
Stopguard and Winfirewall hell

Discussion in 'Virus & Other Malware Removal' started by jobrown, Sep 5, 2004.

Thread Status:
Not open for further replies.
  1. jobrown

    jobrown Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    2
    Hello,
    I keep getting the stopguard and winfirewall pop-ups and since they first showed, my system has been sluggish. I ran HijackThis (and also tried the AdAware, Spybot, and Symantec scans) to no avail. Please help. I'm not computer illiterate, but I'm close...
    Thanks in advance!!!

    Logfile of HijackThis v1.98.2
    Scan saved at 10:53:34 PM, on 9/5/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\WINDOWS\Tasks\svckb.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\eFax Messenger Plus\HotTray.exe
    C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/v5/home/0,1793,69,00.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://government.dellnet.com/
    O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\Me\LOCALS~1\Temp\bkcvs.dat
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [svckb] C:\WINDOWS\Tasks\svckb.exe
    O4 - HKLM\..\Run: [*svckb] C:\WINDOWS\Tasks\svckb.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\RunOnce: [*svckb] C:\WINDOWS\Tasks\svckb.exe rerun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\inf\cabexp.exe ren
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094159991374
     
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Rescan once again with hijack, then put a check next to each of the following listed items. Then close all browser windows and click "fix checked".

    O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\Me\LOCALS~1\Temp\bkcvs.dat

    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe

    O4 - HKLM\..\Run: [svckb] C:\WINDOWS\Tasks\svckb.exe

    O4 - HKLM\..\Run: [*svckb] C:\WINDOWS\Tasks\svckb.exe

    O4 - HKLM\..\RunOnce: [*svckb] C:\WINDOWS\Tasks\svckb.exe rerun

    O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\inf\cabexp.exe ren



    Now reboot into safe mode http://dotcomsecurity.org/forums/index.php?showtopic=55


    Open Windows Explorer, find then delete:
    C:\WINDOWS\inf\cabexp.exe
    C:\WINDOWS\Updreg.exe
    C:\WINDOWS\Tasks\svckb.exe

    Reboot, rescan with hijack then post an updated logfile please.
     
  3. jobrown

    jobrown Thread Starter

    Joined:
    Sep 5, 2004
    Messages:
    2
    Thanks for helping. I did as you suggested and this is my new scan...

    Logfile of HijackThis v1.98.2
    Scan saved at 12:54:09 AM, on 9/6/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    C:\Program Files\ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    C:\WINDOWS\Tasks\svckb.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\eFax Messenger Plus\HotTray.exe
    C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://government.dellnet.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/v5/home/0,1793,69,00.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.rr.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://government.dellnet.com/
    O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\Me\LOCALS~1\Temp\bkcvs.dat
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [*svckb] C:\WINDOWS\Tasks\svckb.exe
    O4 - HKLM\..\RunOnce: [*svckb] C:\WINDOWS\Tasks\svckb.exe rerun
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
    O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1094159991374
     
  4. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Rescan and put a check next to the following, then close all browser windows and click "fix checked".

    O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\Me\LOCALS~1\Temp\bkcvs.dat

    O4 - HKLM\..\Run: [*svckb] C:\WINDOWS\Tasks\svckb.exe

    O4 - HKLM\..\RunOnce: [*svckb] C:\WINDOWS\Tasks\svckb.exe rerun


    Then reboot into safe mode http://dotcomsecurity.org/forums/index.php?showtopic=55

    Set the system to show hidden files and folders http://dotcomsecurity.org/forums/index.php?showtopic=57


    Then open Windows Explorer to find then delete:
    C:\WINDOWS\Tasks\svckb.exe
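
An added example, not part of the thread or any poster's own tooling: a Python check that compares the entries and files named in the first reply against the follow-up log, showing which autostart entries stayed registered and which deleted file is still running. `parse_log` and `check_fix` are hypothetical helper names, and the rescan text is an abbreviated excerpt of the second log posted above.

```python
import re

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path".
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")

def parse_log(text):
    """Return (running process paths, (section, detail) entries) from a log."""
    processes, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif m:
            in_procs = False
            entries.add((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.add(line.lower())
    return processes, entries

def check_fix(fix_lines, deleted_files, rescan_text):
    """List fixed entries and deleted files that still appear in the rescan."""
    processes, entries = parse_log(rescan_text)
    _, wanted = parse_log("\n".join(fix_lines))
    persisting = sorted(wanted & entries)
    still_running = sorted(f for f in deleted_files if f.lower() in processes)
    return persisting, still_running

# Entries and files named in the first reply of this thread.
FIX_LINES = [
    r"O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\Me\LOCALS~1\Temp\bkcvs.dat",
    r"O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe",
    r"O4 - HKLM\..\Run: [svckb] C:\WINDOWS\Tasks\svckb.exe",
    r"O4 - HKLM\..\Run: [*svckb] C:\WINDOWS\Tasks\svckb.exe",
    r"O4 - HKLM\..\RunOnce: [*svckb] C:\WINDOWS\Tasks\svckb.exe rerun",
    r"O4 - HKCU\..\RunOnce: [*MS Setup] C:\WINDOWS\inf\cabexp.exe ren",
]
DELETED_FILES = [r"C:\WINDOWS\inf\cabexp.exe", r"C:\WINDOWS\Updreg.exe",
                 r"C:\WINDOWS\Tasks\svckb.exe"]
# Abbreviated excerpt of the follow-up log posted in the thread.
RESCAN = r"""Running processes:
C:\WINDOWS\Tasks\svckb.exe

O2 - BHO: CATLEvents Object - {F32F8ECD-6CF3-459D-82F2-9738392C85A8} - C:\DOCUME~1\Me\LOCALS~1\Temp\bkcvs.dat
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [*svckb] C:\WINDOWS\Tasks\svckb.exe
O4 - HKLM\..\RunOnce: [*svckb] C:\WINDOWS\Tasks\svckb.exe rerun
"""

print(check_fix(FIX_LINES, DELETED_FILES, RESCAN))
```

The entries it reports as persisting are the same three the second reply asks to fix again, and the one file still running is the one that reply asks to delete with hidden files shown.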
     
Short URL to this thread: https://techguy.org/270635