Hi,
    Only took 6 hours. At first I was unable to do anything with LQfix until I removed the Microsoft AntiSpyware programme. Anyway, have run everything, have managed to install Service Pack 2 and have put Norton AntiVirus on - both updated. Logs are below:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:16:43, on 23/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\msiexec.exe
    E:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138038272529
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lathams.co.uk
    O17 - HKLM\Software\..\Telephony: DomainName = lathams.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{09D04B0C-FA9E-4A5A-98F9-15EF9B85EED9}: NameServer = 195.92.195.95 195.92.195.94
    O17 - HKLM\System\CCS\Services\Tcpip\..\{86D13A36-D478-4F13-BCFE-12BD3EB45CC6}: NameServer = 10.35.1.5
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lathams.co.uk
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

    Next one:

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 16:04:33, 23/01/2006
    + Report-Checksum: 6AA48054

    + Scan result:

    HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
    HKLM\SOFTWARE\Classes\MediaAccX.Installer\CLSID -> Spyware.WinAd : Cleaned with backup
    HKU\S-1-5-21-448539723-436374069-1957994488-1003\Software\LQ -> Dialer.Generic : Cleaned with backup
    C:\boota.exe -> Dropper.Agent.kd : Cleaned with backup
    C:\Documents and Settings\ossett\Cookies\[email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\ossett\Cookies\[email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\ossett\msdirectx.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\Program Files\Microsoft AntiSpyware\Quarantine\6615186C-9E96-43B7-8A3A-3E88CC\FD95A1FF-5E2A-4EF5-86DB-AC9240 -> Backdoor.Small.eo : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP195\A0076104.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP195\A0076121.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP195\A0077121.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP195\A0078121.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP195\A0078140.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP195\A0079140.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP195\A0079332.exe -> Dropper.Agent.kd : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP196\A0079340.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP200\A0081344.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP203\A0082342.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP203\A0082357.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP203\A0083356.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP203\A0083455.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP203\A0083460.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP203\A0083512.dll -> Spyware.EliteBar : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP203\A0083513.exe -> Backdoor.Rbot : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP203\A0084487.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP203\A0085505.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP203\A0085506.exe -> Trojan.EliteBar : Cleaned with backup
    C:\WINDOWS\etb\nt_hide79.dll -> Trojan.EliteBar.h : Cleaned with backup
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8N3V6VIO\nvs[1].exe -> Heuristic.Win32.Backdoor.IrcBot : Cleaned with backup
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PJWB2E72\setup_file[1].exe -> Dropper.Agent.za : Cleaned with backup
    C:\WINDOWS\system32\eliteggp32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\system32\gta.exe -> Backdoor.Rbot : Cleaned with backup
    C:\WINDOWS\system32\msconfig32.exe -> Backdoor.Rbot : Cleaned with backup
    C:\WINDOWS\system32\msdirectx.sys -> Trojan.Rootkit.h : Cleaned with backup
    C:\WINDOWS\system32\msua.exe -> Backdoor.Pest.1 : Cleaned with backup
    C:\WINDOWS\system32\nsdata.exe -> Heuristic.Win32.Backdoor.IrcBot : Cleaned with backup
    C:\WINDOWS\system32\uk.exe -> Dialer.Generic : Cleaned with backup
    C:\WINDOWS\system32\winsci.exe -> Backdoor.Rbot : Cleaned with backup
    C:\WINDOWS\uk.exe -> Dialer.Generic : Cleaned with backup


    ::Report End


    Last one, I think, is the Panda scan:


    Incident Status Location

    Adware:adware/bootporn Not disinfected C:\boot.exe
    Adware:adware/wupd Not disinfected Windows Registry
    Virus:W32/Sdbot.FJH.worm Disinfected C:\!KillBox\winpadg.exe
    Virus:Trj/Lowzones.GJ Disinfected C:\boot.exe
    Virus:Trj/Lowzones.GJ Disinfected C:\boot1.exe
    Virus:Trj/Lowzones.GJ Disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8N3V6VIO\dr[1].exe
    Adware:Adware/nCase Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8N3V6VIO\prompt_ie_win[1].js
    Adware:Adware/WUpd Not disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VNSU5K8T\test[1]
    Virus:W32/Ircbot.FF.worm Disinfected C:\WINDOWS\system32\mslanmgr.exe
    Potentially unwanted tool:Application/Processor Not disinfected E:\Nailfix.zip[Process.exe]
    Potentially unwanted tool:Application/Processor Not disinfected E:\Process.exe
    Adware:Adware/Lop Not disinfected E:\lopremover.exe
    Hope this was what you wanted. Have enjoyed doing this, even if the updates have taken a while. I hope things look a lot clearer and I look forward to speaking to you again later.

    Am I in front of or behind you - it is 19.24 here.

    Debs
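An added note (not part of the thread, and not ewido's own code): the ewido report above mixes objects that were actually running with copies that never were, and the quickest way to see which is which is to bucket each finding by where it lived. The script below does that over an excerpt of the posted report (copied in as constructed sample input so it runs offline); the bucket names and the path rules are my own heuristics, not anything ewido defines.

```python
"""Bucket ewido findings by where each object lived.

A detection inside a System Restore snapshot or another scanner's quarantine
was not executing; one in system32, in a user profile, or in the LocalSystem
account's own IE cache was part of the live infection.
"""
import re
from collections import Counter

# Constructed excerpt of the ewido report posted above: a subset of its lines,
# embedded here as sample input so the script runs offline.
EWIDO_REPORT = r"""
HKLM\SOFTWARE\Classes\MediaAccX.Installer -> Spyware.WinAd : Cleaned with backup
HKU\S-1-5-21-448539723-436374069-1957994488-1003\Software\LQ -> Dialer.Generic : Cleaned with backup
C:\boota.exe -> Dropper.Agent.kd : Cleaned with backup
C:\Documents and Settings\ossett\msdirectx.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6615186C-9E96-43B7-8A3A-3E88CC\FD95A1FF-5E2A-4EF5-86DB-AC9240 -> Backdoor.Small.eo : Cleaned with backup
C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP195\A0076104.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\System Volume Information\_restore{0610AD98-C116-4DD6-B0EC-0470B45DB021}\RP203\A0083513.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\etb\nt_hide79.dll -> Trojan.EliteBar.h : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8N3V6VIO\nvs[1].exe -> Heuristic.Win32.Backdoor.IrcBot : Cleaned with backup
C:\WINDOWS\system32\gta.exe -> Backdoor.Rbot : Cleaned with backup
C:\WINDOWS\system32\msdirectx.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\WINDOWS\uk.exe -> Dialer.Generic : Cleaned with backup
"""

# One report line: "<location> -> <verdict> : <action>"
LINE_RE = re.compile(r"^(?P<location>.+?) -> (?P<verdict>\S+) : (?P<action>.+)$")


def parse_ewido(text):
    """Return one dict (location, verdict, action) per report line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def classify_location(location):
    """Name the bucket a location belongs to (heuristic, by path prefix)."""
    loc = location.lower()
    if loc.startswith(("hklm\\", "hkcu\\", "hku\\", "hkcr\\")):
        return "registry"
    if "\\system volume information\\_restore" in loc:
        return "restore_point"          # System Restore copy, never on the live path
    if "\\quarantine\\" in loc:
        return "quarantine"             # already neutralised by another tool
    if "\\config\\systemprofile\\" in loc and "temporary internet files" in loc:
        return "system_profile_cache"   # fetched by code running as LocalSystem
    if loc.startswith("c:\\windows\\system32\\"):
        return "system32"
    if loc.startswith("c:\\windows\\"):
        return "windows"
    if loc.startswith("c:\\documents and settings\\"):
        return "user_profile"
    return "drive_root"


INACTIVE = {"restore_point", "quarantine"}


def triage(text):
    """Split findings into live vs inactive copies and count buckets/verdicts."""
    findings = parse_ewido(text)
    for f in findings:
        f["bucket"] = classify_location(f["location"])
    return {
        "live": [f for f in findings if f["bucket"] not in INACTIVE],
        "inactive": [f for f in findings if f["bucket"] in INACTIVE],
        "buckets": Counter(f["bucket"] for f in findings),
        "verdicts": Counter(f["verdict"] for f in findings),
    }


def live_rootkit_components(text):
    """Live (non-snapshot) paths whose verdict names a rootkit: the files whose
    siblings and loading folder still need checking."""
    return sorted(f["location"] for f in triage(text)["live"]
                  if f["verdict"].lower().startswith("trojan.rootkit"))


if __name__ == "__main__":
    result = triage(EWIDO_REPORT)
    for f in result["live"]:
        print(f"{f['bucket']:22} {f['verdict']:32} {f['location']}")
    print("inactive copies:", len(result["inactive"]))
    print("live rootkit files:", live_rootkit_components(EWIDO_REPORT))
```

Two things the buckets make visible in the posted report: the rootkit driver msdirectx.sys was present both in system32 and in the user's profile folder, and several executables had been pulled into the IE cache of the LocalSystem profile (C:\WINDOWS\system32\config\systemprofile\...), which means a service-level process rather than the user's browser downloaded them. The RP195 to RP203 copies under System Volume Information were not running, but a System Restore would bring them back, so the restore points are worth clearing once the machine is confirmed clean.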
     
  4. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    You are in front :D
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,312
    You're 5 hours ahead of me.

    You did an excellent job with this clean up! (y)

    We just need to do a little more because there is a rootkit detected and we need to find the other files and the folder involved.


    Download and save (do not choose ‘open’) http://www.sysinternals.com/Files/RootkitRevealer.zip

    Unzip it to your desktop. Double click on the RootKitRevealer.exe and then click on “scan”. Save the log and post it back here.

    DO NOT attempt to fix anything it finds as most entries will be legitimate.
     
  6. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,312
    Also, go to Tools - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK.
     
  7. spikefan

    spikefan Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    185
    Good morning,
    Sad that I am, woke up at 4.30 so let dogs out and completed your request. Log below:

    HKLM\SOFTWARE\Classes\webcal\URL Protocol 06/03/2005 17:14 13 bytes Data mismatch between Windows API and raw hive data.
    HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun 23/01/2006 17:44 16 bytes Data mismatch between Windows API and raw hive data.
    C:\Documents and Settings\ossett\Local Settings\Temporary Internet Files\Content.IE5\CPERS56J 24/01/2006 04:50 0 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\ossett\Local Settings\Temporary Internet Files\Content.IE5\CPERS56J\desktop.ini 24/01/2006 04:50 67 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\ossett\Local Settings\Temporary Internet Files\Content.IE5\GRA5276R 24/01/2006 04:50 0 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\ossett\Local Settings\Temporary Internet Files\Content.IE5\GRA5276R\desktop.ini 24/01/2006 04:50 67 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\ossett\Local Settings\Temporary Internet Files\Content.IE5\MN0VKXAN 24/01/2006 04:50 0 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\ossett\Local Settings\Temporary Internet Files\Content.IE5\MN0VKXAN\desktop.ini 24/01/2006 04:50 67 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\ossett\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV 24/01/2006 04:50 0 bytes Visible in Windows API, but not in MFT or directory index.
    C:\Documents and Settings\ossett\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\desktop.ini 24/01/2006 04:50 67 bytes Visible in Windows API, but not in MFT or directory index.
    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 24/01/2006 04:51 64.00 KB Visible in Windows API, but not in MFT or directory index.

    Have cleared temporary folders and deleted offline content.

    Debs
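An added example, not part of the thread and not Sysinternals code: RootkitRevealer reports every difference between what the Windows API shows and what the raw NTFS and registry hive data show, and most differences are timing noise from files created while the scan was running. The script below parses the posted log (plus one constructed line, the HYPOTHETICAL.sys entry, to show what a genuinely hidden object looks like) and ranks each discrepancy. The severity rules, the list of volatile registry values and the list of churn directories are my own heuristics, not RootkitRevealer's.

```python
"""Rank RootkitRevealer discrepancies so scan-time noise does not drown the
one kind of entry that matters: an object hidden from the Windows API.
"""
import re
from datetime import datetime

# Lines from the RootkitRevealer log posted above, plus one constructed line
# (HYPOTHETICAL.sys) that shows the message a hiding rootkit produces.
RKR_LOG = r"""
HKLM\SOFTWARE\Classes\webcal\URL Protocol 06/03/2005 17:14 13 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun 23/01/2006 17:44 16 bytes Data mismatch between Windows API and raw hive data.
C:\Documents and Settings\ossett\Local Settings\Temporary Internet Files\Content.IE5\CPERS56J 24/01/2006 04:50 0 bytes Visible in Windows API, but not in MFT or directory index.
C:\Documents and Settings\ossett\Local Settings\Temporary Internet Files\Content.IE5\CPERS56J\desktop.ini 24/01/2006 04:50 67 bytes Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 24/01/2006 04:51 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\WINDOWS\system32\drivers\HYPOTHETICAL.sys 20/01/2006 11:02 9.50 KB Hidden from Windows API.
"""

# "<path> <dd/mm/yyyy HH:MM> <size> <description>"
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2})\s+"
    r"(?P<size>[\d.]+ (?:bytes|KB|MB|GB))\s+(?P<desc>.+)$"
)

# Registry values rewritten so often that the API pass and the raw hive pass
# are expected to disagree on them (heuristic list, an assumption of this script).
VOLATILE_VALUES = ("\\schedulingagent\\lasttaskrun",)

# Directories where files appear and vanish constantly; an object seen by the
# API but missing from the MFT here was simply created mid-scan.
TRANSIENT_DIRS = ("\\temporary internet files\\content.ie5\\",
                  "\\softwaredistribution\\datastore\\logs\\")


def parse_rkr(text):
    """Parse log lines into dicts with a datetime under 'when'."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["when"] = datetime.strptime(e["ts"], "%d/%m/%Y %H:%M")
            entries.append(e)
    return entries


def classify(entry, scan_date):
    """Return (severity, reason) for one discrepancy."""
    path, desc = entry["path"].lower(), entry["desc"]
    if desc.startswith("Hidden from Windows API"):
        return "high", "object hidden from the Windows API: classic rootkit behaviour"
    if "embedded nulls" in desc:
        return "high", "registry key name with embedded nulls: API-level hiding trick"
    if desc.startswith("Visible in Windows API, but not in MFT"):
        if entry["when"].date() == scan_date and any(d in path for d in TRANSIENT_DIRS):
            return "low", "created during the scan in a known churn directory"
        return "review", "present for the API but absent from raw NTFS metadata"
    if desc.startswith("Data mismatch"):
        if any(path.endswith(v) for v in VOLATILE_VALUES):
            return "low", "value is rewritten continuously; mismatch is timing"
        return "review", "registry data differs between API and raw hive"
    return "review", desc


def triage(text):
    """Return a list of (severity, path, reason); the scan date is taken to be
    the newest timestamp in the log."""
    entries = parse_rkr(text)
    if not entries:
        return []
    scan_date = max(e["when"] for e in entries).date()
    return [(*classify(e, scan_date), ) if False else (classify(e, scan_date)[0], e["path"], classify(e, scan_date)[1])
            for e in entries]


def needs_attention(text):
    """Paths ranked high: the ones to chase before anything else."""
    return [p for sev, p, _ in triage(text) if sev == "high"]


if __name__ == "__main__":
    for sev, path, why in triage(RKR_LOG):
        print(f"{sev:6} {path}\n       {why}")
```

In the posted log every "Visible in Windows API, but not in MFT" entry carries the scan's own timestamp (24/01/2006 04:50 to 04:51) and sits in IE's cache or Windows Update's log store, i.e. files created while the scan ran, and there is no "Hidden from Windows API" line at all, which is what you want to see after the msdirectx.sys driver that ewido removed has stopped loading. The webcal URL Protocol mismatch is left as "review" because the script has no basis to call it benign; a human who knows that value can downgrade it.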
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,312
    Boot to safe mode and run Killbox on these:

    C:\boot.exe

    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\8N3V6VIO

    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VNSU5K8T


    Reboot and post a new HijackThis log please.
     
  9. spikefan

    spikefan Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    185
    Hello,
    Ran Killbox on them, they didn't appear to exist. Rebooted and posted log - it's getting smaller!

    Logfile of HijackThis v1.99.1
    Scan saved at 07:04:34, on 25/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\wuauclt.exe
    E:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138038272529
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lathams.co.uk
    O17 - HKLM\Software\..\Telephony: DomainName = lathams.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{86D13A36-D478-4F13-BCFE-12BD3EB45CC6}: NameServer = 10.35.1.5
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lathams.co.uk
    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
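An added example, not part of the thread and not HijackThis's own code: with two logs from the same machine a few days apart, the useful questions are what changed and which surviving entries still deserve a question. The script below compares constructed excerpts of the two logs posted in this thread (23/01/2006 and 25/01/2006; only the lines that differ or that the rules act on are included, so it runs offline) and applies a handful of rules of my own: a NameServer outside private address space is flagged so the owner can confirm it belongs to their ISP, services and buttons whose file is gone are flagged as orphans, and O16 ActiveX controls from anywhere other than an assumed Microsoft allow-list are flagged for removal once their job is done.

```python
"""Diff two HijackThis logs and flag the entries that still deserve a question."""
import ipaddress
import re

# Constructed excerpts of the two logs posted in this thread (sample input).
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
E:\HijackThis.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{09D04B0C-FA9E-4A5A-98F9-15EF9B85EED9}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CCS\Services\Tcpip\..\{86D13A36-D478-4F13-BCFE-12BD3EB45CC6}: NameServer = 10.35.1.5
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
"""

LOG_AFTER = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
E:\HijackThis.exe

O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{86D13A36-D478-4F13-BCFE-12BD3EB45CC6}: NameServer = 10.35.1.5
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d. ]+)$")

# Assumed allow-list for O16 download sources; anything else gets a question.
TRUSTED_DPF_PREFIXES = ("http://go.microsoft.com/",
                        "http://update.microsoft.com/",
                        "http://www.update.microsoft.com/")


def parse_hjt(text):
    """Return (set of running process paths, set of Rn/On entry lines)."""
    processes, entries = set(), set()
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        if in_procs:
            processes.add(line)
        elif ENTRY_RE.match(line):
            entries.add(line)
    return processes, entries


def diff_logs(before, after):
    """What appeared and what disappeared between two logs."""
    p0, e0 = parse_hjt(before)
    p1, e1 = parse_hjt(after)
    return {
        "processes_gone": sorted(p0 - p1),
        "processes_new": sorted(p1 - p0),
        "entries_gone": sorted(e0 - e1),
        "entries_new": sorted(e1 - e0),
    }


def flag_entry(entry):
    """Return the question to ask about this entry, or None if the rules pass."""
    kind = ENTRY_RE.match(entry).group("kind")
    if kind == "O17":
        m = NAMESERVER_RE.search(entry)
        if m:
            public = [s for s in m.group("servers").split()
                      if ipaddress.ip_address(s).is_global]
            if public:
                return f"DNS servers {public}: confirm they belong to the ISP"
    if kind == "O23" and entry.endswith("(file missing)"):
        return "orphaned service: binary gone but the service key remains"
    if kind == "O9" and entry.endswith("(no file)"):
        return "dead button: registry entry without a file behind it"
    if kind == "O16":
        url = entry.rsplit(" - ", 1)[-1]
        if not url.startswith(TRUSTED_DPF_PREFIXES):
            return f"ActiveX control from {url}: remove once its scan is done"
    return None


def flagged(text):
    """Map each entry that trips a rule to the question it raises."""
    _, entries = parse_hjt(text)
    out = {}
    for e in sorted(entries):
        q = flag_entry(e)
        if q:
            out[e] = q
    return out


if __name__ == "__main__":
    for key, vals in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(key, vals)
    for entry, question in flagged(LOG_AFTER).items():
        print(f"{question}\n    {entry}")
```

Between the two posted logs the only entry that vanished is the O17 NameServer line for one adapter GUID, which names public addresses; its absence in the second log most likely reflects that adapter not being up at scan time rather than a fix, so it is the line to re-check whenever the USB modem is connected. The lathams.co.uk domain entries are expected on a machine still joined to the employer's domain, as the thread starter said. The two orphans (the AOLService entry with its file missing, and the nameless O9 button with no file) are leftovers of uninstalled software, not active code.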
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,312
    The log looks good. How is everything running? Please do another Panda scan and post the results if it finds anything.


    I would also suggest downloading and running Ad-Aware and SpyBot Search & Destroy and you should update and run them regularly. Here are the instructions for those programs.


    AD-AWARE

    Go here and download Ad-Aware SE.

    Install the program and launch it.

    First, in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From the main window, click Start then under Select a scan Mode tick Perform full system scan.

    Next, deselect Search for negligible risk entries.

    Now to perform a scan, click the Next button.

    When the scan is finished, mark everything for removal and get rid of it. To do so, right-click in the window and choose Select All from the drop-down menu and then click Next.



    SPYBOT SEARCH & DESTROY

    Go here and download Spybot Search & Destroy.

    Install the program and launch it.

    Before scanning press Online and Search for Updates.

    Put a check mark at and install all updates.

    Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.
     
  11. spikefan

    spikefan Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    185
    Hello,

    Sorry for the delay in getting back - major catastrophe last night, my own PC wouldn't connect to the internet - daughter distraught!! World came to an end. Everything is now being looked at through rosy glasses lol.
    Below are the two logs you asked for - Panda is the latter one; it found 2 files as listed. I then updated Ad-Aware and ran that, scan also below. All appears fine; a couple of the entries on the HijackThis log made me wonder though, the ones with a missing file, AOL and one other. Can these just be deleted? I know I tried with the AOL one but it constantly comes back. If that is all that is wrong then fine, I can live with that. What do you think?

    Ad-Aware SE Build 1.06r1
    Logfile Created on:26 January 2006 10:48:53
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R89 24.01.2006
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Tracking Cookie(TAC index:3):1 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Ad-Aware SE Settings
    ===========================
    Set : Search for low-risk threats
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Scan registry for all users instead of current user only
    Set : Always try to unload modules before deletion
    Set : During removal, unload Explorer and IE if necessary
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Include alternate data stream details in log file
    Set : Play sound at scan completion if scan locates critical objects


    26-01-2006 10:48:54 - Scan started. (Full System Scan)

    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [smss.exe]
    FilePath : \SystemRoot\System32\
    ProcessID : 508
    ThreadCreationTime : 26-01-2006 08:41:22
    BasePriority : Normal


    #:2 [csrss.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 556
    ThreadCreationTime : 26-01-2006 08:41:24
    BasePriority : Normal


    #:3 [winlogon.exe]
    FilePath : \??\C:\WINDOWS\system32\
    ProcessID : 584
    ThreadCreationTime : 26-01-2006 08:41:25
    BasePriority : High


    #:4 [services.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 632
    ThreadCreationTime : 26-01-2006 08:41:26
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : services.exe

    #:5 [lsass.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 644
    ThreadCreationTime : 26-01-2006 08:41:26
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : lsass.exe

    #:6 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 796
    ThreadCreationTime : 26-01-2006 08:41:26
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:7 [svchost.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 856
    ThreadCreationTime : 26-01-2006 08:41:27
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:8 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 892
    ThreadCreationTime : 26-01-2006 08:41:27
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:9 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 952
    ThreadCreationTime : 26-01-2006 08:41:27
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:10 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1056
    ThreadCreationTime : 26-01-2006 08:41:28
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:11 [spoolsv.exe]
    FilePath : C:\WINDOWS\system32\
    ProcessID : 1220
    ThreadCreationTime : 26-01-2006 08:41:28
    BasePriority : Normal
    FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
    ProductVersion : 5.1.2600.2696
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : spoolsv.exe

    #:12 [sagent2.exe]
    FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
    ProcessID : 1332
    ThreadCreationTime : 26-01-2006 08:41:28
    BasePriority : Normal
    FileVersion : 2, 2, 0, 0
    ProductVersion : 1, 0, 0, 0
    ProductName : EPSON Bidirectional Printer
    CompanyName : SEIKO EPSON CORPORATION
    FileDescription : EPSON Printer Status Agent
    InternalName : SAgent2
    LegalCopyright : Copyright (C) SEIKO EPSON CORP. 2000-2001
    OriginalFilename : SAgent2.exe

    #:13 [ewidoctrl.exe]
    FilePath : C:\Program Files\ewido anti-malware\
    ProcessID : 1364
    ThreadCreationTime : 26-01-2006 08:41:28
    BasePriority : Normal
    FileVersion : 3, 0, 0, 1
    ProductVersion : 3, 0, 0, 1
    ProductName : ewido control
    CompanyName : ewido networks
    FileDescription : ewido control
    InternalName : ewido control
    LegalCopyright : Copyright © 2004
    OriginalFilename : ewidoctrl.exe

    #:14 [ewidoguard.exe]
    FilePath : C:\Program Files\ewido anti-malware\
    ProcessID : 1376
    ThreadCreationTime : 26-01-2006 08:41:28
    BasePriority : Normal
    FileVersion : 3, 0, 0, 1
    ProductVersion : 3, 0, 0, 1
    ProductName : guard
    CompanyName : ewido networks
    FileDescription : guard
    InternalName : guard
    LegalCopyright : Copyright © 2004
    OriginalFilename : guard.exe

    #:15 [navapsvc.exe]
    FilePath : C:\Program Files\Norton AntiVirus\
    ProcessID : 1460
    ThreadCreationTime : 26-01-2006 08:41:28
    BasePriority : Normal
    FileVersion : 8.00.58
    ProductVersion : 8.00.58
    ProductName : Norton AntiVirus
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Auto-Protect Service
    InternalName : NAVAPSVC
    LegalCopyright : Copyright (c) 2000-2001 Symantec Corporation. All rights reserved.
    OriginalFilename : NAVAPSVC.EXE

    #:16 [svchost.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 1544
    ThreadCreationTime : 26-01-2006 08:41:29
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:17 [alg.exe]
    FilePath : C:\WINDOWS\System32\
    ProcessID : 224
    ThreadCreationTime : 26-01-2006 08:41:45
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Application Layer Gateway Service
    InternalName : ALG.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : ALG.exe

    #:18 [explorer.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 472
    ThreadCreationTime : 26-01-2006 08:41:48
    BasePriority : Normal
    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 6.00.2900.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : EXPLORER.EXE

    #:19 [dragdiag.exe]
    FilePath : C:\Program Files\Thomson\SpeedTouch USB\
    ProcessID : 1796
    ThreadCreationTime : 26-01-2006 08:42:03
    BasePriority : Normal
    FileVersion : 300.7.0.2
    ProductVersion : 300.7.0.2
    ProductName : SpeedTouch USB
    CompanyName : THOMSON
    FileDescription : SpeedTouch Statistics
    LegalCopyright : Copyright© THOMSON 1999-2003

    #:20 [hpcmpmgr.exe]
    FilePath : C:\Program Files\HP\hpcoretech\
    ProcessID : 1892
    ThreadCreationTime : 26-01-2006 08:42:06
    BasePriority : Normal
    FileVersion : 2.1.1.0
    ProductVersion : 2.1.6.2
    ProductName : hp coretech (COmponent REuse TECHnology)
    CompanyName : Hewlett-Packard Company
    FileDescription : HP Framework Component Manager Service
    InternalName : HPComponentManagerService module
    LegalCopyright : Copyright (C) Hewlett-Packard. 2002-2005
    OriginalFilename : HpCmpMgr.exe

    #:21 [hpwuschd2.exe]
    FilePath : C:\Program Files\HP\HP Software Update\
    ProcessID : 676
    ThreadCreationTime : 26-01-2006 08:42:07
    BasePriority : Normal
    FileVersion : 50.0.146.000
    ProductVersion : 050.000.146.000
    ProductName : hp digital imaging - hp all-in-one series
    CompanyName : Hewlett-Packard Co.
    FileDescription : Hewlett-Packard Product Assistant
    InternalName : hpwuSchd2
    LegalCopyright : Copyright (C) Hewlett-Packard Co. 1995-2004
    OriginalFilename : hpwuSchd2.exe
    Comments : Hewlett-Packard Product Assistant

    #:22 [navapw32.exe]
    FilePath : C:\PROGRA~1\NORTON~1\
    ProcessID : 1912
    ThreadCreationTime : 26-01-2006 08:42:08
    BasePriority : Normal
    FileVersion : 8.00.58
    ProductVersion : 8.00.58
    ProductName : Norton AntiVirus
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Agent
    InternalName : NAVAPW32
    LegalCopyright : Copyright (c) 2000-2001 Symantec Corporation. All rights reserved.
    OriginalFilename : NAVAPW32.EXE

    #:23 [drst.exe]
    FilePath : C:\Program Files\SpeedTouch\Dr SpeedTouch\
    ProcessID : 1924
    ThreadCreationTime : 26-01-2006 08:42:08
    BasePriority : Normal


    #:24 [msmsgs.exe]
    FilePath : C:\Program Files\Messenger\
    ProcessID : 2008
    ThreadCreationTime : 26-01-2006 08:42:10
    BasePriority : Normal
    FileVersion : 4.7.3001
    ProductVersion : Version 4.7.3001
    ProductName : Messenger
    CompanyName : Microsoft Corporation
    FileDescription : Windows Messenger
    InternalName : msmsgs
    LegalCopyright : Copyright (c) Microsoft Corporation 2004
    LegalTrademarks : Microsoft(R) is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
    OriginalFilename : msmsgs.exe

    #:25 [winhlp32.exe]
    FilePath : C:\WINDOWS\
    ProcessID : 3624
    ThreadCreationTime : 26-01-2006 09:35:20
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Microsoft® Help
    InternalName : WINHLP32.EXE
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : WINHLP32.EXE

    #:26 [iexplore.exe]
    FilePath : C:\Program Files\Internet Explorer\
    ProcessID : 2152
    ThreadCreationTime : 26-01-2006 09:41:22
    BasePriority : Normal
    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 6.00.2900.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : IEXPLORE.EXE

    #:27 [helpsvc.exe]
    FilePath : C:\WINDOWS\PCHealth\HelpCtr\Binaries\
    ProcessID : 1176
    ThreadCreationTime : 26-01-2006 10:44:19
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Microsoft Help Center Service
    InternalName : HELPSVC.EXE
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : HELPSVC.EXE

    #:28 [wmiprvse.exe]
    FilePath : C:\WINDOWS\System32\wbem\
    ProcessID : 2084
    ThreadCreationTime : 26-01-2006 10:44:37
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : WMI
    InternalName : Wmiprvse.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : Wmiprvse.exe

    #:29 [ad-aware.exe]
    FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
    ProcessID : 1756
    ThreadCreationTime : 26-01-2006 10:47:59
    BasePriority : Normal
    FileVersion : 6.2.0.236
    ProductVersion : SE 106
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft AB Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 0


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : [email protected][2].txt
    TAC Rating : 3
    Category : Data Miner
    Comment : Hits:6
    Value : Cookie:eek:[email protected]/
    Expires : 25-01-2011 09:50:00
    LastSync : Hits:6
    UseCount : 0
    Hits : 6

    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 1
    Objects found so far: 1



    Deep scanning and examining files (C:)
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Disk Scan Result for C:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 1


    Scanning Hosts file......
    Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Hosts file scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    1 entries scanned.
    New critical objects:0
    Objects found so far: 1




    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 1

    11:02:55 Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:14:01.69
    Objects scanned:105557
    Objects identified:1
    Objects ignored:0
    New critical objects:1




    Incident Status Location

    Adware:adware/wupd Not disinfected Windows Registry
    Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\ossett\Cookies\[email protected][2].txt
    Thanks very much,

    Debs
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,312
    Things are looking good. (y)

If this is one of the entries you were concerned about, it’s related to RealPlayer and the fact that it shows “no file” is likely a bug in HijackThis so we should leave it alone. If this is not the one, let me know which one concerns you please.

    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)


    For the AOL one, let’s disable the service:

    Click Start - Run - and type in:

    services.msc

    Click OK.

    In the services window find AOL Spyware Protection Service.
    Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Start-up Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.


Open HijackThis and click on the "Open Misc Tools section" button. Now click on the "Delete an NT service" button. Copy and paste this line in that box:

    AOLService

    Click OK.


    Rescan with HijackThis and have it fix this entry:

    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)


    Locate and delete this folder:

    C:\Program Files\Common Files\AOL


    Reboot and post a final HijackThis log please.
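The review done by eye above (picking out the O23 service and O9 button entries that point at a file HijackThis cannot find, and noting who owns each service) can be scripted. This is an added example written for this thread, not code from the thread or from HijackThis; it assumes the v1.99.1 line layout seen in the logs posted here and runs over lines copied from them.

```python
import re
from dataclasses import dataclass

# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{86D13A36-D478-4F13-BCFE-12BD3EB45CC6}: NameServer = 10.35.1.5
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
""".strip()

LINE_RE = re.compile(r"^(?P<tag>[RFNO]\d{1,2}) - (?P<body>.+)$")  # "O23 - ..."
# O23 body: "Service: <display> [(<short name>)] - <owner> - <path> [(file missing)]"
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[\d.,]+)")
MISSING_MARKERS = ("(file missing)", "(no file)")  # HijackThis could not find the file

@dataclass
class Entry:
    tag: str            # section tag, e.g. "O23"
    body: str           # text after "Oxx - "
    file_missing: bool  # True when the entry ends with one of MISSING_MARKERS

def parse_line(line: str):
    """Split one log line into an Entry; header and process lines return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    return Entry(m.group("tag"), body, body.endswith(MISSING_MARKERS))

def parse_log(text: str):
    return [e for e in map(parse_line, text.splitlines()) if e]

def parse_service(entry: Entry):
    """Break an O23 entry into display name, short name, owner and binary path."""
    m = SERVICE_RE.match(entry.body) if entry.tag == "O23" else None
    if not m:
        return None
    svc = m.groupdict()
    if entry.file_missing:  # drop the trailing marker so 'path' is the bare path
        svc["path"] = svc["path"].rsplit(" (", 1)[0]
    return svc

def triage(text: str):
    """Orphaned entries (absent files), services with no identified owner, hard-coded DNS."""
    report = {"orphaned": [], "unknown_owner_services": [], "nameservers": []}
    for e in parse_log(text):
        if e.file_missing:
            report["orphaned"].append(f"{e.tag}: {e.body}")
        svc = parse_service(e)
        if svc and svc["owner"] == "Unknown owner":
            report["unknown_owner_services"].append(svc["name"] or svc["display"])
        if e.tag == "O17" and (m := NAMESERVER_RE.search(e.body)):
            report["nameservers"].extend(m.group("servers").split(","))
    return report
```

On the sample above the report lists the O9 and AOL O23 lines as orphaned, AOLService as the only service without a named owner, and 10.35.1.5 as the one hard-coded name server.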
     
  13. spikefan

    spikefan Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    185
    Hi there,

    Must be just after lunchtime with you. I have been to work for a couple of hours hence the delay in replying. Log is posted below and got rid of AOL (hurray!). All appears to be fine. Thank you very very much for your help. It has been a pleasure.

    Logfile of HijackThis v1.99.1
    Scan saved at 19:40:49, on 27/01/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
    C:\Program Files\Messenger\msmsgs.exe
    E:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.wanadoo.co.uk/iesearch/default.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk/
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138038272529
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lathams.co.uk
    O17 - HKLM\Software\..\Telephony: DomainName = lathams.co.uk
    O17 - HKLM\System\CCS\Services\Tcpip\..\{86D13A36-D478-4F13-BCFE-12BD3EB45CC6}: NameServer = 10.35.1.5
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lathams.co.uk
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

    Have a good weekend,

    Debs
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    112,312
    Clean as a whistle and it was a pleasure working with you too. (y)

    Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

    To turn off system restore, on the Desktop, right click on My Computer and click on Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply and then click OK.

    Restart your computer, turn System Restore back on and create a restore point.

    To create a new restore point, click on Start – All Programs – Accessories – System Tools and then select System Restore.

    In the System Restore wizard, select Create a restore point and click the Next button.

    Type a name for your new restore point then click on Create.


    I also recommend downloading SPYWAREBLASTER & SPYWAREGUARD for added protection.

    Read here for info on how to tighten your security.



    Delete your temporary files:

    In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit - Select All then Edit - Delete to delete the entire contents of the Temp folder.

    Go to Start - Run and type %temp% in the Run box. The Temp folder will open. Click Edit - Select All then hit Delete to delete the entire contents of the Temp folder.

    Finally go to Control Panel - Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

    Empty the recycle bin.
     
  15. spikefan

    spikefan Thread Starter

    Joined:
    Aug 17, 2003
    Messages:
    185
    Hi there,

    All done and dusted - brilliant. Now all I need is a course to teach me all you know LOL!

    Thanks very much

    Debs
     
Short URL to this thread: https://techguy.org/435453