1. Double-click the mwav.exe icon to run it (it'll self extract).
2. Click "Scan".
3. When it completes, post back the results from the 'Virus log information' pane.
I tried to send you the Micro World log but the log file is too huge (maybe I didn't scan properly). Do I have to click extra boxes in the MWAV interface?
To facilitate the process, I tried Trend Micro and Ewido and downloaded the latest version of HJT. Here is the HJT log for your reference.
Logfile of HijackThis v1.99.1
Scan saved at 上午 12:33:49, on 2005/7/6
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
I need to see the log from the Ewido and MWAV scan. If you need to break it up into multiple posts, go ahead. With the MWAV scan, be sure to post back only those items in the "Virus Information" pane.
Most of those items can be removed by cleaning out Norton's quarantine and running "Cleanup!" by Steven Gould, which we'll do as a final cleanup, but for now, let's do this:
Run HiJackThis then:
1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINNT\system32\internat.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
Run HiJackThis and click "Scan", then check (tick) the following, if present:
Many thanks. Here is the HJT log and the Silent Runner Log:
Logfile of HijackThis v1.99.1
Scan saved at 上午 12:58:37, on 2005/7/8
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
"Silent Runners.vbs", revision 39,
http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 60 seconds, including 19 seconds for message boxes)
Ok, I don't see anything in the log; let's remove these two entries that I missed in the previous post, and see if that fixes the problem. Are you still having a pop-up problem?
Run HiJackThis and click "Scan", then check (tick) the following, if present:
Now, with all windows closed except HiJackThis, click "Fix checked".
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
Search for...
msnmsgr.exe
...using "Start | Search...".
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
If you have MSN Messenger installed, uninstall it before searching for the above file (msnmsgr.exe), then re-install it when your system is clean.
The pop-ups hit me again. I did the Spybot scan and it showed that they are CallingHome.biz and Elitum.EliteBar. I am not sure whether it is helpful but here is the Ad Aware scan.
Ad-Aware SE Build 1.05
Logfile Created on:2005年7月12日 下午 09:44:51
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R52 30.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ebates MoneyMaker(TAC index:4):1 total references
Elitum.ElitebarBHO(TAC index:5):10 total references
MRU List(TAC index:0):29 total references
Possible Browser Hijack attempt(TAC index:3):4 total references
Tracking Cookie(TAC index:3):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
2005-7-12 下午 09:44:51 - Scan started. (Full System Scan)
MRU List Object Recognized!
Location: : C:\Documents and Settings\jasper\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office
MRU List Object Recognized!
Location: : C:\Documents and Settings\jasper\recent
Description : list of recently opened documents
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer
MRU List Object Recognized!
Location: : software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\common\open find\microsoft powerpoint\settings\save as\file name mru
Description : list of recent documents saved by microsoft powerpoint
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\excel\recent files
Description : list of recent files used by microsoft excel
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows media\wmsdk\general
Description : windows media sdk
Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{28caeff3-0f18-4036-b504-51d73bd81abc}
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{28caeff3-0f18-4036-b504-51d73bd81abc}
Value :
Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}
Value :
Elitum.ElitebarBHO Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{28caeff3-0f18-4036-b504-51d73bd81abc}
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{28caeff3-0f18-4036-b504-51d73bd81abc}
Value :
Ebates MoneyMaker Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "AC"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\lq
Value : AC
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\toolbar\webbrowser
Value : {825CF5BD-8862-4430-B771-0C15C5CA8DEF}
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"
Rootkey : HKEY_USERS
Object : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\internet explorer\toolbar\webbrowser
Value : {825CF5BD-8862-4430-B771-0C15C5CA8DEF}
Elitum.ElitebarBHO Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment : "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\toolbar
Value : {825CF5BD-8862-4430-B771-0C15C5CA8DEF}
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 10
Objects found so far: 39
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\MainSearch Pagesearchmiracle.com
Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://searchmiracle.com/sp.php"
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\MainSearch Barsearchmiracle.com
Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://searchmiracle.com/sp.php"
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\SearchSearchAssistantsearchmiracle.com
Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://searchmiracle.com/sp.php"
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet ExplorerSearchURLsearchmiracle.com
Possible Browser Hijack attempt Object Recognized!
Type : RegData
Data : "http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer
Value : SearchURL
Data : "http://searchmiracle.com/sp.php"
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 43
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jasper@centrport[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:jasper@centrport.net/
Expires : 2030-1-1 上午 08:00:00
LastSync : Hits:1
UseCount : 0
Hits : 1
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 44
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jasper@centrport[1].txt
Category : Data Miner
Comment :
Value : C:\Documents And Settings\jasper\Cookies\jasper@centrport[1].txt
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46
下午 09:53:44 Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:08:53.257
Objects scanned:71832
Objects identified:17
Objects ignored:0
New critical objects:17
I can see! I think we had this very same problem last year with AboutBlank on your system ... :( Post back a new HiJackThis log and let's see what we have (should be the same as before, if I'm reading the AdAware log correctly).
I might not be able to spend much more time on this, since I'm currently working another problem that's requiring quite a bit of research - I'll take a few more looks, and if it seems like a rampant dll (hidden and causing problems), I'll see if I can turn this thread over to someone who can dedicate more time to helping you locate and remove it.
Thanks for all your help. Here is the latest HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 下午 10:59:32, on 2005/7/12
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Sorry for taking so long to get back with you, but I've been really tied up, and will be for the next few days or so. Let me get you off where someone can help you with this cleanup. Go here:
www.malwareremoval.com
Register, and post your log in the HiJackThis forum. Someone will be there shortly after the post to help you. Be sure to add a link in the initial post to the thread here at Dell so they can get a quick idea of what we've tried to do.
Midnight Star
4.8K Posts
0
July 3rd, 2005 16:00
I see more than one that I'm almost certain are going to be bad - let's get another set of "eyes" on them and see what we have...
Download mwav.exe from MicroWorld, then:
1. Double-click the mwav.exe icon to run it (it'll self extract).
2. Click "Scan".
3. When it completes, post back the results from the 'Virus log information' pane.
Mike.
water5
47 Posts
0
July 5th, 2005 16:00
Scan saved at 上午 12:33:49, on 2005/7/6
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Ewido\security suite\ewidoctrl.exe
C:\Program Files\Ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\WINNT\system32\wuauclt.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents And Settings\jasper\Local Settings\Temp\HijackThis.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoftf DDEs Control] wees.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\Run: [Microsoftz turn Control] read.pif
O4 - HKLM\..\Run: [Microsoftm EEGS Cuntrol] loor.pif
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] wees.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\RunServices: [Microsoftz turn Control] read.pif
O4 - HKLM\..\RunServices: [Microsoftm EEGS Cuntrol] loor.pif
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/MediaAccessVerisign/ie/bridge-c420.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\rapapp.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Midnight Star
4.8K Posts
0
July 5th, 2005 17:00
I need to see the log from the Ewido and MWAV scan. If you need to break it up into multiple posts, go ahead. With the MWAV scan, be sure to post back only those items in the "Virus Information" pane.
==========
Mike.
water5
47 Posts
0
July 6th, 2005 15:00
Here is the MWAV log:
Object "180Solutions Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "SearchEXE Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINNT\Downloaded Program Files\RdxIE.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINNT\Downloaded Program Files\RdxIE.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}" refers to invalid object "C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{14E70437-124E-437A-A1EB-D186E2A75257}" refers to invalid object "C:\WINNT\system32\hmg.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}" refers to invalid object "C:\Program Files\Viewpoint\Viewpoint Media Player\AxMetaStream.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{21B4ACC4-8874-4AEC-AEAC-F567A249B4D4}" refers to invalid object "c:\program files\180searchassistant\salmhook.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{2616E240-B5B6-4109-9DE7-9D5F9AB3997E}" refers to invalid object "C:\WINNT\system32\oamgea.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{32BA5D04-B1EA-42DF-81D4-F8A6BE6DCF56}" refers to invalid object "C:\WINNT\system32\omlac.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" refers to invalid object "C:\Program Files\Norton AntiVirus\NavShExt.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{48FEB9F1-A94D-4DEF-BAA8-B8B6BBD74D0A}" refers to invalid object "C:\WINNT\system32\bbmmi.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{4E11074F-BAFE-4603-8353-410B92249973}" refers to invalid object "C:\WINNT\system32\ddjdfm.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}" refers to invalid object "C:\Program Files\Norton AntiVirus\NavShExt.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{56336BCA-3D8A-11d6-A00B-0050DA18DE71}" refers to invalid object "C:\DOCUME~1\jasper\LOCALS~1\Temp\InfoWindow.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5CF37022-A9EC-4473-8620-560427E8434E}" refers to invalid object "C:\WINNT\system32\oamgea.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{5F2CF5FC-BFFC-4B7B-BEB1-B5FD741A2504}" refers to invalid object "C:\WINNT\system32\oemcd.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{600AE747-84E3-42BC-A57E-C0F293E91695}" refers to invalid object "C:\WINNT\system32\eahdl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{60FF0D53-4F82-46C5-A551-E0D567829EA1}" refers to invalid object "C:\WINNT\system32\aconka.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{68DE96B3-B9E9-4314-BAEF-86EA52BBACD1}" refers to invalid object "C:\WINNT\system32\eahdl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{69BF9F85-98AE-4D9C-899C-F411900DA5FC}" refers to invalid object "C:\WINNT\system32\hmg.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{6A08B80C-4C6C-4152-962C-E91888F64239}" refers to invalid object "C:\WINNT\system32\gbie.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{790D6DD8-2FFB-4455-B927-DFDE33FB752E}" refers to invalid object "C:\WINNT\system32\cna.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{81FF058A-B85B-4B1D-ACD4-D19A3607BBF3}" refers to invalid object "C:\WINNT\system32\gbie.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{898DA1D5-F4B2-41CB-AEB9-C3F08552E21B}" refers to invalid object "C:\WINNT\system32\aconka.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8DD52FE5-6300-4BC3-BEF4-171A7DACFC48}" refers to invalid object "C:\WINNT\system32\cna.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A13D25BA-7653-463F-AD4E-37F5D50F97FF}" refers to invalid object "C:\WINNT\system32\eheam.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A41A3852-E52A-4B0C-A639-42BD8444CB88}" refers to invalid object "C:\WINNT\system32\eahdl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A43130FF-3BDE-47A4-BD53-682A9DA0D610}" refers to invalid object "C:\WINNT\system32\hmg.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A634E71E-5F90-44A2-AFFF-A492E848CD77}" refers to invalid object "C:\WINNT\system32\ldl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{AF63F43F-E050-44C1-8C70-3DAEEC42DFC1}" refers to invalid object "C:\WINNT\system32\cna.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B472F7C8-1B64-4A5A-8FA7-A5E7340B550D}" refers to invalid object "C:\WINNT\system32\ddjdfm.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B89066C8-485C-43E2-A003-1FAAB872144F}" refers to invalid object "C:\WINNT\system32\bbmmi.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C01CD24E-AFC1-4609-B8F3-6AF729CCE439}" refers to invalid object "C:\WINNT\system32\bbmmi.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C465046E-C30A-4D42-A138-8361596321CE}" refers to invalid object "C:\WINNT\system32\mmn.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C8ABB388-AF1F-41E7-B99D-10AACF35D377}" refers to invalid object "C:\WINNT\system32\bbmmi.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DC445634-E01D-4A0C-A291-8151460A9250}" refers to invalid object "C:\WINNT\system32\dofnjh.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{DDFADFBD-6E0C-467B-B34E-E7DAF85F46BA}" refers to invalid object "C:\WINNT\system32\gbie.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F54319CC-FBFE-4ED9-8F8D-FD2049CB34A7}" refers to invalid object "C:\WINNT\system32\ddjdfm.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F7D97FAE-E454-49B2-9288-51CD6041FA21}" refers to invalid object "C:\WINNT\system32\ddjdfm.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FA010552-4A27-4cb1-A1BB-3E2D697F1639}" refers to invalid object "c:\Program Files\interMute\SpySubtract\sshook.dll". Action Taken: No Action Taken.
Entry "HKCR\ActMsg.Session" refers to invalid object "{3FA7DEB3-6438-101B-ACC1-00AA00423326}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\Navbho.CNavExtBho" refers to invalid object "{BDF3E430-B101-42AD-A544-FADC6B084872}". Action Taken: No Action Taken.
Entry "HKCR\Navbho.CNavExtBho.1" refers to invalid object "{BDF3E430-B101-42AD-A544-FADC6B084872}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
File C:\DOCUME~1\jasper\LOCALS~1\Temp\ypsr_1.11_us_setup_.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\DOCUME~1\jasper\LOCALS~1\Temp\180sainstallernusalm.exe tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\DOCUME~1\jasper\LOCALS~1\Temp\ycomp_5.5.7.0_ypsr_1.10_us_setup_.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\DOCUME~1\jasper\LOCALS~1\Temp\ypsr_01.13.00_us_setup_.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\45280EE1.exe infected by "Backdoor.Win32.Jeemp.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\452B38DD.exe infected by "Backdoor.Win32.Jeemp.c" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\77CA62CC.class infected by "Trojan.Java.ClassLoader.l" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\77D036C5.class infected by "Exploit.Java.Bytverify" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\7A1F663B.class infected by "Trojan.Java.ClassLoader.l" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\59B11E6A.class infected by "Trojan.Java.ClassLoader.d" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\60D918FE.htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\60DD42FA.htm infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\72DC2D2B.class infected by "Trojan.Java.ClassLoader.d" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\323E44B5.class infected by "Trojan.Java.ClassLoader.l" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\32416EB1.class infected by "Exploit.Java.Bytverify" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\32416EB1.php infected by "Exploit.HTML.Mht" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\324418AE.exe infected by "Trojan-Dropper.Win32.Small.mu" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\37A03FCA.exe infected by "Trojan-Downloader.Win32.Small.np" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\4F7E250C.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\2676042D.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1F1C7353.pif infected by "Backdoor.Win32.Rbot.sl" Virus! Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\1F22474C.pif infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Personal\aawsepersonal.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\YPSR\unypsr.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\YPSR\updates\ypsr_prog_01.14.00_us_setup_.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\YPSR\Unwise32.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Yahoo!\common\unypsr.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Recycled\Q330995.exe infected by "Trojan-Dropper.Win32.Small.hx" Virus! Action Taken: No Action Taken.
File C:\Documents And Settings\jasper\Local Settings\Temp\ypsr_1.11_us_setup_.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents And Settings\jasper\Local Settings\Temp\180sainstallernusalm.exe tagged as "not-a-virus:AdWare.180Solutions.g". Action Taken: No Action Taken.
File C:\Documents And Settings\jasper\Local Settings\Temp\ycomp_5.5.7.0_ypsr_1.10_us_setup_.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents And Settings\jasper\Local Settings\Temp\ypsr_01.13.00_us_setup_.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINNT\Temp\sp.html tagged as "not-a-virus:AdWare.SearchPage". Action Taken: No Action Taken.
File C:\WINNT\Temp\purnrv.exe infected by "Backdoor.Win32.Rbot.gen" Virus! Action Taken: No Action Taken.
Midnight Star
4.8K Posts
0
July 7th, 2005 12:00
Most of those items can be removed by cleaning out Norton's quarantine and running "Cleanup!" by Steven Gould, which we'll do as a final cleanup, but for now, let's do this:
Run HiJackThis then:
1. Click "Config..."
2. Click "Misc Tools"
3. Click "Open Process manager"
-
Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:
C:\WINNT\system32\internat.exe
Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.
Run HiJackThis and click "Scan", then check (tick) the following, if present:
O4 - HKLM\..\Run: [Microsoftf DDEs Control] wees.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\Run: [Microsoftz turn Control] read.pif
O4 - HKLM\..\Run: [Microsoftm EEGS Cuntrol] loor.pif
O4 - HKLM\..\RunServices: [Microsoftf DDEs Control] wees.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\RunServices: [Microsoftz turn Control] read.pif
O4 - HKLM\..\RunServices: [Microsoftm EEGS Cuntrol] loor.pif
O4 - HKCU\..\Run: [internat.exe] internat.exe
Now, with all windows closed except HiJackThis, click "Fix checked".
Let's download Silent Runners.vbs to help us locate other malware that might be hidden on your system. Next...
1) Double-click on Silent Runners.vbs.
2) Copy and paste the output to your next reply.
-----
Note: If your Antivirus or another program prompts about running a ".vbs" file, allow the script to run.
Post back a new HiJackThis log, along with the log created by the silent runners script.
==========
Mike.
water5
47 Posts
0
July 7th, 2005 15:00
Many thanks. Here is the HJT log and the Silent Runner Log:
Scan saved at 上午 12:58:37, on 2005/7/8
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Ewido\security suite\ewidoctrl.exe
C:\Program Files\Ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\cmd.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Messenger Service] msnmsgr.exe
O4 - HKLM\..\RunServices: [Messenger Service] msnmsgr.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\Ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\rapapp.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe" [null data]
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer" ["Symantec Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"Messenger Service" = "msnmsgr.exe" [file not found]
"SpybotSnD" = ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck" ["Safer Networking Limited"]
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\Office\OLKFSTUB.DLL" [MS]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealOne Player\rpshell.dll" ["RealNetworks, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a?Context Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2FREE~1\A2CONT~1.DLL" [null data]
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ewido\security suite\shellhook.dll" ["TODO: "]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ewido\security suite\context.dll" ["ewido networks"]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Ewido\security suite\context.dll" ["ewido networks"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\A2FREE~1\A2FREE~1\A2CONT~1.DLL" [null data]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Active Desktop and Wallpaper:
-----------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
Enabled Screen Saver:
---------------------
"SCRNSAVE.EXE" = "C:\WINNT\system32\sstext3d.scr" [MS]
Startup items in "jasper" & "All Users" startup folders:
--------------------------------------------------------
"BlackICE PC Protection" -> shortcut to: "C:\Program Files\Network ICE\BlackICE\blackice.exe -closed" ["Internet Security Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
Enabled Scheduled Tasks:
------------------------
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"HP DArC Task #Hewlett-Packard#deskjet3500#TH3CN1229J76" -> launches: "C:\Program Files\HP\hpcoretech\comp\hpdarc.exe /#Hewlett-Packard#deskjet3500#TH3CN1229J76" ["Hewlett-Packard Company"]
Winsock2 Service Provider DLLs:
-------------------------------
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 04, 07 - 12
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06
Toolbars, Explorer Bars, Extensions:
------------------------------------
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" [file not found]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll" ["Yahoo! Inc."]
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\msjava.dll" [MS]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
ewido security suite control, ewido security suite control, "C:\Program Files\Ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\Ewido\security suite\ewidoguard.exe" ["ewido networks"]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 60 seconds, including 19 seconds for message boxes)
Midnight Star
4.8K Posts
0
July 10th, 2005 16:00
OK, I don't see anything in the log; let's remove these two entries that I missed in the previous post, and see if that fixes the problem. Are you still having a pop-up problem?
Run HiJackThis and click "Scan", then check (tick) the following, if present:
O4 - HKLM\..\Run: [Messenger Service] msnmsgr.exe
O4 - HKLM\..\RunServices: [Messenger Service] msnmsgr.exe
Now, with all windows closed except HiJackThis, click "Fix checked".
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:
Search for...
msnmsgr.exe
...using "Start | Search...".
-
Note that some of these file(s) may or may not be present. If present, and they cannot be deleted because they're 'in use', try deleting them from "Safe Mode".
If you have MSN Messenger installed, uninstall it before searching for the above file (msnmsgr.exe), then re-install it when your system is clean.
-
Mike.
water5
47 Posts
0
July 11th, 2005 15:00
Thanks.
I successfully deleted the msnmsgr.exe file in Safe Mode. Nevertheless, another problem arises.
1. The booting time of the machine is very slow.
2. During the initial phase of booting, an error message occasionally appears saying:
"C\WINNT\System32\Isass.exe terminated unexpectedly with status code 128. The system will re-start."
Then the machine switches off and restarts automatically. Is this a sign of a virus/spyware?
water5
47 Posts
0
July 12th, 2005 12:00
Continue...
#:20 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_06\bin\
ProcessID : 1244
ThreadCreationTime : 2005-7-12 下午 01:29:07
BasePriority : Normal
#:21 [jucheck.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_06\bin\
ProcessID : 1264
ThreadCreationTime : 2005-7-12 下午 01:29:07
BasePriority : Normal
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : UpdateChecker Module
FileDescription : UpdateChecker Module
InternalName : UpdateChecker
LegalCopyright : Copyright 2002
OriginalFilename : UpdateChecker.EXE
FilePath : C:\Program Files\Common Files\Real\Update_OB\
ProcessID : 1280
ThreadCreationTime : 2005-7-12 下午 01:29:07
BasePriority : Normal
FileVersion : 0.1.0.3018
ProductVersion : 0.1.0.3018
ProductName : RealPlayer (32-bit)
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
LegalCopyright : Copyright c RealNetworks, Inc. 1995-2004
LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
OriginalFilename : realsched.exe
FilePath : C:\WINNT\system32\
ProcessID : 1288
ThreadCreationTime : 2005-7-12 下午 01:29:08
BasePriority : Normal
#:24 [blackice.exe]
FilePath : C:\Program Files\Network ICE\BlackICE\
ProcessID : 1360
ThreadCreationTime : 2005-7-12 下午 01:29:08
BasePriority : Normal
FileVersion : 3.6.46
ProductVersion : 3.6
ProductName : Internet Security Systems, Inc. BlackICE
CompanyName : Internet Security Systems, Inc.
FileDescription : BlackICE MFC Application
InternalName : BlackICE
LegalCopyright : Copyright © 1999-2003, Internet Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security Systems, Inc.
OriginalFilename : blackice.exe
Comments : Reverse engineering prohibited by license agreement
FilePath : C:\WINNT\System32\
ProcessID : 784
ThreadCreationTime : 2005-7-12 下午 01:30:18
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe
FilePath : C:\
ProcessID : 3112
ThreadCreationTime : 2005-7-12 下午 01:30:35
BasePriority : Normal
#:27 [asm.exe]
FilePath : C:\
ProcessID : 3120
ThreadCreationTime : 2005-7-12 下午 01:30:35
BasePriority : Normal
#:28 [conime.exe]
FilePath : C:\WINNT\system32\
ProcessID : 3176
ThreadCreationTime : 2005-7-12 下午 01:30:39
BasePriority : Normal
FileVersion : 5.00.2195.6655
ProductVersion : 5.00.2195.6655
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Console IME
InternalName : Console
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : CONIME.EXE
FilePath : C:\WINNT\
ProcessID : 340
ThreadCreationTime : 2005-7-12 下午 01:30:42
BasePriority : Normal
FileVersion : 5.00.2195.6707
ProductVersion : 5.00.2195.6707
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Registry Editor
InternalName : REGEDIT
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : REGEDIT.EXE
FilePath : C:\WINNT\
ProcessID : 3224
ThreadCreationTime : 2005-7-12 下午 01:30:45
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 3264
ThreadCreationTime : 2005-7-12 下午 01:30:57
BasePriority : Normal
FileVersion : 6.00.2800.1106
ProductVersion : 6.00.2800.1106
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE
FilePath : C:\WINNT\system32\
ProcessID : 3292
ThreadCreationTime : 2005-7-12 下午 01:32:07
BasePriority : Normal
FileVersion : 5.00.2920.0000
ProductVersion : 5.00.2920.0000
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Keyboard Language Indicator Applet
InternalName : INTERNAT
LegalCopyright : Copyright (C) Microsoft Corp. 1994-1999
OriginalFilename : INTERNAT.EXE
FilePath : C:\Program Files\Network ICE\BlackICE\
ProcessID : 3324
ThreadCreationTime : 2005-7-12 下午 01:32:08
BasePriority : Normal
FileVersion : 3.6.46
ProductVersion : 3.6
ProductName : Internet Security Systems, Inc. BlackICE
CompanyName : Internet Security Systems, Inc.
FileDescription : BlackICE MFC Application
InternalName : BlackICE
LegalCopyright : Copyright © 1999-2003, Internet Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security Systems, Inc.
OriginalFilename : blackice.exe
Comments : Reverse engineering prohibited by license agreement
FilePath : C:\WINNT\
ProcessID : 3152
ThreadCreationTime : 2005-7-12 下午 01:32:16
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Welcome to Windows NT
InternalName : Welcome
LegalCopyright : Copyright (C) Microsoft Corp. 1998-1999
OriginalFilename : WELCOME.EXE
FilePath : C:\Program Files\Internet Explorer\Connection Wizard\
ProcessID : 3352
ThreadCreationTime : 2005-7-12 下午 01:32:45
BasePriority : Normal
FileVersion : 5.00.3502.6602
ProductVersion : 5.00.3502.6602
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Connection Wizard
InternalName : icwconn1
LegalCopyright : Copyright (C) Microsoft Corp. 1991-1999
OriginalFilename : icwconn1.exe
FilePath : C:\WINNT\system32\
ProcessID : 652
ThreadCreationTime : 2005-7-12 下午 01:38:18
BasePriority : Normal
FileVersion : 5.4.3790.20 built by: lab04_n
ProductVersion : 5.4.3790.20
ProductName : MicrosoftR WindowsR Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Update AutoUpdate Client
InternalName : wuauclt.exe
LegalCopyright : c Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3272
ThreadCreationTime : 2005-7-12 下午 01:44:35
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright c Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 29
water5
47 Posts
0
July 12th, 2005 12:00
Continue...
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
FilePath : \SystemRoot\System32\
ProcessID : 152
ThreadCreationTime : 2005-7-12 下午 01:28:12
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 176
ThreadCreationTime : 2005-7-12 下午 01:28:19
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINNT\system32\
ProcessID : 172
ThreadCreationTime : 2005-7-12 下午 01:28:23
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINNT\system32\
ProcessID : 224
ThreadCreationTime : 2005-7-12 下午 01:28:24
BasePriority : Normal
FileVersion : 5.00.2195.6700
ProductVersion : 5.00.2195.6700
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : services.exe
FilePath : C:\WINNT\system32\
ProcessID : 236
ThreadCreationTime : 2005-7-12 下午 01:28:24
BasePriority : Normal
FileVersion : 5.00.2195.6695
ProductVersion : 5.00.2195.6695
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Executable and Server DLL (Export Version)
InternalName : lsasrv.dll and lsass.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : lsasrv.dll and lsass.exe
FilePath : C:\WINNT\system32\
ProcessID : 388
ThreadCreationTime : 2005-7-12 下午 01:28:28
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe
FilePath : C:\WINNT\System32\
ProcessID : 436
ThreadCreationTime : 2005-7-12 下午 01:28:28
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe
FilePath : C:\WINNT\system32\
ProcessID : 488
ThreadCreationTime : 2005-7-12 下午 01:28:29
BasePriority : Normal
FileVersion : 5.00.2195.6659
ProductVersion : 5.00.2195.6659
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolss.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : spoolss.exe
FilePath : C:\Program Files\Common Files\Symantec Shared\
ProcessID : 512
ThreadCreationTime : 2005-7-12 下午 01:28:29
BasePriority : Normal
FileVersion : 1.03.4
ProductVersion : 1.03.4
ProductName : Event Manager
CompanyName : Symantec Corporation
FileDescription : Event Manager Service
InternalName : ccEvtMgr
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : ccEvtMgr.exe
FilePath : C:\Program Files\Network ICE\BlackICE\
ProcessID : 616
ThreadCreationTime : 2005-7-12 下午 01:28:35
BasePriority : Normal
FileVersion : 3.6.317
ProductVersion : 3.6
ProductName : Network ICE Corporation blackd
CompanyName : Internet Security Systems, Inc.
FileDescription : blackd
InternalName : BlackICE Daemon
LegalCopyright : Copyright © 1999-2003, Internet Security Systems, Inc. All rights reserved worldwide.
LegalTrademarks : BlackICE, Internet Security Systems, Inc.
OriginalFilename : blackd.exe
Comments : Reverse engineering prohibited by license agreement
FilePath : C:\Program Files\Ewido\security suite\
ProcessID : 644
ThreadCreationTime : 2005-7-12 下午 01:28:36
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright c 2004
OriginalFilename : ewidoctrl.exe
FilePath : C:\Program Files\Norton AntiVirus\
ProcessID : 672
ThreadCreationTime : 2005-7-12 下午 01:28:39
BasePriority : Normal
FileVersion : 9.05.1015
ProductVersion : 9.05.1015
ProductName : Norton AntiVirus
CompanyName : Symantec Corporation
FileDescription : Norton AntiVirus Auto-Protect Service
InternalName : NAVAPSVC
LegalCopyright : Copyright (c) 2000-2002 Symantec Corporation. All rights reserved.
OriginalFilename : NAVAPSVC.EXE
FilePath : C:\WINNT\system32\
ProcessID : 792
ThreadCreationTime : 2005-7-12 下午 01:28:43
BasePriority : Normal
#:14 [regsvc.exe]
FilePath : C:\WINNT\system32\
ProcessID : 772
ThreadCreationTime : 2005-7-12 下午 01:28:45
BasePriority : Normal
FileVersion : 5.00.2195.6701
ProductVersion : 5.00.2195.6701
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Remote Registry Service
InternalName : regsvc
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : REGSVC.EXE
FilePath : C:\WINNT\system32\
ProcessID : 864
ThreadCreationTime : 2005-7-12 下午 01:28:46
BasePriority : Normal
FileVersion : 4.71.2195.6704
ProductVersion : 4.71.2195.6704
ProductName : MicrosoftR WindowsR Task Scheduler
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
LegalCopyright : Copyright (C) Microsoft Corp. 1997
OriginalFilename : mstask.exe
FilePath : C:\WINNT\System32\WBEM\
ProcessID : 928
ThreadCreationTime : 2005-7-12 下午 01:28:48
BasePriority : Normal
FileVersion : 1.50.1085.0100
ProductVersion : 1.50.1085.0100
ProductName : Windows Management Instrumentation
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
LegalCopyright : Copyright (C) Microsoft Corp. 1995-1999
FilePath : C:\WINNT\system32\
ProcessID : 964
ThreadCreationTime : 2005-7-12 下午 01:28:49
BasePriority : Normal
FileVersion : 5.00.2134.1
ProductVersion : 5.00.2134.1
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : svchost.exe
FilePath : C:\WINNT\
ProcessID : 1064
ThreadCreationTime : 2005-7-12 下午 01:28:51
BasePriority : Normal
FileVersion : 5.00.3700.6690
ProductVersion : 5.00.3700.6690
ProductName : Microsoft(R) Windows (R) 2000 Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : Copyright (C) Microsoft Corp. 1981-1999
OriginalFilename : EXPLORER.EXE
FilePath : C:\WINNT\system32\
ProcessID : 1180
ThreadCreationTime : 2005-7-12 下午 01:29:03
BasePriority : Normal
water5
47 Posts
0
July 12th, 2005 12:00
Ad-Aware SE Build 1.05
Logfile Created on:2005年7月12日 下午 09:44:51
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R52 30.06.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ebates MoneyMaker(TAC index:4):1 total references
Elitum.ElitebarBHO(TAC index:5):10 total references
MRU List(TAC index:0):29 total references
Possible Browser Hijack attempt(TAC index:3):4 total references
Tracking Cookie(TAC index:3):2 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
2005-7-12 09:44:51 PM - Scan started. (Full System Scan)
Location: : C:\Documents and Settings\jasper\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office
MRU List Object Recognized!
Location: : C:\Documents and Settings\jasper\recent
Description : list of recently opened documents
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\internet explorer\main
Description : last save directory used in microsoft internet explorer
MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer
MRU List Object Recognized!
Location: : software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\mediaplayer\player\recentfilelist
Description : list of recently used files in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\mediaplayer\player\settings
Description : last open directory used in jasc paint shop pro
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\mediaplayer\preferences
Description : last playlist index loaded in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\common\open find\microsoft powerpoint\settings\save as\file name mru
Description : list of recent documents saved by microsoft powerpoint
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\excel\recent files
Description : list of recent files used by microsoft excel
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\office\9.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\nico mak computing\winzip\filemenu
Description : winzip recently used archives
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\realnetworks\realplayer\6.0\preferences
Description : list of recent skins in realplayer
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\realnetworks\realplayer\6.0\preferences
Description : list of recent clips in realplayer
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\realnetworks\realplayer\6.0\preferences
Description : last login time in realplayer
MRU List Object Recognized!
Location: : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\windows media\wmsdk\general
Description : windows media sdk
water5
47 Posts
July 12th, 2005 12:00
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{28caeff3-0f18-4036-b504-51d73bd81abc}
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{28caeff3-0f18-4036-b504-51d73bd81abc}
Value :
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}
Value :
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{28caeff3-0f18-4036-b504-51d73bd81abc}
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{28caeff3-0f18-4036-b504-51d73bd81abc}
Value :
Type : RegValue
Data :
Category : Data Miner
Comment : "AC"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\lq
Value : AC
Type : RegValue
Data :
Category : Data Miner
Comment : "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\toolbar\webbrowser
Value : {825CF5BD-8862-4430-B771-0C15C5CA8DEF}
Type : RegValue
Data :
Category : Data Miner
Comment : "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"
Rootkey : HKEY_USERS
Object : S-1-5-21-1004336348-1202660629-452595299-1000\software\microsoft\internet explorer\toolbar\webbrowser
Value : {825CF5BD-8862-4430-B771-0C15C5CA8DEF}
Type : RegValue
Data :
Category : Data Miner
Comment : "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\toolbar
Value : {825CF5BD-8862-4430-B771-0C15C5CA8DEF}
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 10
Objects found so far: 39
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\MainSearch Pagesearchmiracle.com
Type : RegData
Data : " http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : " http://searchmiracle.com/sp.php"
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\MainSearch Barsearchmiracle.com
Type : RegData
Data : " http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : " http://searchmiracle.com/sp.php"
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\SearchSearchAssistantsearchmiracle.com
Type : RegData
Data : " http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : " http://searchmiracle.com/sp.php"
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet ExplorerSearchURLsearchmiracle.com
Type : RegData
Data : " http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer
Value : SearchURL
Data : " http://searchmiracle.com/sp.php"
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 43
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking Cookie Object Recognized!
Type : IECache Entry
Data : jasper@centrport[1].txt
Category : Data Miner
Comment : Hits:1
Value : Cookie:jasper@centrport.net/
Expires : 2030-1-1 08:00:00 AM
LastSync : Hits:1
UseCount : 0
Hits : 1
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 44
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Type : IECache Entry
Data : jasper@centrport[1].txt
Category : Data Miner
Comment :
Value : C:\Documents And Settings\jasper\Cookies\jasper@centrport[1].txt
Type : File
Data : 164636.dll
Category : Data Miner
Comment :
Object : C:\WINNT\Temp\
FileVersion : 1, 0, 0, 60
ProductVersion : 1, 0, 0, 60
ProductName : EliteToolBar Dynamic Link Library
FileDescription : EliteToolBar DLL
InternalName : EliteToolBar
LegalCopyright : Copyright (C) 2004
OriginalFilename : EliteToolBar.DLL
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46
Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46
Scanning Hosts file......
Hosts file location:"C:\WINNT\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
0 entries scanned.
New critical objects:0
Objects found so far: 46
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 46
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:08:53.257
Objects scanned:71832
Objects identified:17
Objects ignored:0
New critical objects:17
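The Ad-Aware log above records each finding as a block of "Field : value" lines. Reading those blocks by hand is error-prone, so here is an added example (not Ad-Aware's own code, and not from the original thread) that parses that record format, groups the registry findings by CLSID so each component's registration points (HKCR\clsid, the Browser Helper Objects list, the IE toolbar keys) are listed together, and pulls out the IE search-setting values that were redirected to an external host. The sample text is a constructed subset of the records posted above; the set of IE value names treated as search settings is this example's own assumption.

```python
"""Parse Ad-Aware SE "Field : value" records and summarise registry findings.

Added example; not Ad-Aware code and not part of the original forum post.
"""
import re
from urllib.parse import urlparse

# Constructed sample: a subset of the records from the log posted above.
SAMPLE = r"""
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{28caeff3-0f18-4036-b504-51d73bd81abc}
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{825cf5bd-8862-4430-b771-0c15c5ca8def}
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\windows\currentversion\explorer\browser helper objects\{28caeff3-0f18-4036-b504-51d73bd81abc}
Type : RegValue
Data :
Category : Data Miner
Comment : "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"
Rootkey : HKEY_USERS
Object : .DEFAULT\software\microsoft\internet explorer\toolbar\webbrowser
Value : {825CF5BD-8862-4430-B771-0C15C5CA8DEF}
Type : RegValue
Data :
Category : Data Miner
Comment : "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}"
Rootkey : HKEY_LOCAL_MACHINE
Object : software\microsoft\internet explorer\toolbar
Value : {825CF5BD-8862-4430-B771-0C15C5CA8DEF}
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet Explorer\MainSearch Pagesearchmiracle.com
Type : RegData
Data : " http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : " http://searchmiracle.com/sp.php"
Possible Browser Hijack attempt : .DEFAULT\Software\Microsoft\Internet ExplorerSearchURLsearchmiracle.com
Type : RegData
Data : " http://searchmiracle.com/sp.php"
Category : Data Miner
Comment : Possible Browser Hijack attempt
Rootkey : HKEY_USERS
Object : .DEFAULT\Software\Microsoft\Internet Explorer
Value : SearchURL
Data : " http://searchmiracle.com/sp.php"
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
"""

FIELDS = {"Type", "Data", "Category", "Comment", "Rootkey", "Object", "Value"}
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
# Assumption: IE values that, when pointed at a third-party host, indicate a search hijack.
IE_SEARCH_VALUES = {"search page", "search bar", "searchassistant", "searchurl"}


def parse_records(text: str) -> list[dict]:
    """Split the log into one dict per record; a record starts at each 'Type :' line."""
    records, cur = [], None
    for line in text.splitlines():
        if line.startswith("Type :"):
            cur = {}
            records.append(cur)
        if cur is None or " : " not in line:
            continue  # separators, headers and empty 'Data :' lines carry nothing
        key, _, val = line.partition(" : ")
        key, val = key.strip(), val.strip()
        if key not in FIELDS:
            continue  # e.g. the 'Possible Browser Hijack attempt : ...' banner line
        if key == "Data":
            val = val.strip('"').strip()  # Data is quoted with a leading space
        if val:
            cur[key] = val
    return records


def clsid_registrations(records: list[dict]) -> dict[str, set[str]]:
    """Map each CLSID to the registry locations (Rootkey\\Object) that reference it."""
    regs: dict[str, set[str]] = {}
    for r in records:
        if not r.get("Type", "").startswith("Reg"):
            continue
        for field in ("Object", "Value"):
            for clsid in CLSID_RE.findall(r.get(field, "")):
                regs.setdefault(clsid.lower(), set()).add(r["Rootkey"] + "\\" + r["Object"])
    return regs


def search_hijacks(records: list[dict]) -> list[tuple[str, str]]:
    """Return (full value path, host) for IE search settings redirected to a URL."""
    hits = []
    for r in records:
        if r.get("Type") == "RegData" and r.get("Value", "").lower() in IE_SEARCH_VALUES:
            host = urlparse(r["Data"]).hostname or r["Data"]
            hits.append((r["Rootkey"] + "\\" + r["Object"] + "\\" + r["Value"], host))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for clsid, where in sorted(clsid_registrations(recs).items()):
        print(clsid)
        for loc in sorted(where):
            print("   ", loc)
    for path, host in search_hijacks(recs):
        print("search setting ->", host, ":", path)
```

Grouping by CLSID is the useful step: it shows that {28caeff3-...} is both registered as a COM class and listed as a Browser Helper Object, and that {825cf5bd-...} is registered as a class and wired in as an IE toolbar both machine-wide and for the .DEFAULT profile, which is why removing a single key never clears the detection.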
Midnight Star
4.8K Posts
July 12th, 2005 13:00
I can see! I think we had this very same problem last year with AboutBlank on your system ... :( Post back a new HiJackThis log and let's see what we have (should be the same as before, if I'm reading the AdAware log correctly).
I might not be able to spend much more time on this, since I'm currently working another problem that's requiring quite a bit of research. I'll take a few more looks, and if it seems like a rampant dll (hidden and causing problems), I'll see if I can turn this thread over to someone who can dedicate more time to helping you locate and remove it.
==========
Mike
water5
47 Posts
July 12th, 2005 14:00
Thanks for all your help. Here is the latest HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 10:59:32 PM, on 2005/7/12
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Network ICE\BlackICE\blackd.exe
C:\Program Files\Ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\Netlib.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\system32\msnmsgr.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Network ICE\BlackICE\blackice.exe
C:\Program Files\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Security Oanagers] svghostb.exe
O4 - HKLM\..\Run: [Messenger Service] msnmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft Security Oanagers] svghostb.exe
O4 - HKLM\..\RunServices: [Messenger Service] msnmsgr.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\Network ICE\BlackICE\blackice.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\Ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINNT\system32\Netlib.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\rapapp.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
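The HJT log above contains the two O4 entries that matter most: `[Microsoft Security Oanagers] svghostb.exe` and `[Messenger Service] msnmsgr.exe`, each present under both `Run` and `RunServices`, with the executable given as a bare filename rather than a full path. Below is an added example (not HijackThis code and not from the original thread) of the triage a helper does by eye: it reads the "Running processes" block and the O4/O23 lines from a constructed subset of the posted log and flags entries that (a) name a bare executable, resolved through the search path rather than a fixed location, noting where that name is actually running if it appears in the process list, (b) sit in `RunServices`, a Windows 9x/Me key that Windows 2000 does not process and that legitimate installers rarely write, or (c) are services with no publisher information. The allowlist of bare names that Windows 2000 legitimately starts this way (`mobsync.exe`) is this example's own assumption.

```python
"""Triage of HijackThis O4 (autostart) and O23 (service) lines.

Added example; not HijackThis code and not part of the original forum post.
"""
import re

# Constructed sample: a subset of the HijackThis log posted above.
SAMPLE_LOG = r"""Platform: Windows 2000 SP4 (WinNT 5.00.2195)
Running processes:
C:\WINNT\system32\Netlib.exe
C:\WINNT\system32\msnmsgr.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Security Oanagers] svghostb.exe
O4 - HKLM\..\Run: [Messenger Service] msnmsgr.exe
O4 - HKLM\..\RunServices: [Microsoft Security Oanagers] svghostb.exe
O4 - HKLM\..\RunServices: [Messenger Service] msnmsgr.exe
O23 - Service: Net Functions Library (Netlib) - Unknown owner - C:\WINNT\system32\Netlib.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\Network ICE\BlackICE\blackd.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Assumption: bare names Windows 2000 itself places in the Run key without a path.
KNOWN_BARE = {"mobsync.exe"}


def command_image(cmd: str) -> str:
    """Return the executable part of an O4 command line, honouring quoting."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def running_processes(lines: list[str]) -> dict[str, str]:
    """Map lowercase basename -> full path from the 'Running processes' block."""
    procs, inside = {}, False
    for line in lines:
        if line.startswith("Running processes:"):
            inside = True
            continue
        if inside:
            if len(line) < 3 or line[1:3] != ":\\":
                inside = False  # first non-path line ends the block
            else:
                procs[line.rsplit("\\", 1)[-1].lower()] = line
    return procs


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (log line, reason) pairs for entries a helper should look at first."""
    lines = log_text.splitlines()
    nt_platform = any(l.startswith("Platform:") and "WinNT" in l for l in lines)
    procs = running_processes(lines)
    findings = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            image = command_image(m["cmd"])
            base = image.rsplit("\\", 1)[-1].lower()
            if "\\" not in image and base not in KNOWN_BARE:
                where = procs.get(base)
                detail = (f"currently running from {where}" if where
                          else "not in the running-process list")
                findings.append((line, "bare filename resolved via search path; " + detail))
            if m["key"].lower() == "runservices" and nt_platform:
                findings.append((line, "RunServices key on an NT platform (9x/Me-only key)"))
            continue
        m = O23_RE.match(line)
        if m and m["owner"].lower() == "unknown owner":
            findings.append((line, "service with no publisher information"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run against the constructed sample, this flags `svghostb.exe` (both keys, not running), `msnmsgr.exe` (both keys, running from `C:\WINNT\system32`, which is not where MSN Messenger installs) and the `Netlib` service, and leaves the Java, Real and `mobsync.exe` entries alone.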
Midnight Star
4.8K Posts
July 14th, 2005 12:00
Sorry for taking so long to get back with you, but I've been really tied up, and will be for the next few days or so. Let me get you off to where someone can help you with this cleanup. Go here:
www.malwareremoval.com
Register, and post your log in the HiJackThis forum. Someone will be there shortly after the post to help you. Be sure to add a link in the initial post to the thread here at Dell so they can get a quick idea of what we've tried to do.
==========
Mike.