1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

SpyBot not cleaning in total

Discussion in 'Virus & Other Malware Removal' started by GSTI, Feb 11, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. GSTI

    GSTI Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    14
    Using XP Pro SP2
    Issue: SpyBot finds n-Case, DSO Exploit, I-SearchTech.Powerscan, IsearchTech.Slotch. It fixes DSO Exploit. Message states that the PC will need to be scanned upon next re-boot as some of the files may be in memory. Upon reboot all of the above are found again. The malware is obviously creating new files upon reboot that SpyBot cannot resolve as they are in use. How to fix? Help??? Thanks in advance!

    Logfile of HijackThis v1.99.0
    Scan saved at 1:29:44 PM, on 2/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Frontstep Shared\Service\FSValidationSvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\system32\winexec32.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    \Roundrock\p\AVG Antivirus\Hijack This\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Microsoft NT Update] winexec32.exe
    O4 - HKLM\..\Run: [ybqharif] C:\WINDOWS\ybqharif.exe
    O4 - HKLM\..\Run: [winmgr.exe] scvhost.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Pdtptf.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\RunServices: [Microsoft NT Update] winexec32.exe
    O4 - HKLM\..\RunServices: [winmgr.exe] scvhost.exe
    O4 - HKCU\..\Run: [Microsoft NT Update] winexec32.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106601979203
    O16 - DPF: {952C5C34-B6D2-4786-A941-FBFE2913D60A} (FSCrm Control) - http://roundrock/ti/fsCtrls.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = austinhq.touchintl.com
    O17 - HKLM\Software\..\Telephony: DomainName = austinhq.touchintl.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = austinhq.touchintl.com
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: MAPICS Validation Service - Unknown - C:\Program Files\Common Files\Frontstep Shared\Service\FSValidationSvc.exe
    O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
     

    Attached Files:

  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    DSO Fix http://www.majorgeeks.com/download4392.html

    Print this and boot to safe mode
    Fix these with HJT

    O4 - HKLM\..\Run: [Microsoft NT Update] winexec32.exe

    O4 - HKLM\..\Run: [ybqharif] C:\WINDOWS\ybqharif.exe

    O4 - HKLM\..\Run: [winmgr.exe] scvhost.exe

    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\Pdtptf.exe

    O4 - HKLM\..\RunServices: [Microsoft NT Update] winexec32.exe

    O4 - HKLM\..\RunServices: [winmgr.exe] scvhost.exe

    O4 - HKCU\..\Run: [Microsoft NT Update] winexec32.exe


    View Hidden Files
    Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
    Make sure that "Show hidden files and folders" is checked.
    Also uncheck "Hide protected operating system files".
    Now click "Apply to all folders", Click "Apply" then "OK"

    Delete these files

    C:\WINDOWS\system32\winexec32.exe
    C:\WINDOWS\system32\Pdtptf.exe
    C:\WINDOWS\ybqharif.exe

    Search for scvhost.exe to delete – MAKE SURE IT IS SCV and NOT svc


    START – RUN – key in %temp% - Edit – Select all – File – Delete
    Empty the recycle bin
    Boot and post a new log
     
  3. GSTI

    GSTI Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    14
    Thanks for the quick response!

    DELETED C:\WINDOWS\system32\winexec32.exe
    NOT FOUND IN SEARCH C:\WINDOWS\system32\Pdtptf.exe
    NOT FOUND IN SEARCH C:\WINDOWS\ybqharif.exe

    NOT FOUND IN SEARCH Search for scvhost.exe to delete – MAKE SURE IT IS SCV and NOT svc

    Logfile of HijackThis v1.99.0
    Scan saved at 3:19:17 PM, on 2/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Frontstep Shared\Service\FSValidationSvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\SYSTEM32\userinit.exe
    C:\Documents and Settings\gspidle\Desktop\HijackThis.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\svchost.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKCU\..\Run: [Microsoft NT Update] winexec32.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106601979203
    O16 - DPF: {952C5C34-B6D2-4786-A941-FBFE2913D60A} (FSCrm Control) - http://roundrock/ti/fsCtrls.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = austinhq.touchintl.com
    O17 - HKLM\Software\..\Telephony: DomainName = austinhq.touchintl.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = austinhq.touchintl.com
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: MAPICS Validation Service - Unknown - C:\Program Files\Common Files\Frontstep Shared\Service\FSValidationSvc.exe
    O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Fix this O4 - HKCU\..\Run: [Microsoft NT Update] winexec32.exe

    boot and a new log
     
  5. GSTI

    GSTI Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    14
    Thanks again.

    Fix this O4 - HKCU\..\Run: [Microsoft NT Update] winexec32.exe

    The above file shows in Normal but not in Safe mode. Still delete in Normal mode?
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    yes, boot and if it comes back

    Download KRC HiJackThis Analyzer into your HiJack folder

    http://www.greyknight17.com/download.htm#programs

    run KRC HijackThis Analyzer to get the result.txt log. Just post the contents of the result.txt file in the forum.
     
  7. GSTI

    GSTI Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    14
    Done. Did not return.

    New Log:

    Logfile of HijackThis v1.99.0
    Scan saved at 4:18:53 PM, on 2/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Frontstep Shared\Service\FSValidationSvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Documents and Settings\gspidle\Desktop\HijackThis.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SYSTEM32\userinit.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106601979203
    O16 - DPF: {952C5C34-B6D2-4786-A941-FBFE2913D60A} (FSCrm Control) - http://roundrock/ti/fsCtrls.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = austinhq.touchintl.com
    O17 - HKLM\Software\..\Telephony: DomainName = austinhq.touchintl.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = austinhq.touchintl.com
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: MAPICS Validation Service - Unknown - C:\Program Files\Common Files\Frontstep Shared\Service\FSValidationSvc.exe
    O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
     
  8. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Clean - IF you feel it is fixed, mark it solved via thread tools above
     
  9. GSTI

    GSTI Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    14
    Thanks.
    DSO gone.
    SpyBot still finds n-Case, I-SearchTech.Powerscan, IsearchTech.Slotch
    Same results upon reboot.

    Logfile of HijackThis v1.99.0
    Scan saved at 5:23:07 PM, on 2/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Frontstep Shared\Service\FSValidationSvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\gspidle\Desktop\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106601979203
    O16 - DPF: {952C5C34-B6D2-4786-A941-FBFE2913D60A} (FSCrm Control) - http://roundrock/ti/fsCtrls.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = austinhq.touchintl.com
    O17 - HKLM\Software\..\Telephony: DomainName = austinhq.touchintl.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = austinhq.touchintl.com
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: MAPICS Validation Service - Unknown - C:\Program Files\Common Files\Frontstep Shared\Service\FSValidationSvc.exe
    O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
     
  10. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    AdAware SE 1.05 http://www.majorgeeks.com/download506.html, check for updates and fix all it says

    Istsvc http://securityresponse.symantec.com/avcenter/FxIstbar.exe

    From Symantec
    Note:
    · The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.
    · The removal tool may terminate Internet Explorer and Windows Explorer. It is recommended that users save their work and log out of these programs before running the removal tool.
    · The removal tool will reset the Internet start page to a blank page. The start page can be modified by clicking on Tools > Internet Options in Internet Explorer.
    · The removal tool will not delete some harmless Temporary Internet files, which Adware.Istbar created, in C:\Documents and Setings\Administrator\Local Settings\Temporary Internet Files.
    These can be manually deleted using the following steps:
    a. Start Internet Explorer.
    b. Click Tools > Internet Options.
    c. In the Temporary Internet Files section, then click the Delete Files button.
    d. Check Delete all offline content, and then click OK.
     
  11. GSTI

    GSTI Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    14
    OK We are VERY close. The only thing that still shows is n-case in SpyBot. Any suggestions?

    Logfile of HijackThis v1.99.0
    Scan saved at 1:43:13 PM, on 2/14/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Frontstep Shared\Service\FSValidationSvc.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\WINDOWS\System32\igfxtray.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    C:\Program Files\Nikon\NkView6\NkvMon.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\gspidle\Desktop\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1106601979203
    O16 - DPF: {952C5C34-B6D2-4786-A941-FBFE2913D60A} (FSCrm Control) - http://roundrock/ti/fsCtrls.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = austinhq.touchintl.com
    O17 - HKLM\Software\..\Telephony: DomainName = austinhq.touchintl.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = austinhq.touchintl.com
    O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: MAPICS Validation Service - Unknown - C:\Program Files\Common Files\Frontstep Shared\Service\FSValidationSvc.exe
    O23 - Service: Kerio Personal Firewall 4 - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
     
  12. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Where does it say it is?
     
  13. GSTI

    GSTI Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    14
    If you look at the Word spreadsheet from my origanal post, you'll see its under the Salm directory. There are two entries where its found.

    Thanks
     
  14. GSTI

    GSTI Thread Starter

    Joined:
    Feb 11, 2005
    Messages:
    14
    Just checking in , any suggestions?
     
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Where is the Salm directory? That picture is pretty blurry.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - SpyBot cleaning total
  1. jllp
    Replies:
    6
    Views:
    526
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/329334

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice