Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

N

nsfirechap

31 Posts

47445

December 18th, 2004 22:00

Help with Maleware/Spyware

My Dell 5100 laptop is bombarded with maleware - elite toolbar, Kalvys, and others thant Norton Anti virus cannot remove, Adware & spybot "clean" them but they are still there on the rescan. My IE toolbar has been hijacked and locked to "about blank". I did go to safe mode and removed all the registry entries pertaining to these but still came back. I also reformatted the hard drive and reloaded using the Dell XP restore cd but the buggers are still there. Is there a possibility that they are residing on the partition that Dell tech support says stays there for system restore? Any help anyone can provide will be great and deeply and desperately appreciated.
 
Jeff 
:smileymad::smileymad::smileymad::smileymad::smileymad:

Midnight Star

4.8K Posts

December 18th, 2004 22:00

Jeff,

Follow the directions pinned at the top of this forum and post back a HiJackThis log for review. That way, we can see the extent of what your system has.

Mike.

nsfirechap

31 Posts

December 18th, 2004 23:00

This is what  I came up with:
 
Logfile of HijackThis v1.99.0
Scan saved at 4:16:17 PM, on 12/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\msa.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\crsss.exe
C:\WINDOWS\bsikgj.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Windows Media Player] msa.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [start uploading] crsss.exe
O4 - HKLM\..\Run: [dX28S] C:\WINDOWS\bsikgj.exe
O4 - HKLM\..\Run: [dX28ÏÔ@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\bsikgj.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvvaj32.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKLM\..\RunServices: [start uploading] crsss.exe
O4 - HKCU\..\Run: [Windows Media Player] msa.exe
O4 - HKCU\..\Run: [start uploading] crsss.exe
O4 - HKCU\..\RunServices: [start uploading] crsss.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\lsp.dll' missing
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103155708825
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)
 
 
I know the entry "Kalvs" is part of the problem but I did not "fix" it - that was one of the registry files I scanned for in safe mode and deleted but it came back!
 
Thanks for the help.
 
 Jeff

Midnight Star

4.8K Posts

December 19th, 2004 00:00

nsfirechamp,
 
There are multiple problems residing on your system, including what looks a trojan or two....
 
 
Let's start here:
 
Go to www.trendmicro.com and click " Free Online Scan". When it's downloaded, select all available drives, then click " Scan".
 
 
Have you tried using AdAware SE Personal and Spybot S&D? Both programs are free to download and use.
 

Download LSPFix, unzip it to your desktop, run it, then:

  • Check(tick) "I know what i'm doing"
  • Click on(highlight) each occurance of lsp.dll, then click ">>", moving it over to the 'Remove' pane.
  • (Double-check and make sure that only lsp.dll, and nothing else, is in the 'Remove' pane.)
  • Click "Finish >>"

Run HiJackThis, then click "Config...", then "Misc Tools", then:

1) Click "Delete a file on reboot"

2) Browse to, then double-click on the following file(s), one at a time, when prompted to 'reboot now', select "No" for all files:

C:\WINDOWS\System32\msa.exe
C:\WINDOWS\System32\crsss.exe
C:\windows\system32\kalvvaj32.exe

(Repeat step 1 & 2 for all the above files...)

Now, reboot your computer into "Safe Mode".

Now, run HiJackThis and click "Scan" then check(tick) the following, if present:

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O4 - HKLM\..\Run: [Windows Media Player] msa.exe
O4 - HKLM\..\Run: [start uploading] crsss.exe
O4 - HKLM\..\Run: [dX28S] C:\WINDOWS\bsikgj.exe
O4 - HKLM\..\Run: [dX28ÏÔ@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\bsikgj.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvvaj32.exe
O4 - HKLM\..\RunServices: [Windows Media Player] msa.exe
O4 - HKLM\..\RunServices: [start uploading] crsss.exe
O4 - HKCU\..\Run: [Windows Media Player] msa.exe
O4 - HKCU\..\Run: [start uploading] crsss.exe
O4 - HKCU\..\RunServices: [start uploading] crsss.exe

O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

Now with all windows closed except HiJackThis, click "Fix checked".

Locate and delete the following item(s), if present. Make sure your ablet to view system and hidden files/ folders:

folders...

C:\Program Files\ISTsvc

files...

 C:\WINDOWS\bsikgj.exe

Reboot your computer normally.

Post back a new log.

Mike.

 

nsfirechap

31 Posts

December 19th, 2004 22:00

WHEW - almost as bad as going into the registry!!!
OK here's what I have - follows is the latest hijack log. After running the instructions I ran adware and had the following entries:
 ist regkey
 istbar regvalue
 search miner (file)
 other (windows\prefetch\kalvehz32.exe
 I hit fix and reran adware and these fiels do not reapear in Adware but I did search the registry and it is chock full of files containing these items.  
 
 Also I searched for each item in windows search and the only one that still comes up is the prefetch KALVEHZ32.exe 
 
 Now what??? (Good thing my desktop isn't acting up)!!! Thanks so much for the help.
 
Logfile of HijackThis v1.99.0
Scan saved at 3:03:03 PM, on 12/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jeff\Desktop\FxIstbar.exe
C:\Program Files\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [dX28ÏÔ@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\bsikgj.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103155708825
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
 

nsfirechap

31 Posts

December 19th, 2004 23:00

I just ran a scan with Norton and got the following files identified as "Maleware" and when I tried to fix them i got the message delete failed:

Bullseye Network\bin\adv.exe

Bullseye network\bin\adx.exe

Bullseye Network/bin\bargains.exe

bb[1].exe

windows/system32/exd/exul

istbar mainstream

javexulm

mwexdlm.srg

msde.dll

sidefind 13[2].dll

 

Thanks again,

Jeff

:smileyindifferent::smileymad::smileysad::smileyindifferent:

 

nsfirechap

31 Posts

December 20th, 2004 02:00

the files now no longer show up when I scan with adware - but show up when I do a norton scan - all the files norton finds norton links them to bullseye network and bargain buddy but can not find those files when I scan the hard drive. Also I still find in the registry files search miner, Kalvs, elitum, etc.
 
 
Jeff   

nsfirechap

31 Posts

December 20th, 2004 02:00

Latest hijack scan:

 

Logfile of HijackThis v1.99.0
Scan saved at 7:40:30 PM, on 12/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com/nwshp?hl=en&gl=
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103155708825
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{770C9D96-8478-4F34-BE74-AC0BB656B934}: NameServer = 209.165.131.12 209.165.131.13
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

 

Midnight Star

4.8K Posts

December 20th, 2004 02:00

Jeff,
 
Try getting the full path from Norton's and entering them in "Delete a file on reboot"; see if that can 'clean' them off.
 
You might also try running everything from "Safe Mode".
 
Mike.
 

Midnight Star

4.8K Posts

December 20th, 2004 02:00

Jeff,
 
Good work! That's cleaned up alot!
 
 
Have HiJackThis fix this line in " Safe Mode":
 
HKLM\..\Run: [dX28ÏÔ@ÔÁß]­ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\bsikgj.exe
 
 
Did you try running AdAware SE Personal and Spybot S&D from " Safe Mode"? You should be able to delete those file(s) from there also, including the one located in the 'prefetch' folder. If not, post back and we'll try using HiJackThis or Killbox to delete those on reboot.
 
Mike.
 

Message Edited by Midnight Star on 12-19-2004 10:07 PM

Midnight Star

4.8K Posts

December 20th, 2004 03:00

Jeff,
 
Cool! Will do!
 
I bet you guys never have to worry about getting a white Christmas ... :smileyvery-happy:
 
It should be, but be sure to backup your entire registry before you begin. Just in case something goes wrong. Symantec has a good tutorial for to do that.
 
Good luck and Merry Christmas!,
 
Mike.

nsfirechap

31 Posts

December 20th, 2004 03:00

Mike,
 
 is it safe to delete them from the registry? Am assuming this will "fix" the problems - thank you sooooooo much for the help. Hey if you are ever up my way - North pole, Alaska - drop on by.
 
 
Jeff

Midnight Star

4.8K Posts

December 20th, 2004 03:00

Jeff,
 
That log looks fine.
 
Here are some of the file(s) I was referring to:
 
  • Bullseye Network\bin\adv.exe
  • Bullseye network\bin\adx.exe
  • Bullseye Network/bin\bargains.exe
  • bb[1].exe
  • windows/system32/exd/exul
  • javexulm
  • mwexdlm.srg
  • msde.dll
  • sidefind 13[2].dll

If your viewing system and hidden files and folders and you can't locate them on your harddrive, maybe they only exist in the registry as a 'reference', and not actually on your harddrive.

Mike.

 

nsfirechap

31 Posts

December 28th, 2004 02:00

I think I did it again and wish I knew hoe - I am using the microsoft firewall and ran adaware and spybot and got all kinds of maleware found in adaware but it keeps coming back and my browser got hijacked again to about blank now I am getting all kinds of windows error messages about corrupted files. heres the hijack tihs file - thanks in advance for your help-I am truly indebted - I am going to try the repairs from the previous suggestions in the interim.
 
Jeff
 
 Logfile of HijackThis v1.99.0
Scan saved at 7:43:54 PM, on 12/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\crwc32.exe
C:\DOCUME~1\Jeff\LOCALS~1\Temp\89.tmp
C:\WINDOWS\System32\wscript.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lqriv.dll/sp.html#14044
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lqriv.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lqriv.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lqriv.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lqriv.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lqriv.dll/sp.html#14044
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1A2FCB78-BCDE-411A-2F9F-AE7FEB55F327} - C:\WINDOWS\sysxr.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [javaqi.exe] C:\WINDOWS\system32\javaqi.exe
O4 - HKLM\..\Run: [89.tmp] C:\DOCUME~1\Jeff\LOCALS~1\Temp\89.tmp.exe 0 10001
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103155708825
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\crwc32.exe
 

nsfirechap

31 Posts

December 28th, 2004 04:00

followed some instructions from another site and this is my updated hijack this log - adaware still keeps coming up with entries referin to Rads01.Quadrogram.

Jeff

 

Logfile of HijackThis v1.99.0
Scan saved at 8:57:31 PM, on 12/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\autorun.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lqriv.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lqriv.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lqriv.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lqriv.dll/sp.html#14044
O2 - BHO: (no name) - {24C595AC-D914-BDA8-E0FE-1EC427E42B62} - C:\WINDOWS\system32\ipeq.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [javaqi.exe] C:\WINDOWS\system32\javaqi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103155708825
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\crwc32.exe

 

  

nsfirechap

31 Posts

December 28th, 2004 04:00

followed some instructions from another site and this is my updated hijack this log - adaware still keeps coming up with entries referin to Rads01.Quadrogram.

Jeff

 

Logfile of HijackThis v1.99.0
Scan saved at 8:57:31 PM, on 12/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
D:\autorun.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lqriv.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lqriv.dll/sp.html#14044
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lqriv.dll/sp.html#14044
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lqriv.dll/sp.html#14044
O2 - BHO: (no name) - {24C595AC-D914-BDA8-E0FE-1EC427E42B62} - C:\WINDOWS\system32\ipeq.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [javaqi.exe] C:\WINDOWS\system32\javaqi.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1103155708825
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\crwc32.exe

 

  

View More

View All

No Events found!

Top