Skip to main content
Start a Conversation

Unsolved

This post is more than 5 years old

John_Doe

313 Posts

845

June 10th, 2005 22:00

Hijackthis Log Help!

Got a new comp with lots of problems:
 
Logfile of HijackThis v1.99.1
Scan saved at 11:58:00 AM, on 6/11/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\CounterSpy.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [wmplayer] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [nnyjgy] C:\WINNT\System32\nnyjgy.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
 

Message Edited by John_Doe on 06-11-2005 12:17 PM

zbestwun2001

4 Apprentice

 • 

8.8K Posts

June 11th, 2005 16:00

Hey John

You alone keep me pretty busy. :)

I don't see much happening on the log . Just one trojan.

What is going on with this system?


Run HiJackThis and click " Scan", then check(tick) the following, if present:


O4 - HKLM\..\Run: [nnyjgy] C:\WINNT\System32\nnyjgy.exe


Now, with all windows closed except HiJackThis, click " Fix checked".


Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

files...

C:\WINNT\System32\nnyjgy.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're ' in use', try deleting them from " Safe Mode".


Post back a new log, and let me know how everything goes.
Steve

John_Doe

313 Posts

June 12th, 2005 04:00

Hey steve,

Sorry, i just have a lot of friends with spyware/virus's. I appreciate all of your help. I believed I deleted the trojan. But the laptop is still really slow to load up and also when in use. I went to msconfig and left only mandatory programs on there. Any ideas why the system is so slow all of a sudden?

Here is another log...
 
Thanks!
 
Logfile of HijackThis v1.99.1
Scan saved at 12:59:55 AM, on 6/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\msconfig.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [nnyjgy] C:\WINNT\System32\nnyjgy.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
 

Message Edited by John_Doe on 06-12-2005 12:00 PM

zbestwun2001

4 Apprentice

 • 

8.8K Posts

June 12th, 2005 12:00

Let's continue on with the fix...

-
Let's do this in SAFE MODE


Be sure to look this solution over before you begin. There are a some item(s) i'm not familar with. If you recognze any, then just omit them from this fix.


Run HiJackThis and click " Scan", then check(tick) the following, if present:


O4 - HKLM\..\Run: [nnyjgy] C:\WINNT\System32\nnyjgy.exe


Now, with all windows closed except HiJackThis, click " Fix checked".


Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:

files...

C:\WINNT\System32\nnyjgy.exe

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're ' in use', try deleting them from " Safe Mode".


Post back a new log, and let me know how everything goes.
Steve

Message Edited by zbestwun2001 on 06-12-2005 06:59 AM

John_Doe

313 Posts

June 12th, 2005 14:00

Ok I went into SAFE mode and I think it was finally deleted. But the laptop is still acting really SLOW, when starting up and also when in use. I ran a Counterspy, Spybot, and Adaware scan no results. I also ran a virus scan with NAV 2005 but it found nothing. Any ideas or recommendations? I also ran registry mechanic.
 
 
Logfile of HijackThis v1.99.1
Scan saved at 11:50:55 AM, on 6/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\msconfig.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Message Edited by John_Doe on 06-12-2005 12:05 PM

zbestwun2001

4 Apprentice

 • 

8.8K Posts

June 12th, 2005 15:00

John
I am running out of tricks in my bag.

Let's try this, there maybe something running that doesn't show up in the log.

Download and run Silent Runners .
Then post the log.

Steve

zbestwun2001

4 Apprentice

 • 

8.8K Posts

June 12th, 2005 15:00

John,

Well it's gone, this log is now clean of malware.

Untill we meet again with a new log take care.

Steve

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

  2. Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
  3. You can find instructions on how to enable and re enable system restore here:
    Managing Windows Millennium System Restore
    or
    Windows XP System Restore Guide
    re-enable system restore with instructions from tutorial above

  4. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.

      2. Change the Download signed ActiveX controls to Prompt
      3. Change the Download unsigned ActiveX controls to Disable
      4. Change the Initialise and script ActiveX controls not marked as safe to Disable
      5. Change the Installation of desktop items to Prompt
      6. Change the Launching programs and files in an IFRAME to Prompt
      7. Change the Navigate sub-frames across different domains to Prompt
      8. When all these settings have been made, click on the OK button.
      9. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      10. Next press the Apply button and then the OK to exit the Internet Properties page.
      11. Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
      12. Computer Safety On line - Anti-Virus

      13. Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

      15. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
      16. Computer Safety On line - Software Firewalls

      17. Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

      19. Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
      20. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
        Instructions for - Spybot S & D and Ad-aware

      21. Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
      22. Instructions for - Spybot S & D and Ad-aware

      23. Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here:
      24. Computer Safety on line - Anti-Malware

      25. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
      26. Follow this list and your potential for being infected again will reduce dramatically.

    John_Doe

    313 Posts

    June 12th, 2005 15:00

    I edited my last post.

    John_Doe

    313 Posts

    June 12th, 2005 17:00

    I also forgot to mention Windows Media Player 9 seems to always open when I restart the laptop. I'm sure this is contributing to the slow startup. Any idea why? I have Windows 2000.
     
    Silent Runners Log:
     
    "Silent Runners.vbs", revision 37, http://www.silentrunners.org/
    Operating System: Windows 2000
    Output limited to non-default values, except where indicated by "{++}"

    Startup items buried in registry:
    ---------------------------------
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
    "wmplayer" = "C:\Program Files\Windows Media Player\wmplayer.exe" [MS]
    "nnyjgy" = "C:\WINNT\System32\nnyjgy.exe" [file not found]
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
    "SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
    "Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
    "Zone Labs Client" = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" ["Zone Labs, LLC"]
    "Synchronization Manager" = "mobsync.exe /logon" [MS]
    "MSConfig" = "C:\WINNT\system32\msconfig.exe /auto" [MS]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx" [empty string]
    {53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
    {BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
      -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
      -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
    "{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
      -> {CLSID}\InProcServer32\(Default) = "blank" [file not found]
    "{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    "{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
      -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    "" = ** INVALID DATA (not CLSID) **

    Enabled Active Desktop and Wallpaper:
    -------------------------------------
    Active Desktop is enabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

    Enabled Scheduled Tasks:
    ------------------------
    "Norton AntiVirus - Scan my computer - Administrator" -> launches: "C:\PROGRA~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
    "Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]

    Winsock2 Service Provider DLLs:
    -------------------------------
    Namespace Service Providers
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    Transport Service Providers
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 16
    %SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06

    Toolbars, Explorer Bars, Extensions:
    ------------------------------------
    Toolbars
    HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
      -> {CLSID}\(Default) = "Norton AntiVirus"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
    HKLM\Software\Microsoft\Internet Explorer\Toolbar\
    "{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
      -> {CLSID}\(Default) = "Norton AntiVirus"
      -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
    Explorer Bars
    HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
    {FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\
      -> {CLSID}\(Default) = "Real.com"
      -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\Shdocvw.dll" [MS]
    Extensions (Tools menu items, main toolbar menu buttons)
    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
    "ButtonText" = "AIM"
    "Exec" = "C:\PROGRA~1\AIM\aim.exe" ["America Online, Inc."]
    {CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
    "ButtonText" = "Real.com"

    Running Services (Display Name, Service Name, Path {Service DLL}):
    ------------------------------------------------------------------
    Diskeeper, Diskeeper, ""C:\Program Files\Executive Software\Diskeeper\DkService.exe"" ["Executive Software International, Inc."]
    Norton AntiVirus Auto-Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
    Norton AntiVirus Firewall Monitor Service, NPFMntor, "C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe" ["Symantec Corporation"]
    Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
    Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
    Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
    Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
    Symantec SPBBCSvc, SPBBCSvc, "C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" ["Symantec Corporation"]
    TrueVector Internet Monitor, vsmon, "C:\WINNT\system32\ZoneLabs\vsmon.exe -service" ["Zone Labs, LLC"]
    WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINNT\wanmpsvc.exe"" ["America Online, Inc."]

    ----------
    This report excludes default entries except where indicated.
    To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    ----------

    zbestwun2001

    4 Apprentice

     • 

    8.8K Posts

    June 12th, 2005 18:00

    Silent Runners looks OK.........

    There are issues with WMP. I don't know what they stem from, and I haven't experienced them on this system.

    I am researching this WMP issue but don't think that it will prove to be the cure of your problems.

    Steve

    John_Doe

    313 Posts

    June 12th, 2005 19:00

    I went back to the old Windows Media Player since it's not used much. This seemed to have fixed the problem with WMP 9.

    But I am still getting horrible startup times, compared to before. And it still seems to run a bit sluggish, like if other programs are running in the background.

    zbestwun2001

    4 Apprentice

     • 

    8.8K Posts

    June 12th, 2005 20:00

    Ok let's run MWAV and post the log it generates.

    Steve

    John_Doe

    313 Posts

    June 13th, 2005 12:00

    My MWAV log is too big how do I post it?

    zbestwun2001

    4 Apprentice

     • 

    8.8K Posts

    June 13th, 2005 13:00

    Look at the results of the log.
    If there are any files that are infected put them here for me to view.

    Steve

    John_Doe

    313 Posts

    June 13th, 2005 15:00

    Mon Jun 13 00:21:17 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A3573B4 tagged as "not-a-virus:AdWare.BargainBuddy.q". Action Taken: No Action Taken.

    Mon Jun 13 00:21:17 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A4C199B
    Mon Jun 13 00:21:18 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A4C199B tagged as "not-a-virus:AdWare.BetterInternet.d". Action Taken: No Action Taken.

    Mon Jun 13 00:21:18 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A536D94
    Mon Jun 13 00:21:18 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A536D94 tagged as "not-a-virus:AdWare.BargainBuddy.q". Action Taken: No Action Taken.

    Mon Jun 13 00:21:18 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A561790
    Mon Jun 13 00:21:18 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A561790 tagged as "not-a-virus:AdWare.BargainBuddy.q". Action Taken: No Action Taken.

    Mon Jun 13 00:21:18 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A59418D
    Mon Jun 13 00:21:19 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A59418D tagged as "not-a-virus:AdWare.BetterInternet.d". Action Taken: No Action Taken.

    Mon Jun 13 00:21:19 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A6A137B
    Mon Jun 13 00:21:19 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A6A137B tagged as "not-a-virus:AdWare.BargainBuddy.q". Action Taken: No Action Taken.

    Mon Jun 13 00:21:19 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A6D3D77
    Mon Jun 13 00:21:19 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A6D3D77 tagged as "not-a-virus:AdWare.BargainBuddy.q". Action Taken: No Action Taken.

    Mon Jun 13 00:21:19 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A731170
    Mon Jun 13 00:21:19 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A731170 infected by "Trojan-Dropper.Win32.Delf.ev" Virus! Action Taken: No Action Taken.

    Mon Jun 13 00:21:19 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A7A6569
    Mon Jun 13 00:21:20 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A7A6569 tagged as "not-a-virus:AdWare.BargainBuddy.n". Action Taken: No Action Taken.

    Mon Jun 13 00:21:20 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A7D0F65
    Mon Jun 13 00:21:20 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A7D0F65 tagged as "not-a-virus:AdWare.BargainBuddy.n". Action Taken: No Action Taken.

    Mon Jun 13 00:21:20 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A803962
    Mon Jun 13 00:21:20 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A803962 tagged as "not-a-virus:AdWare.BargainBuddy.n". Action Taken: No Action Taken.

    Mon Jun 13 00:21:20 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A870D5A
    Mon Jun 13 00:21:20 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A870D5A tagged as "not-a-virus:AdWare.BargainBuddy.w". Action Taken: No Action Taken.

    Mon Jun 13 00:21:20 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A8A3757
    Mon Jun 13 00:21:21 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A8A3757 tagged as "not-a-virus:AdWare.BargainBuddy.n". Action Taken: No Action Taken.

    Mon Jun 13 00:21:21 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A8E6153
    Mon Jun 13 00:21:21 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A8E6153 tagged as "not-a-virus:AdWare.BargainBuddy.q". Action Taken: No Action Taken.

    Mon Jun 13 00:21:21 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A94354C
    Mon Jun 13 00:21:21 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A94354C tagged as "not-a-virus:AdWare.BargainBuddy.q". Action Taken: No Action Taken.

    Mon Jun 13 00:21:21 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A975F48
    Mon Jun 13 00:21:21 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A975F48 tagged as "not-a-virus:AdWare.BargainBuddy.n". Action Taken: No Action Taken.

    Mon Jun 13 00:21:21 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\4A9B0945.exe
    Mon Jun 13 00:21:21 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\4A9B0945.exe infected by "Trojan-Downloader.Win32.Adload.a" Virus! Action Taken: No Action Taken.

    Mon Jun 13 00:21:22 2005 => Scanning File C:\Program Files\Norton AntiVirus\Quarantine\578634C5.tmp
    Mon Jun 13 00:21:22 2005 => File C:\Program Files\Norton AntiVirus\Quarantine\578634C5.tmp infected by "Trojan-Dropper.Win32.Small.ls" Virus! Action Taken: No Action Taken.

     

    Mon Jun 13 01:00:19 2005 => File C:\WINNT\system32\csxfeq.exe infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.

    Mon Jun 13 01:00:19 2005 => Scanning File C:\WINNT\system32\csxfeqndw30103lib.dll
    Mon Jun 13 01:00:19 2005 => File C:\WINNT\system32\csxfeqndw30103lib.dll infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.

    Mon Jun 13 01:06:30 2005 => File C:\WINNT\system32\hwg.exe infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.

    Mon Jun 13 01:06:30 2005 => Scanning File C:\WINNT\system32\hwgndw30104lib.dll
    Mon Jun 13 01:06:30 2005 => File C:\WINNT\system32\hwgndw30104lib.dll infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.

    Mon Jun 13 01:10:33 2005 => File C:\WINNT\system32\WinStat11.dll tagged as "not-a-virus:AdWare.Winsta.a". Action Taken: No Action Taken.

    Mon Jun 13 01:10:33 2005 => Scanning File C:\WINNT\system32\WinStat12.dat
    Mon Jun 13 01:10:33 2005 => Scanning File C:\WINNT\system32\WinStat12.dll
    Mon Jun 13 01:10:33 2005 => File C:\WINNT\system32\WinStat12.dll tagged as "not-a-virus:AdWare.Winsta.a". Action Taken: No Action Taken.

     

    Mon Jun 13 01:10:38 2005 => File C:\WINNT\system32\wmplayerndw30103lib.dll infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.

    Mon Jun 13 01:11:46 2005 => ***** Checking for specific ITW Viruses *****
    Mon Jun 13 01:11:46 2005 => Checking for Welchia Virus...
    Mon Jun 13 01:11:47 2005 => Checking for LovGate Virus...
    Mon Jun 13 01:11:47 2005 => Checking for CodeRed Virus...
    Mon Jun 13 01:11:47 2005 => Checking for OpaServ Virus...
    Mon Jun 13 01:11:47 2005 => Checking for Sobig.e Virus...
    Mon Jun 13 01:11:47 2005 => Checking for Winupie Virus...
    Mon Jun 13 01:11:47 2005 => Checking for Swen Virus...
    Mon Jun 13 01:11:47 2005 => Checking for JS.Fortnight Virus...
    Mon Jun 13 01:11:47 2005 => Checking for Novarg Virus...
    Mon Jun 13 01:11:47 2005 => Checking for Pagabot Virus...
    Mon Jun 13 01:11:47 2005 => Checking for Parite.b Virus...
    Mon Jun 13 01:11:47 2005 => Checking for Parite.a Virus...
    Mon Jun 13 01:11:47 2005 => Checking for Adware.SeekSeek Virus...

    Mon Jun 13 01:11:47 2005 => ***** Scanning complete. *****

    Mon Jun 13 01:11:47 2005 => Total Objects Scanned: 31213
    Mon Jun 13 01:11:47 2005 => Total Virus(es) Found: 36
    Mon Jun 13 01:11:47 2005 => Total Disinfected Files: 0
    Mon Jun 13 01:11:47 2005 => Total Files Renamed: 0
    Mon Jun 13 01:11:47 2005 => Total Deleted Objects: 0
    Mon Jun 13 01:11:47 2005 => Total Errors: 40
    Mon Jun 13 01:11:47 2005 => Time Elapsed: 01:46:36
    Mon Jun 13 01:11:47 2005 => Virus Database Date: 2005/06/09
    Mon Jun 13 01:11:47 2005 => Virus Database Count: 134027

    Mon Jun 13 01:11:47 2005 => Scan Completed.

    John_Doe

    313 Posts

    June 13th, 2005 15:00

    Hopefully  I didn't miss anything. Would it be better to email you the full results? I'm not sure if I set the options to scan correctly. But this is what I got from the scan:                                                                                                                                                                                                                                                             
    Sun Jun 12 23:21:09 2005 => **********************************************************
    Sun Jun 12 23:21:09 2005 => MicroWorld AntiVirus & Spyware Toolkit Utility.
    Sun Jun 12 23:21:09 2005 => Copyright © 2003-2005,  MicroWorld Technologies Inc.
    Sun Jun 12 23:21:09 2005 => **********************************************************
    Sun Jun 12 23:21:09 2005 => Version 6.4.1 (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mwavscan.com)
    Sun Jun 12 23:21:09 2005 => Log File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MWAV.LOG
    Sun Jun 12 23:21:09 2005 => MWAV Registered: FALSE.
    Sun Jun 12 23:21:09 2005 => MWAV Mode: Only Scan files.
    Sun Jun 12 23:21:09 2005 => Latest Date of files inside MWAV: 09 Jun 2005  07:04:52.
    Sun Jun 12 23:21:21 2005 => AV Library Loaded...
    Sun Jun 12 23:21:22 2005 => MWAV doing self scanning...
    Sun Jun 12 23:21:22 2005 => Scanning File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kavss.exe
    Sun Jun 12 23:21:22 2005 => Scanning File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Getvlist.exe
    Sun Jun 12 23:21:24 2005 => Scanning File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kavss.dll
    Sun Jun 12 23:21:24 2005 => Scanning File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kavssdi.dll
    Sun Jun 12 23:21:24 2005 => Scanning File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kavssi.dll
    Sun Jun 12 23:21:24 2005 => Scanning File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kavvlg.dll
    Sun Jun 12 23:21:25 2005 => Scanning File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\msvlclnt.dll
    Sun Jun 12 23:21:25 2005 => Scanning File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ipc.dll
    Sun Jun 12 23:21:25 2005 => Scanning File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\main.avi
    Sun Jun 12 23:21:25 2005 => Scanning File C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\virus.avi
    Sun Jun 12 23:21:25 2005 => MWAV files are clean.
    Sun Jun 12 23:21:34 2005 => Virus Database Date: 2005/06/09
    Sun Jun 12 23:21:34 2005 => Virus Database Count: 134027
    Sun Jun 12 23:24:10 2005 => Generating Virus List... getvlist.exe C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vlist.txt

    Sun Jun 12 23:24:48 2005 => **********************************************************
    Sun Jun 12 23:24:48 2005 => MicroWorld AntiVirus & Spyware Toolkit Utility.
    Sun Jun 12 23:24:49 2005 => Copyright © 2003-2005,  MicroWorld Technologies Inc.
    Sun Jun 12 23:24:49 2005 =>
    Sun Jun 12 23:24:49 2005 => Support: support@mwti.net
    Sun Jun 12 23:24:49 2005 => Web: http://www.mwti.net
    Sun Jun 12 23:24:49 2005 => **********************************************************
    Sun Jun 12 23:24:49 2005 => Version 6.4.1 (C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mwavscan.com)
    Sun Jun 12 23:24:49 2005 => Log File: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\MWAV.LOG
    Sun Jun 12 23:24:49 2005 => User Account: Administrator
    Sun Jun 12 23:24:49 2005 => Windows Root  Folder: C:\WINNT
    Sun Jun 12 23:24:49 2005 => Windows Sys32 Folder: C:\WINNT\system32
    Sun Jun 12 23:24:49 2005 => OS: Windows NT
    Sun Jun 12 23:24:49 2005 => Latest Date of files inside MWAV: 09 Jun 2005  07:04:52.

    Sun Jun 12 23:24:49 2005 => Options Selected by User:
    Sun Jun 12 23:24:49 2005 => Memory Check: Enabled
    Sun Jun 12 23:24:49 2005 => Registry Check: Enabled
    Sun Jun 12 23:24:49 2005 => StartUp Folder Check: Enabled
    Sun Jun 12 23:24:49 2005 => System Folder Check: Enabled
    Sun Jun 12 23:24:49 2005 => System Area Check: Disabled
    Sun Jun 12 23:24:49 2005 => Services Check: Enabled
    Sun Jun 12 23:24:49 2005 => Drive Check: Disabled
    Sun Jun 12 23:24:49 2005 => All Drive Check :Enabled
    Sun Jun 12 23:24:49 2005 => Folder Check: Disabled

     

    Sun Jun 12 23:26:19 2005 => ERROR!!! Invalid Entry {F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4} = blank (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved). No Action Taken.

    Sun Jun 12 23:27:45 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
    Sun Jun 12 23:28:01 2005 => System found infected with Alexa Spyware/Adware ({c95fe080-8f5d-11d2-a20b-00aa003c157a})! Action taken: No Action Taken.
    Sun Jun 12 23:28:01 2005 => Object "Alexa Spyware/Adware" found in File System! Action Taken: No Action Taken.

    Sun Jun 12 23:28:11 2005 => Offending value found in HKLM\Software\microsoft\downloadmanager !!!
    Sun Jun 12 23:28:11 2005 => Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

    Sun Jun 12 23:28:14 2005 => Offending value found in HKLM\Software\vendor !!!
    Sun Jun 12 23:28:14 2005 => Object "Kazaa Spyware/Adware" found in File System! Action Taken: No Action Taken.

    Sun Jun 12 23:28:41 2005 => System found infected with CWS.therealsearch Spyware/Adware (waol.exe)! Action taken: No Action Taken.
    Sun Jun 12 23:28:41 2005 => Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.

    Sun Jun 12 23:28:43 2005 => ***** Scanning Registry for errors created because of Adware/Spyware *****
    Sun Jun 12 23:28:49 2005 => Entry "HKCR\CLSID\{00CEDC01-864D-11D3-908D-00C0F03B3EDC}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:28:50 2005 => Entry "HKCR\CLSID\{0272c6e8-83e5-43d2-92f4-a374385bdac4}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:28:56 2005 => Entry "HKCR\CLSID\{339bccb5-3ab4-4495-94ed-29102f59894c}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:28:57 2005 => Entry "HKCR\CLSID\{405DE7C0-E7DD-11D2-92C5-00C0F01F77C1}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:28:57 2005 => Entry "HKCR\CLSID\{43918f8f-f3be-4760-b4bb-6c89d9d91487}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:28:57 2005 => Entry "HKCR\CLSID\{44b09a5f-5dee-4539-8001-d4b2d45c2876}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:28:57 2005 => Entry "HKCR\CLSID\{4C171D40-8277-11D5-AD55-00010333D0AD}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:28:58 2005 => Entry "HKCR\CLSID\{4D50EBC1-F054-4110-8D92-700E630361A6}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:02 2005 => Entry "HKCR\CLSID\{96632d1e-f3eb-4f54-ba79-9969692db659}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:02 2005 => Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.

    Sun Jun 12 23:29:03 2005 => Entry "HKCR\CLSID\{A06B0DBC-8272-4D72-A366-B8090BBE1871}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:03 2005 => Entry "HKCR\CLSID\{A4845882-333F-11D0-B724-00AA0062CBB7}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:03 2005 => Entry "HKCR\CLSID\{AF1A9404-6CA9-11D3-B053-00C04F4C0826}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:04 2005 => Entry "HKCR\CLSID\{BBF37B9E-2F4F-11D3-B02F-00C04F4C0826}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:04 2005 => Entry "HKCR\CLSID\{BBF37BA0-2F4F-11D3-B02F-00C04F4C0826}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:04 2005 => Entry "HKCR\CLSID\{BBF37BA2-2F4F-11D3-B02F-00C04F4C0826}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:04 2005 => Entry "HKCR\CLSID\{BBF37BA4-2F4F-11D3-B02F-00C04F4C0826}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:05 2005 => Entry "HKCR\CLSID\{C5838ED9-78F2-4c47-8B6B-2ACF9FA16F44}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:06 2005 => Entry "HKCR\CLSID\{CEF4D40F-ACA5-40BA-8F3B-161A594A1A39}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:06 2005 => Entry "HKCR\CLSID\{D24C7F41-2F44-11D3-92EF-00C0F01F77C1}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:06 2005 => Entry "HKCR\CLSID\{d4387178-98ca-4929-b8e3-a11cd2f333a6}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:07 2005 => Entry "HKCR\CLSID\{E07D3492-32B5-11D0-B724-00AA0062CBB7}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:08 2005 => Entry "HKCR\CLSID\{EEC6993A-B3FD-11D2-A916-00C04FB98638}" refers to invalid object "pid.dll". Action Taken: No Action Taken.

    Sun Jun 12 23:29:08 2005 => Entry "HKCR\CLSID\{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:09 2005 => Entry "HKCR\CLSID\{fba38bcf-e23d-4979-811e-1326bbadb8c8}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:09 2005 => Entry "HKCR\CLSID\{FDC7A535-4070-4B92-A0EA-D9994BCC0DC5}" refers to invalid object "blank". Action Taken: No Action Taken.

    Sun Jun 12 23:29:11 2005 => Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.

    Sun Jun 12 23:29:19 2005 => Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.

    Sun Jun 12 23:29:19 2005 => Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.

    Sun Jun 12 23:29:19 2005 => Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.

     

    Sun Jun 12 23:30:35 2005 => File C:\WINNT\system32\csxfeq.exe infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.

    Sun Jun 12 23:30:35 2005 => Scanning File C:\WINNT\system32\csxfeqndw30103lib.dll
    Sun Jun 12 23:30:35 2005 => File C:\WINNT\system32\csxfeqndw30103lib.dll infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.

    Sun Jun 12 23:32:01 2005 => File C:\WINNT\system32\hwg.exe infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.

    Sun Jun 12 23:32:01 2005 => Scanning File C:\WINNT\system32\hwgndw30104lib.dll
    Sun Jun 12 23:32:01 2005 => File C:\WINNT\system32\hwgndw30104lib.dll infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.

    Sun Jun 12 23:36:39 2005 => File C:\WINNT\system32\WinStat11.dll tagged as "not-a-virus:AdWare.Winsta.a". Action Taken: No Action Taken.

    Sun Jun 12 23:36:39 2005 => Scanning File C:\WINNT\system32\WinStat12.dat
    Sun Jun 12 23:36:39 2005 => Scanning File C:\WINNT\system32\WinStat12.dll
    Sun Jun 12 23:36:40 2005 => File C:\WINNT\system32\WinStat12.dll tagged as "not-a-virus:AdWare.Winsta.a". Action Taken: No Action Taken.

    Sun Jun 12 23:36:44 2005 => File C:\WINNT\system32\wmplayerndw30103lib.dll infected by "Trojan-Downloader.Win32.Lastad.h" Virus! Action Taken: No Action Taken.


    Sun Jun 12 23:46:02 2005 => Result: ERROR!!! File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip is Not Scanned
    Sun Jun 12 23:46:02 2005 => C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip not Scanned. Possibly password protected...
    Sun Jun 12 23:46:02 2005 => Scanning File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated1.zip
    Sun Jun 12 23:46:03 2005 => Result: ERROR!!! File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated1.zip is Not Scanned
    Sun Jun 12 23:46:03 2005 => C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated1.zip not Scanned. Possibly password protected...
    Sun Jun 12 23:46:03 2005 => Scanning File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy.zip
    Sun Jun 12 23:46:03 2005 => Result: ERROR!!! File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy.zip is Not Scanned
    Sun Jun 12 23:46:03 2005 => C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ExactAdvertisingBargainsBuddy.zip not Scanned. Possibly password protected...
    Sun Jun 12 23:46:03 2005 => Scanning File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip
    Sun Jun 12 23:46:03 2005 => Result: ERROR!!! File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip is Not Scanned
    Sun Jun 12 23:46:03 2005 => C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent.zip not Scanned. Possibly password protected...
    Sun Jun 12 23:46:03 2005 => Scanning File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent1.zip
    Sun Jun 12 23:46:03 2005 => Result: ERROR!!! File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent1.zip is Not Scanned
    Sun Jun 12 23:46:03 2005 => C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent1.zip not Scanned. Possibly password protected...
    Sun Jun 12 23:46:03 2005 => Scanning File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip
    Sun Jun 12 23:46:03 2005 => Result: ERROR!!! File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip is Not Scanned
    Sun Jun 12 23:46:03 2005 => C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent2.zip not Scanned. Possibly password protected...
    Sun Jun 12 23:46:03 2005 => Scanning File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent3.zip
    Sun Jun 12 23:46:03 2005 => Result: ERROR!!! File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent3.zip is Not Scanned
    Sun Jun 12 23:46:03 2005 => C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent3.zip not Scanned. Possibly password protected...
    Sun Jun 12 23:46:03 2005 => Scanning File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip
    Sun Jun 12 23:46:04 2005 => Result: ERROR!!! File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip is Not Scanned
    Sun Jun 12 23:46:04 2005 => C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip not Scanned. Possibly password protected...

    Sun Jun 12 23:47:58 2005 => Result: ERROR!!! File C:\pagefile.sys: Scanning Failure!!!
    Sun Jun 12 23:47:58 2005 => ERROR!!! ScanFile fails for C:\pagefile.sys

    Was this post helpful?

    View All

    No Events found!

    Top