Virus Keeps Coming Back


Neil Miller (Thread Starter; joined Sep 3, 2005; 23 messages)
Hi - I recently got infected with a virus that added options to my toolbar (Fresh Search), which I managed to fix thanks to the help I saw posted here, but I still keep getting pop-ups and infections - SearchToolbar, Spyware.Msnagent and DownLoader.Trojan being the most recent. None of the anti-spyware, pop-up blockers or antivirus programs I have can stop the reinfections.

I have gone into safe mode and used CWShredder, CClean, Kill2Me, HSRemove and Stinger, as well as the RAVAntivirus online scan, BitDefender online scan, AdAware SEplus and Norton Antivirus. I used Silent Runners and found some suspect entries, which I edited out of the registry using Registrar Lite, and I used HijackThis to find and fix some other suspicious entries.

But they all keep coming back, in one form or another. Not crippling like before, but really annoying!

Below is a recent Silent Runners report, followed by a HiJack This report:




"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"NvMediaCenter" = "RUNDLL32.EXE D:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"NBJ" = ""D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]
"AWMON" = ""D:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"" ["Lavasoft Sweden"]
"Spyware Doctor" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"NvCplDaemon" = "RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup" [MS]
"SymTray - Norton SystemWorks" = "D:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg" ["Symantec Corporation"]
"URLLSTCK.exe" = "D:\Program Files\Norton Internet Security Professional\UrlLstCk.exe" ["Symantec Corporation"]
"Advanced Tools Check" = "D:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE" ["Symantec Corporation"]
"SSC_UserPrompt" = "D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"NeroFilterCheck" = "D:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"FLMK08KB" = "D:\Program Files\Trust\305KS\Keyboard\MMKEYBD.EXE" [empty string]
"PCLEPCI" = "D:\PROGRA~1\PINNACLE\PPE\ppe.exe" ["Pinnacle Systems GmbH"]
"Symantec NetDriver Monitor" = "D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"InCD" = "D:\Program Files\Ahead\InCD\InCD.exe" ["Ahead Software AG"]
"ccApp" = ""D:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"GhostStartTrayApp" = "D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [file not found]
"ntje32.exe" = "D:\WINNT\ntje32.exe" [file not found]
"crqw32.exe" = "D:\WINNT\system32\crqw32.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"SymTray - Norton SystemWorks" = "D:\Program Files\Common Files\Symantec Shared\Symtrdr.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll" ["PC Tools"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "d:\program files\google\googletoolbar2.dll" ["Google Inc."]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "CNavExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton SystemWorks\Norton Ghost\GhoShExt.dll" ["Symantec Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{8f7261d0-d2b9-11d2-9909-00605205b24c}" = "CuteFTP Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\DOCUME~1\ALLUSE~1\APPLIC~1\GlobalSCAPE\CuteFTP\CuteShell.dll" ["GlobalSCAPE, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "cshbm.exe" [file not found]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
CuteFTP\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}"
-> {CLSID}\InProcServer32\(Default) = "D:\DOCUME~1\ALLUSE~1\APPLIC~1\GlobalSCAPE\CuteFTP\CuteShell.dll" ["GlobalSCAPE, Inc."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
CuteFTP\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}"
-> {CLSID}\InProcServer32\(Default) = "D:\DOCUME~1\ALLUSE~1\APPLIC~1\GlobalSCAPE\CuteFTP\CuteShell.dll" ["GlobalSCAPE, Inc."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "D:\Documents and Settings\Default User\My Documents\My Pictures\vp_CSmillie13.jpg"


Startup items in "sysop2" & "All Users" startup folders:
--------------------------------------------------------

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "D:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Pinnacle Scheduler" -> shortcut to: "D:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe" ["Pinnacle Systems GmbH, Braunschweig"]
"EPSON Status Monitor 3 Environment Check 2" -> shortcut to: "D:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE" ["SEIKO EPSON CORPORATION"]


Enabled Scheduled Tasks:
------------------------

"Norton SystemWorks One Button Checkup" -> launches: "D:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "D:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe /task:"D:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "D:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "d:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "d:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "d:\program files\google\googletoolbar2.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{A349A035-E26F-454B-ABB4-5208E50E1BE7}\
"ButtonText" = "ToolbarCop"
"MenuText" = "ToolbarCop"
"Exec" = "C:\unzipped\toolbarcop\Toolbarcop.exe" [null data]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]

{85D1F590-48F4-11D9-9669-0800200C9A66}\
"MenuText" = "Uninstall BitDefender Online Scanner v8"
"Exec" = "%windir%\bdoscandel.exe" [null data]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

EPSON Printer Status Agent2, EPSONStatusAgent2, "D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
ewido security suite control, ewido security suite control, "D:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "D:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
GhostStartService, GhostStartService, "D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE" ["Symantec Corporation"]
InCD Helper, InCDsrv, "D:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
Norton AntiVirus Auto Protect Service, navapsvc, ""D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "D:\WINNT\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SAVScan, SAVScan, "D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"]
Speed Disk service, Speed Disk service, "D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""D:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 140 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 18 seconds.
---------- (total run time: 195 seconds)







Logfile of HijackThis v1.99.1
Scan saved at 11:47:50, on 03/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\csrss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\WINNT\System32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
D:\WINNT\system32\MSTask.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINNT\system32\stisvc.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\SymTray.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Trust\305KS\Keyboard\KbdAp32A.exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINNT\system32\internat.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
D:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Common Files\Symantec Shared\nmain.exe
D:\PROGRA~1\NORTON~2\NORTON~1\navw32.exe
D:\Documents and Settings\Administrator\Desktop\Spyware tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.giointernet.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] D:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [URLLSTCK.exe] D:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FLMK08KB] D:\Program Files\Trust\305KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [PCLEPCI] D:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [ntje32.exe] D:\WINNT\ntje32.exe
O4 - HKLM\..\Run: [crqw32.exe] D:\WINNT\system32\crqw32.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] D:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AWMON] "D:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = D:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = D:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\unzipped\toolbarcop\Toolbarcop.exe (HKCU)
O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\unzipped\toolbarcop\Toolbarcop.exe (HKCU)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123009188968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3542492-6015-454B-97ED-24175188D713}: NameServer = 195.95.218.5,85.255.112.13
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


I run a dual OS, which explains why the current drive is D: rather than C:. I have also booted into the OS and run virus scans from there (for some reason some of the antivirus programs on D: - even in safe mode - run pitifully slowly or not at all; Norton Internet Professional seems to be woefully inadequate, and Spyware Doctor takes a few hours to complete, if it doesn't freeze). I have had SpyBot, SpywareBlaster and AdAware SEplus on my system for a long while, but they have not helped either.

Any help at all would be very gratefully received!

All the best,
Neil.
 
Reply (joined Feb 15, 2004; 12,302 messages)
Hi, welcome to TSG.


You will need to download the following tools and have them ready to run.
Do not run any of them until instructed to do so:

Click: http://castlecops.com/zx/flrman1/cwsserviceremove.zip to download
cwsserviceremove.zip and unzip it to your desktop.


Download Cleanup from http://cleanup.stevengould.org/

Download Killbox here: http://www.thespykiller.co.uk/files/killbox.exe and
save it to your desktop.

Click here: http://cwshredder.net/bin/CWSInstall.exe to download
CWSinstall.exe to the desktop.

Click: http://www.downloads.subratam.org/AboutBuster.zip to download
AboutBuster created by Rubber Ducky.

Unzip AboutBuster to the Desktop then click the "Update Button" then click
"Check for Update" and download the updates and then click "Exit" because I
don't want you to run it yet. Just get the updates so it is ready to run
later in safe mode.


Now go ahead and set your computer to show hidden files like so:

Because XP will not always show you hidden files and folders by default,
Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden
files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View
tab and make sure that "Show hidden files and folders" is checked. Also
uncheck "Hide protected operating system files" and "Hide extensions for
known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


______________________________________________________________________

Sign off the Internet and remain offline until this procedure is complete.
Unplug your modem or disconnect the cable or phone line. Copy these
instructions to notepad and save them on your desktop for easy access. You
must follow these directions exactly and you cannot skip any part of it.
______________________________________________________________________



Restart to safe mode.

http://service1.symantec.com/SUPPOR...001052409420406

Perform the following steps in safe mode:
____________________________________________________________________

Double click on the cwsserviceremove.reg file you downloaded at the beginning to enter it into the registry. Answer yes when asked to have its contents added to the registry.
____________________________________________________________________

Go to Start > Run and type Hijackthis. Press enter to start HijackThis.
DO NOT OPEN ANYTHING ELSE!



Put a check by these entries in Hijack This and click the "Fix Checked"
button:


O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ntje32.exe] D:\WINNT\ntje32.exe
O4 - HKLM\..\Run: [crqw32.exe] D:\WINNT\system32\crqw32.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)



Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.


D:\WINNT\ntje32.exe
D:\WINNT\system32\crqw32.exe
D:\WINNT\system32\cshbm.exe
D:\WINNT\cshbm.exe



Find and delete these files and folders if they are there:


Because XP will not always show you hidden files and folders by default,
Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden
files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View
tab and make sure that "Show hidden files and folders" is checked. Also
uncheck "Hide protected operating system files" and "Hide extensions for
known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"


cshbm.exe
___________________________________________________________________


Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start,
then click OK. This will scan your computer for the bad files and delete them.
_______________________________________________________________________

Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix"
(Not "Scan only") and let it do its thing.


_______________________________________________________________________



Now run Cleanup.

_______________________________________________________________________

In safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and
go to Edit > Select All then Edit > Delete to delete the entire contents of
the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open.
Click Edit > Select All then Edit > Delete to delete the entire contents of
the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under
"Temporary Internet Files" Click "Delete Files". Put a check by "Delete
Offline Content" and click OK. Click on the Programs tab then click the
"Reset Web Settings" button. Click Apply then OK.
_______________________________________________________________________



Boot back into Windows now.



Go to: http://housecall.trendmicro.com/ and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan.
If it finds anything that it cannot clean have it delete it or make a note
of the file location so you can delete it yourself. Housecall will detect
the leftover files from this hijacker.


This hijacker is known to alter or delete certain files so check this out
please:

Download the Hoster from:
http://www.funkytoad.com/download/hoster.zip UnZip
the file and press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file. Go
to: http://www.spywareinfo.com/~merijn/winfiles.html and download
SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the C:\Windows\system32 folder to be sure you have a file named
Shell.dll. If you do not have one, go to the C:\Windows\system32\dllcache
folder.

Find shell.dll and right click on it. Choose Copy from the menu.
Open the System32 folder and right click on an empty space in the window.
Choose Paste from the menu. Otherwise, you can download following the
instructions here: http://www.bleepingcomputer.com/files/shellxp.php


control.exe may have been deleted.
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go to:
http://www.richardthelionhearted.co...es.html#control, and download
control.exe per the instructions at the site.

IMPORTANT!: Please check your ActiveX security settings. They may have been
changed by this CWS variant to allow ALL ActiveX!! Reset your ActiveX security settings like so... Go to Internet Options > Security > Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options (Download signed and
unsigned ActiveX
controls) to 'prompt', and 'Initialize and Script ActiveX controls not
marked as safe" to 'disable'.




download FindT

http://bilder.informationsarchiv.net/Nikitas_Tools/FindT.zip



- Extract the files to a folder in C:\ of your choice.
- open the "FindT" folder and run the runthis.bat file
- a text file will open; post the results


Download rkfiles

http://skads.org/special/rkfiles.zip

and unzip the contents to a new folder on your desktop.


* Unzip RKfiles.zip to the desktop
* Double-click RKFiles.bat to run it.
o It may take a while.
* When it is finished a window should appear with a log.
* Please copy the contents of the log and paste them here
o Note: the log will be saved at c:\log.txt



post another hijack this log, the rkfiles and Find T logs
 
Joined
Feb 15, 2004
Messages
12,302
also run ewido in safe mode before fixing with hijack this, so some of those files might be missing when you come to fix them with hijack this!
 

Neil Miller

Thread Starter
Joined
Sep 3, 2005
Messages
23
Thanks Khazars.

Followed all your steps in order. Some notes I made along the way:

1. Killbox did not find any files.
2. CW Shredder found no infected files.
3. Shell.dll was present.
4. control.exe was present.

The FindT report was empty - here is the content of the text file it generated:


PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

It did generate a huge amount of info in the DOS box it opened, but I couldn't copy any of that stuff - didn't know how to cut and paste it.

This is the rkfiles log:


D:\Documents and Settings\Administrator\Desktop\Spyware tools\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
D:\WINNT\RMAgentOutput.dll: UPX!
D:\WINNT\tsc.exe: UPX!
D:\WINNT\vsapi32.dll: UPX!t4
Finished
bye

And finally the Hijack This log:




Logfile of HijackThis v1.99.1
Scan saved at 17:57:01, on 03/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\csrss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\WINNT\System32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
D:\WINNT\system32\MSTask.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINNT\system32\stisvc.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\SymTray.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINNT\system32\internat.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\Program Files\Trust\305KS\Keyboard\KbdAp32A.exe
D:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\PROGRA~1\WINZIP\winzip32.exe
D:\WINNT\system32\NOTEPAD.EXE
D:\Documents and Settings\Administrator\Desktop\Spyware tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.giointernet.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] D:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [URLLSTCK.exe] D:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [FLMK08KB] D:\Program Files\Trust\305KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [PCLEPCI] D:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ntje32.exe] D:\WINNT\ntje32.exe
O4 - HKLM\..\Run: [crqw32.exe] D:\WINNT\system32\crqw32.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] D:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AWMON] "D:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = D:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = D:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\unzipped\toolbarcop\Toolbarcop.exe (HKCU)
O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\unzipped\toolbarcop\Toolbarcop.exe (HKCU)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123009188968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3542492-6015-454B-97ED-24175188D713}: NameServer = 195.95.218.5,85.255.112.13
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Thanks again,
Neil.
 
Joined
Feb 15, 2004
Messages
12,302
Is your computer running any better?


As you Paste each entry into Killbox, place a tick by any of these Selections available

"Delete on Reboot"
"Unregister .dll before Deleting"

Click the Red Circle with the White X in the Middle to Delete!


D:\WINNT\RMAgentOutput.dll


Run an online antivirus check from

http://www.kaspersky.com/virusscanner

you will need to input a name
and email address but anyone will do & then accept an active X control IT IS
SAFE to do so LET IT FIX WHATEVER IT FINDS

reboot again post a fresh HJT log




post another log and the kaspersky
 

Neil Miller

Thread Starter
Joined
Sep 3, 2005
Messages
23
Hi Khazars,

Yes - it is running much better, thank you!

However, before I got your reply, Ewido came up with two instances of:

Trojan.DNSchanger.u

both located in WINNT\system32\ as yaemu.exe and hgqhp.exe

and Norton found:

Downloader.Trojan

I did the killbox thing on the dll file as you instructed, then ran an online scan with Kaspersky, which only found infections in my Norton Antivirus quarantine and Norton-deleted email:

Trojan_Spy.HTML.Bankfraud.hs
Trojan_spy.HTML.usbankfraud.p

So I won't bother you with this logfile. Here is the HJack This file:



Logfile of HijackThis v1.99.1
Scan saved at 14:11:12, on 05/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\csrss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINNT\System32\svchost.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
D:\Program Files\ewido\security suite\ewidoguard.exe
D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
D:\Program Files\Ahead\InCD\InCDsrv.exe
D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
D:\WINNT\System32\nvsvc32.exe
D:\WINNT\system32\regsvc.exe
D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
D:\WINNT\system32\MSTask.exe
D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINNT\system32\stisvc.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\WINNT\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\SymTray.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\Program Files\Trust\305KS\Keyboard\KbdAp32A.exe
D:\WINNT\system32\internat.exe
D:\WINNT\system32\RUNDLL32.EXE
D:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Outlook Express\msimn.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\ewido\security suite\securitysuite.exe
D:\WINNT\system32\NOTEPAD.EXE
D:\Documents and Settings\Administrator\Desktop\Spyware tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.giointernet.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] D:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [URLLSTCK.exe] D:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [FLMK08KB] D:\Program Files\Trust\305KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [PCLEPCI] D:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ntje32.exe] D:\WINNT\ntje32.exe
O4 - HKLM\..\Run: [crqw32.exe] D:\WINNT\system32\crqw32.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] D:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AWMON] "D:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = D:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = D:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\unzipped\toolbarcop\Toolbarcop.exe (HKCU)
O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\unzipped\toolbarcop\Toolbarcop.exe (HKCU)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123009188968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3542492-6015-454B-97ED-24175188D713}: NameServer = 195.95.218.5,85.255.112.13
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I have a query about these two files:

ntje32.exe
crqw32.exe

They appear in the HJT log, even though you had me delete them. I have tried to do a google search on them, but can't find any info on whether they are legit files or not.

Regards,
Neil.
 
Joined
Feb 15, 2004
Messages
12,302
Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php


Copy the contents of the below Quote Box to Notepad. Then click File and then
Save As. Change the Save as Type to All Files. Name the file fixit.reg and
then click save. (make sure you save it somewhere you can find it. Saving it
to your Desktop may make that easy.) Then double-click on the fixit.reg file
on your desktop (or locate it with Windows Explorer and double click on it if
not saved to the Desktop) and when it prompts to Add in to the registry, say
yes



REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""

After the merged successfully prompt, please reboot your computer.


* Click here for info on how to boot to safe mode if you don't already know
how.

http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



* Now copy these instructions to notepad and save them to your desktop. You
will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in
safe mode:



have hijack this fix these entries. close all browsers and programmes before
clicking FIX.


O4 - HKLM\..\Run: [ntje32.exe] D:\WINNT\ntje32.exe
O4 - HKLM\..\Run: [crqw32.exe] D:\WINNT\system32\crqw32.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3542492-6015-454B-97ED-24175188D713}: NameServer = 195.95.218.5,85.255.112.13



Double-click on Killbox.exe to run it. Now put a tick by Delete on
Reboot. In the "Full Path of File to Delete" box, copy and paste each
of the following lines one at a time then click on the button that has
the red circle with the X in the middle after you enter each file.
It will ask for confirmation to delete the file on next reboot. Click
Yes. It will then ask if you want to reboot now. Click No. Continue
with that same procedure until you have copied and pasted all of
these in the "Paste Full Path of File to Delete" box. Then click yes
to reboot after you entered the last one.


Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.


D:\WINNT\ntje32.exe
D:\WINNT\system32\crqw32.exe
D:\WINNT\system32\hgqhp.exe
D:\WINNT\system32\yaemu.exe
D:\WINNT\RMAgentOutput.dll



reboot back to safe mode and download and run these progs!



download FindT

http://bilder.informationsarchiv.ne...Tools/FindT.zip



- Extract the files to a folder in C:\ of your choice.
- open the "FindT" folder and run the runthis.bat file
- a text file will open; post the results


Right click on

http://www.silentrunners.org/Silent Runners.vbs

and choose Save As...Save it to your Desktop. Make sure you have disabled any programs
that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double
click on 'Silent Runners' to run it. This will take a few minutes. It will
create a file called 'Startup Programs' followed by your computer name and
current date. Open up that file and post all the contents here in your next
post..ph...=post&id=134981 and save it to your Desktop.




Download rkfiles

http://skads.org/special/rkfiles.zip

and unzip the contents to a new folder on your desktop.


* Unzip RKfiles.zip to the desktop
* Double-click RKFiles.bat to run it.
o It may take a while.
* When it is finished a window should appear with a log.
* Please copy the contents of the log and paste them here
o Note: the log will be saved at c:\log.txt




post the rkfiles log, the silent runners and the find T logs, post another hijack this with it!
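Added example, not code from the thread or from HijackThis: it parses the O4 (Run key) and O17 (TCP/IP NameServer) lines that the helper singles out above and mechanically answers Neil's earlier question about ntje32.exe and crqw32.exe still showing in the log after Killbox. A Run entry whose image is gone is an orphan that only HijackThis can clear; one whose image is back on disk has been re-dropped and needs the file deleted again. The log excerpt is taken from the posted log; the file inventory and the "expected" resolver address are constructed assumptions, since the thread never says which of the two name servers is the ISP's.

```python
"""Classify HijackThis O4/O17 entries from a log against a file inventory."""
import re
from typing import Dict, Iterable, List, Tuple

# Excerpt of the HijackThis v1.99.1 log posted in this thread (subset of lines).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ntje32.exe] D:\WINNT\ntje32.exe
O4 - HKLM\..\Run: [crqw32.exe] D:\WINNT\system32\crqw32.exe
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3542492-6015-454B-97ED-24175188D713}: NameServer = 195.95.218.5,85.255.112.13
"""

# Constructed stand-in for a directory listing taken after the Killbox step:
# ntje32.exe has stayed deleted, crqw32.exe has been dropped again.
PRESENT_FILES = {
    r"D:\Program Files\Common Files\Symantec Shared\ccApp.exe",
    r"D:\Program Files\Ahead\Nero BackItUp\NBJ.exe",
    r"D:\WINNT\system32\crqw32.exe",
}

# Assumed for the example only: the thread does not state which resolver is
# the ISP's, so the first address is treated as the expected one.
EXPECTED_DNS = {"195.95.218.5"}

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = ([\d.,]+)\s*$")


def run_target(command: str) -> str:
    """Return the image an O4 Run command launches.

    A quoted path is taken whole; otherwise the first token is the image
    (for RUNDLL32 lines that is rundll32 itself, which is what really runs).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_o4(log: str) -> List[Tuple[str, str, str, str]]:
    """Return (hive, key, entry name, target image) for every O4 Run line."""
    out = []
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            out.append((hive, key, name, run_target(command)))
    return out


def parse_o17(log: str) -> List[str]:
    """Return every name server address listed on O17 lines, in log order."""
    servers: List[str] = []
    for line in log.splitlines():
        m = O17_RE.match(line)
        if m:
            servers.extend(s for s in m.group(1).split(",") if s)
    return servers


def classify_run_entries(log: str, present: Iterable[str]) -> Dict[str, List[str]]:
    """Sort O4 Run entries by whether their image is on disk.

    orphaned   - image path absent: the registry value outlived the file
    present    - image path found: file is back (or was never removed)
    unresolved - bare file name with no drive, searched on PATH; not checked
    """
    present_lc = {p.lower() for p in present}
    result: Dict[str, List[str]] = {"orphaned": [], "present": [], "unresolved": []}
    for _hive, _key, name, target in parse_o4(log):
        if ":\\" not in target:
            result["unresolved"].append(name)
        elif target.lower() in present_lc:
            result["present"].append(name)
        else:
            result["orphaned"].append(name)
    return result


def unexpected_nameservers(log: str, expected: Iterable[str]) -> List[str]:
    """Return O17 name servers that are not on the expected list."""
    exp = set(expected)
    return [s for s in parse_o17(log) if s not in exp]


def main() -> None:
    plan = classify_run_entries(SAMPLE_LOG, PRESENT_FILES)
    for name in plan["orphaned"]:
        print(f"O4 [{name}]: image missing, have HijackThis fix the entry")
    for name in plan["present"]:
        print(f"O4 [{name}]: image on disk, verify the file before deleting it")
    for name in plan["unresolved"]:
        print(f"O4 [{name}]: bare file name, resolve on PATH before judging")
    for server in unexpected_nameservers(SAMPLE_LOG, EXPECTED_DNS):
        print(f"O17: name server {server} is not on the expected list")


if __name__ == "__main__":
    main()
```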
 

Neil Miller

Thread Starter
Joined
Sep 3, 2005
Messages
23
Hello Khazars - that was quick! Thank you.

Are you sure about removing the 017 entry?

I did try that once before, and I could not access the internet at all, so I had to reinstall the entry.

Regards,
Neil.
 
Joined
Feb 15, 2004
Messages
12,302
I'm pretty sure that it's a rogue entry linked to the infection you have? If I'm wrong and you remove it, you can go into hijack this' backups and restore that entry!
 

Neil Miller

Thread Starter
Joined
Sep 3, 2005
Messages
23
Ok, will do. I have just tried to merge the registry script with the registry. I got an error message something like

"cannot merge.......not a registry script....you can only import registry scripts."

I did not copy the "REGEDIT4" bit though - will that make a difference? Everything else I did exactly like you said.

Regards,
Neil.
 
Joined
Feb 15, 2004
Messages
12,302
yes you have to copy the regedit4 bit with the rest!


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=-
"System"=""
 
Joined
Feb 15, 2004
Messages
12,302
also, repeat everything again as you need to do the reg fix first or we will not be able to find the bad files!
 

Neil Miller

Thread Starter
Joined
Sep 3, 2005
Messages
23
Thanks Khazars - it worked that time (stupid me!) and I did everything in order as stated.

I did have to restore the 017 key, as I could not connect to the internet without it.




RKfiles log:

D:\Documents and Settings\Administrator\Desktop\Spyware tools\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
D:\WINNT\tsc.exe: UPX!
D:\WINNT\vsapi32.dll: UPX!t4
Finished
bye

FindT next:

NB: Just like last time, it only produced a couple of lines of text. The lines following the announcement in caps were copied and pasted from the DOS window and added to the text file:


PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.



D:\Documents and Settings\Administrator\Desktop\Spyware tools\FindT\Find T>if ex
ist file.txt del file.txt

D:\Documents and Settings\Administrator\Desktop\Spyware tools\FindT\Find T>echo
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be
LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT
IS LEAVE THEM ALONE. 1>>file.txt

D:\Documents and Settings\Administrator\Desktop\Spyware tools\FindT\Find T>echo
+++++ Search by size & name's... 1>>file.txt
+++++ Search by size
'name's...' is not recognized as an internal or external command,
operable program or batch file.

D:\Documents and Settings\Administrator\Desktop\Spyware tools\FindT\Find T>echo.
1>>file.txt

D:\Documents and Settings\Administrator\Desktop\Spyware tools\FindT\Find T>LOCAT
E D:\WINNT\System32\*.exe /D- /D:T-10M /S:55304! /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\*.e
xe /D- /D:5-11-03! /S:43528! /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\*.e
xe /D- /D:T-10M /S:4096! /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\*.e
xe /D- /D:6-19-03! /S:43528! /NR /N 1>>file.txt

/D+ find Directories only
/D- files only, no Directories
/D both files and Directories (default)

/D:[start][,end] only Dates in range
/D:date! only one specific date
/D:T only items dated today

/US show dates in US format: Jan 31 1996
/UK show dates in UK format: 31 Jan 1996
/UJ show dates in ISO format: 1996-01-31

Local date format: DD-MM-YYYY

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\*.e
xe /D- /D:T-10M /S:28680! /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\*.e
xe /D- /D:6-19-03! /S:11264! /NR /N 1>>file.txt

/D+ find Directories only
/D- files only, no Directories
/D both files and Directories (default)

/D:[start][,end] only Dates in range
/D:date! only one specific date
/D:T only items dated today

/US show dates in US format: Jan 31 1996
/UK show dates in UK format: 31 Jan 1996
/UJ show dates in ISO format: 1996-01-31

Local date format: DD-MM-YYYY

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\*.e
xe /D- /D:T-10M /S:43528! /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\*.r
en /D- /D:T-10M /S:43528! /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\ntf
snlpa.exe /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\cis
vvc.exe /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\drv
2cltr.dll /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\hyb
sys32.dll /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\loa
dctr.exe /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\rds
ndin.exe /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\pxp
cya64.exe /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System\*.exe
/D- /D:T-10M /S:55304! /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System\*.exe
/D- /D:5-11-03! /S:43528! /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System\*.exe
/D- /D:T-10M /S:4096! /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System\*.exe
/D- /D:6-19-03! /S:43528! /NR /N 1>>file.txt

/D+ find Directories only
/D- files only, no Directories
/D both files and Directories (default)

/D:[start][,end] only Dates in range
/D:date! only one specific date
/D:T only items dated today

/US show dates in US format: Jan 31 1996
/UK show dates in UK format: 31 Jan 1996
/UJ show dates in ISO format: 1996-01-31

Local date format: DD-MM-YYYY

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System\*.exe
/D- /D:T-10M /S:28680! /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System\*.exe
/D- /D:6-19-03! /S:11264! /NR /N 1>>file.txt

/D+ find Directories only
/D- files only, no Directories
/D both files and Directories (default)

/D:[start][,end] only Dates in range
/D:date! only one specific date
/D:T only items dated today

/US show dates in US format: Jan 31 1996
/UK show dates in UK format: 31 Jan 1996
/UJ show dates in ISO format: 1996-01-31

Local date format: DD-MM-YYYY

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System\*.exe
/D- /D:T-10M /S:43528! /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System\ntfsn
lpa.exe /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System\cisvv
c.exe /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System\drv2c
ltr.dll /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System\hybsy
s32.dll /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System\loadc
tr.exe /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System\rdsnd
in.exe /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\System32\pxp
cya64.exe /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\*.exe /D- /D
:T-10M /S:55304! /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\*.exe /D- /D
:T-10M /S:43528! /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\*.exe /D- /D
:T-10M /S:4096! /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\rdt.ini /NR
/N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\balloon.wav
/NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\WINNT\startm~1\pro
grams\startup\*.exe /NR /N 1>>file.txt

D:\DOCUME~1\ADMINI~1\Desktop\SPYWAR~1\FindT\FINDT~1>LOCATE D:\docume~1\alluse~1\
startm~1\programs\startup\*.exe /NR /N 1>>file.txt

HiJack This follows:



Logfile of HijackThis v1.99.1
Scan saved at 18:39:49, on 05/09/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\userinit.exe
D:\WINNT\Explorer.EXE
D:\WINNT\system32\NOTEPAD.EXE
D:\Documents and Settings\Administrator\Desktop\Spyware tools\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ebay.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.giointernet.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] D:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg
O4 - HKLM\..\Run: [URLLSTCK.exe] D:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] D:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [FLMK08KB] D:\Program Files\Trust\305KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [PCLEPCI] D:\PROGRA~1\PINNACLE\PPE\ppe.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ntje32.exe] D:\WINNT\ntje32.exe
O4 - HKLM\..\Run: [crqw32.exe] D:\WINNT\system32\crqw32.exe
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] D:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AWMON] "D:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Pinnacle Scheduler.lnk = D:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = D:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://d:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://d:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\unzipped\toolbarcop\Toolbarcop.exe (HKCU)
O9 - Extra 'Tools' menuitem: ToolbarCop - {A349A035-E26F-454b-ABB4-5208E50E1BE7} - C:\unzipped\toolbarcop\Toolbarcop.exe (HKCU)
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple.com/iTunes4/WW/win/019-0312.20050111.MmVrT/iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123009188968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} (webhelper Class) - http://register.btinternet.com/templates/btwebcontrol023.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3542492-6015-454B-97ED-24175188D713}: NameServer = 195.95.218.5,85.255.112.13
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - D:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - D:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GhostStartService - Symantec Corporation - D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - D:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Finally, I ran out of space (exceeded posting length on this message) so I will post the Silent Runners file directly after posting this lot.






Once again, thanks for your time and efforts!
Regards,

Neil.
 

Neil Miller

Thread Starter
Joined
Sep 3, 2005
Messages
23
Here is the Silent runners file missing from the last posting:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"NvMediaCenter" = "RUNDLL32.EXE D:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit" [MS]
"NBJ" = ""D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"" ["Ahead Software AG"]
"AWMON" = ""D:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"" ["Lavasoft Sweden"]
"Spyware Doctor" = (empty string)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"NvCplDaemon" = "RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup" [MS]
"SymTray - Norton SystemWorks" = "D:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg" ["Symantec Corporation"]
"URLLSTCK.exe" = "D:\Program Files\Norton Internet Security Professional\UrlLstCk.exe" ["Symantec Corporation"]
"Advanced Tools Check" = "D:\PROGRA~1\NORTON~2\NORTON~1\AdvTools\ADVCHK.EXE" ["Symantec Corporation"]
"SSC_UserPrompt" = "D:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"FLMK08KB" = "D:\Program Files\Trust\305KS\Keyboard\MMKEYBD.EXE" [empty string]
"PCLEPCI" = "D:\PROGRA~1\PINNACLE\PPE\ppe.exe" ["Pinnacle Systems GmbH"]
"Symantec NetDriver Monitor" = "D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"ccApp" = ""D:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"GhostStartTrayApp" = "D:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe" [file not found]
"NeroFilterCheck" = "D:\WINNT\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"QuickTime Task" = ""D:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"InCD" = "D:\Program Files\Ahead\InCD\InCD.exe" ["Ahead Software AG"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ {++}
"SymTray - Norton SystemWorks" = "D:\Program Files\Common Files\Symantec Shared\Symtrdr.exe" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll" ["PC Tools"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "d:\program files\google\googletoolbar2.dll" ["Google Inc."]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "CNavExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "D:\WINNT\System32\nvshell.dll" ["NVIDIA Corporation"]
"{57C51AF9-DEF7-11D3-A801-00C04F163490}" = "Ghost Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton SystemWorks\Norton Ghost\GhoShExt.dll" ["Symantec Corporation"]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{950FF917-7A57-46BC-8017-59D9BF474000}" = "Shell Extension for CDRW"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Ahead\InCD\incdshx.dll" ["Ahead Software AG"]
"{8f7261d0-d2b9-11d2-9909-00605205b24c}" = "CuteFTP Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\DOCUME~1\ALLUSE~1\APPLIC~1\GlobalSCAPE\CuteFTP\CuteShell.dll" ["GlobalSCAPE, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
CuteFTP\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}"
-> {CLSID}\InProcServer32\(Default) = "D:\DOCUME~1\ALLUSE~1\APPLIC~1\GlobalSCAPE\CuteFTP\CuteShell.dll" ["GlobalSCAPE, Inc."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
CuteFTP\(Default) = "{8f7261d0-d2b9-11d2-9909-00605205b24c}"
-> {CLSID}\InProcServer32\(Default) = "D:\DOCUME~1\ALLUSE~1\APPLIC~1\GlobalSCAPE\CuteFTP\CuteShell.dll" ["GlobalSCAPE, Inc."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "D:\Documents and Settings\Default User\My Documents\My Pictures\vp_CSmillie13.jpg"


Startup items in "sysop2" & "All Users" startup folders:
--------------------------------------------------------

D:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Microsoft Office" -> shortcut to: "D:\Program Files\Microsoft Office\Office\OSA9.EXE -b -l" [MS]
"Pinnacle Scheduler" -> shortcut to: "D:\Program Files\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe" ["Pinnacle Systems GmbH, Braunschweig"]
"EPSON Status Monitor 3 Environment Check 2" -> shortcut to: "D:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE" ["SEIKO EPSON CORPORATION"]


Enabled Scheduled Tasks:
------------------------

"Norton SystemWorks One Button Checkup" -> launches: "D:\Program Files\Norton SystemWorks\OBC.exe /CUSTOM /SCHEDULE" ["Symantec Corporation"]
"Norton AntiVirus - Scan my computer" -> launches: "D:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exe /task:"D:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "D:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 18
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "d:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "d:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "d:\program files\google\googletoolbar2.dll" ["Google Inc."]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\
{A349A035-E26F-454B-ABB4-5208E50E1BE7}\
"ButtonText" = "ToolbarCop"
"MenuText" = "ToolbarCop"
"Exec" = "C:\unzipped\toolbarcop\Toolbarcop.exe" [null data]

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]


All Non-Disabled Services (Display Name, Service Name, Path {Service DLL}):
---------------------------------------------------------------------------

EPSON Printer Status Agent2, EPSONStatusAgent2, "D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe" ["SEIKO EPSON CORPORATION"]
ewido security suite control, ewido security suite control, "D:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "D:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
GhostStartService, GhostStartService, "D:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE" ["Symantec Corporation"]
InCD Helper, InCDsrv, "D:\Program Files\Ahead\InCD\InCDsrv.exe" ["Ahead Software AG"]
Logical Disk Manager Administrative Service, dmadmin, "D:\WINNT\System32\dmadmin.exe /com" ["VERITAS Software Corp."]
Network DDE DSDM, NetDDEdsdm, "D:\WINNT\system32\netdde.exe" [MS]
Norton AntiVirus Auto Protect Service, navapsvc, ""D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Norton Unerase Protection, NProtectService, "D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" ["Symantec Corporation"]
NVIDIA Display Driver Service, NVSvc, "D:\WINNT\System32\nvsvc32.exe" ["NVIDIA Corporation"]
SAVScan, SAVScan, "D:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe" ["Symantec Corporation"]
ScriptBlocking Service, SBService, "D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe" ["Symantec Corporation"]
Speed Disk service, Speed Disk service, "D:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe" ["Symantec Corporation"]
Symantec Core LC, Symantec Core LC, "D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""D:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Password Validation, ccPwdSvc, ""D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
SymWMI Service, SymWSC, "D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe" ["Symantec Corporation"]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 128 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 5 seconds.
---------- (total run time: 153 seconds)
Regards,
Neil.
 
Joined
Feb 15, 2004
Messages
12,302
Aha, turn off Ad-Aware's Ad-Watch feature, as it can interfere with the fixes!



Have HijackThis fix these entries. Close all browsers and programmes before
clicking FIX.



O4 - HKLM\..\Run: [FLMK08KB] D:\Program Files\Trust\305KS\Keyboard\MMKEYBD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ntje32.exe] D:\WINNT\ntje32.exe
O4 - HKLM\..\Run: [crqw32.exe] D:\WINNT\system32\crqw32.exe



Run ActiveScan online virus scan here

http://www.pandasoftware.com/activescan/

When the scan is finished, anything that it cannot clean have it delete it.
Make a note of the file location of anything that cannot be deleted so you
can delete it yourself.
- Save the results from the scan!




Run an online antivirus check from

http://www.kaspersky.com/virusscanner

You will need to input a name
and email address, but anyone will do, & then accept an ActiveX control. IT IS
SAFE to do so. LET IT FIX WHATEVER IT FINDS.

Reboot again and post a fresh HJT log.


Post another log, plus the Kaspersky and ActiveScan logs. Can you just post the log instead of putting it in quote boxes, as it makes it difficult to read!
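Two kinds of line have driven this thread: the O4 Run entries Khazars picks out for fixing (ntje32.exe and crqw32.exe sit directly in the Windows folder under short names that no installed product accounts for) and the O17 NameServer entry debated earlier. An O17 line is a static DNS override for that network interface; HijackThis's fix simply deletes the value, so if the interface has no DHCP-supplied resolver to fall back on, name resolution stops, which is the symptom Neil hit when he removed it. The script below is an added example written for this thread, not a HijackThis feature: it parses log lines into (section, body) records, flags O4 entries that start an unrecognised executable from the Windows folder or System32, and surfaces every O17 NameServer entry with its servers listed so they can be checked against the ISP's published resolvers. The allowlist of known system-folder autostarts and the "random-looking name" pattern are my assumptions; the sample lines are copied from the log Neil posted.

```python
"""Triage a HijackThis log: unknown Windows-folder autostarts and DNS overrides (added example)."""
import re

# Lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ntje32.exe] D:\WINNT\ntje32.exe
O4 - HKLM\..\Run: [crqw32.exe] D:\WINNT\system32\crqw32.exe
O4 - HKCU\..\Run: [NBJ] "D:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3542492-6015-454B-97ED-24175188D713}: NameServer = 195.95.218.5,85.255.112.13
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINNT\System32\nvsvc32.exe
"""

_LINE_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
_O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
_O17_RE = re.compile(r"NameServer = ([\d.,]+)$")

# Windows-folder executables expected to autostart on this machine (assumption for the demo).
KNOWN_SYSTEM_AUTOSTARTS = {"nvcpl.dll", "nvmctray.dll", "nerocheck.exe",
                           "mobsync.exe", "nwiz.exe", "internat.exe"}
# Short lowercase name ending in "32" directly in a system folder (assumption: dropper-style naming).
RANDOM_NAME_RE = re.compile(r"^[a-z]{3,5}32\.(exe|dll)$")


def parse_log(text):
    """Yield (section, body) for each HijackThis entry line, ignoring headers and process lists."""
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def executable_from_command(command):
    """Best-effort: the executable (or DLL, for rundll32) an O4 command line actually runs."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    parts = command.split()
    if parts and parts[0].lower() == "rundll32.exe" and len(parts) > 1:
        return parts[1].split(",")[0]  # rundll32 foo.dll,Entry -> foo.dll
    return parts[0] if parts else ""


def in_windows_folder(path):
    """True when the file sits directly in the Windows folder or System32."""
    p = path.lower().replace("/", "\\")
    folder = p.rsplit("\\", 1)[0] if "\\" in p else ""
    return folder.endswith(("\\winnt", "\\windows", "\\system32"))


def triage(text):
    """Return (section, reason, body) findings for O4 and O17 entries worth a second look."""
    findings = []
    for section, body in parse_log(text):
        if section == "O4":
            m = _O4_RE.match(body)
            if not m:
                continue
            exe = executable_from_command(m.group(4))
            name = exe.rsplit("\\", 1)[-1].lower()
            if in_windows_folder(exe) and name not in KNOWN_SYSTEM_AUTOSTARTS:
                reason = "unrecognised autostart in Windows folder"
                if RANDOM_NAME_RE.match(name):
                    reason += ", random-looking name"
                findings.append((section, reason, body))
        elif section == "O17":
            m = _O17_RE.search(body)
            if m:
                servers = ", ".join(m.group(1).split(","))
                findings.append((section, f"static DNS override -> {servers}; "
                                          "compare with the ISP's resolvers before fixing", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```

On the sample lines this flags exactly the two O4 entries Khazars lists and the single O17 entry, and leaves the NVIDIA, Nero and Program Files entries alone. Extending the allowlist is the normal way to cut noise on a different machine.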
 