Full Version: New Post - Many popups
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
geministars
Ran Ad-Aware 600 objects found. NAV also ran no viruses found.System lags on boot up. When I remove items let me know if I must disable system restore.
Kazaa Lite has been removed. Virtual Bouncer in task manager, also seen a dialer.

Needs some work.

Thank You
geministars




Logfile of HijackThis v1.97.7
Scan saved at 11:41:25 AM, on 3/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Mini-Golf\LoadGolfCourses.exe
C:\WINDOWS\System32\IEDriver\IEDriver.exe
C:\Program Files\RVP\bpc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\uptodate.exe
C:\Program Files\Common files\updater\wupdater.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\n-CASE\msbb.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\SuperBar\sbhc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\rundll16.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\INTERN~2\iw.exe
C:\Documents and Settings\User\Application Data\aene.exe
C:\Program Files\Common Files\PSD Tools\blengine.exe
C:\PROGRA~1\CLOCKS~1\Sync.exe
C:\WINDOWS\System32\snetobjm.exe
C:\WINDOWS\System32\wnsintit.exe
C:\WINDOWS\System32\Hcj2s6.exe
C:\Program Files\Popup Guard\PG.exe
C:\Program Files\Common Files\Vantage Software\VSSched.exe
C:\WINDOWS\System32\Phed4.exe
C:\Program Files\VBouncer\VirtualBouncer.exe
C:\Program Files\SysAI\SysAI.exe
C:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.inet-pc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=...=15584419216811
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50024
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O1 - Hosts: 12.129.205.209 search.netscape.com
O1 - Hosts: 12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {01C5BF6C-E699-4CD7-BEA1-786FA05C83AB} - C:\Program Files\SysAI\AproposPlugin.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0DDBB570-0396-44C9-986A-8F6F61A51C2F} - C:\WINDOWS\System32\msiefr40.dll
O2 - BHO: (no name) - {136A9D1D-1F4B-43D4-8359-6F2382449255} - (no file)
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F443} - (no file)
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
O2 - BHO: (no name) - {562C1A20-72E7-4ED8-A26D-0DC57415FE92} - C:\Program Files\Popup Guard\PGI.dll
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {80672997-D58C-4190-9843-C6C61AF8FE97} - C:\WINDOWS\rundll16.dll
O2 - BHO: Httper - {A5483501-070C-41DD-AF44-9BD8864B3015} - C:\Program Files\Httper\httper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F5195E2D-6EA9-4012-A21E-7DA26BA17338} - C:\WINDOWS\System32\tframebuf.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O3 - Toolbar: (no name) - {2CF0B992-5EEB-4143-99C0-5297EF71F444} - (no file)
O3 - Toolbar: SuperBar - {068FD1DC-7BF9-4796-8CEE-6EE54D3EFC9A} - C:\Program Files\SuperBar\SuperBar.Dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [win32app] C:\WINDOWS\System32\winpup32.exe
O4 - HKLM\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Belt] C:\WINDOWS\Belt.exe
O4 - HKLM\..\Run: [LoadGolfCourses] C:\Program Files\Mini-Golf\LoadGolfCourses.exe
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [RVP] "C:\Program Files\RVP\bpc.exe"
O4 - HKLM\..\Run: [{2CF0B992-5EEB-4143-99C0-5297EF71F444}] rundll32.exe C:\WINDOWS\System32\stlbdist.DLL,DllRunMain
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [WhenUSave] C:\PROGRA~1\Save\Save.exe
O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe
O4 - HKLM\..\Run: [3RRFNL#2JLEC87] C:\WINDOWS\System32\Tspif2Ng.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [msbb] C:\Program Files\n-CASE\msbb.exe
O4 - HKLM\..\Run: [LOSVY] C:\WINDOWS\LOSVY.exe
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [SBHC] C:\Program Files\SuperBar\sbhc.exe
O4 - HKLM\..\Run: [Rundll32_7] rundll32.exe C:\WINDOWS\System32\msiefr40.dll,DllRunServer
O4 - HKLM\..\Run: [WZADGJ] C:\WINDOWS\WZADGJ.exe
O4 - HKLM\..\Run: [Rundll16] C:\WINDOWS\rundll16.exe
O4 - HKLM\..\Run: [snetobjm] C:\WINDOWS\System32\snetobjm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Internet Washer Pro] C:\PROGRA~1\INTERN~2\iw.exe min
O4 - HKCU\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
O4 - HKCU\..\Run: [svc] C:\WINDOWS\System32\svc.exe
O4 - HKCU\..\Run: [Ttao] C:\Documents and Settings\User\Application Data\aene.exe
O4 - HKCU\..\Run: [BLMessagingIntegration] C:\Program Files\Common Files\PSD Tools\blengine.exe
O4 - HKCU\..\Run: [ClockSync] C:\PROGRA~1\CLOCKS~1\Sync.exe /q
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintit.exe
O4 - HKCU\..\Run: [Vantage Popup Guard] C:\Program Files\Popup Guard\PG.exe
O4 - HKCU\..\Run: [VSheduler] C:\Program Files\Common Files\Vantage Software\VSSched.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Virtual Bouncer.lnk = C:\Program Files\VBouncer\VirtualBouncer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PrecisionTime.lnk = C:\Program Files\PrecisionTime\PrecisionTime.exe
O4 - Global Startup: Date Manager.lnk = C:\Program Files\Date Manager\DateManager.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: LoadGolfCourses
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.inet-pc.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.isqft.com/Applets/ScriptX/ScriptX.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {17176065-B807-4CF1-BF1C-B85008597878} (Dialer Class) - http://www.paysol.it/dialer/tuoweb.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://stream1000.babenet.com/cabs/videox.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - http://www.cabeagent.com/netagent/objects/custappx2.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.contenidoxxx.com/dialerspa.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/06a42349f138cc9e1118/netzip/RdxIE2.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://208.191.228.101/activex/AxisCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7614.4035763889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
CalamityJane
Hi geministars,

That is still a heavily infested PC. I do not recommend disabling System Restore until AFTER the PC is clean and all programs are verified running smoothly and the PC can connect to the internet ok. The reason for this is, disabling system restore leaves you NO restore point until you re-enable it. If the removal process of all this spyware creates a problem (and sometimes it can), then you have no point to go back to. Granted, you may have to go back and start over with the clean up, but at least you will have a functioning point to go back to. At the end of the cleaning process is when I would disable System Restore, reboot and immediately re-enable it to create the new restore point.

Now, to clean up that PC

Please do the following, in this order.

1. Download and run the fix tool for the Peper trojan:

http://www.memorywatcher.com/uninst.exe

Also available here:
http://zerosrealm.com/downloads/uninst.exe

Double click on 'uninst.exe', let it run and terminate. You must be online to have this work and do not block any attempts for the program to connect to internet if your firewall requests access.
................................................................
2. Go to Add/remove programs in the Control Panel and remove any of the following (if found)

Delphin Media Viewer
Pomulgate or
PGate
.................................................................
3. Next, please download and run this free cleaner

Blmi/Osama Cleaner
http://www.jayloden.com/Blmi.htm
To remove the virus:

a) First, download the REMOVAL TOOL and simply double click it.
http://www.jayloden.com/BlmiFix.exe

b)If you need to manually remove the virus or want to double check the effectiveness of the removal tool, continue to the next step.

c)Press CTRL ALT DEL (CTRL SHIFT ESC if you are on Windows 2000 or XP) to open the "task manager" in windows.

d) Look for a process called "blengine", "ChannelUp" (if you are on 2000 or XP, it will be under the "processes" tab - not applications, and will be called blengine.exe or ChannelUp.exe)

e) Select any of the files listed above if you have them, and then click "end task" on the task manager. This will close down the virus file from running.

f) To manually delete the files, go to C:\Program Files\Common Files and delete the contents of the folder called "PSD Tools" (you may be unable to delete a couple of the files, just be sure to delete at least blengine.exe and channelup.exe, and you should be able to delete the remaining files after you restart your computer).
...................................
4. Next, Reboot the PC
.........................................
5. There is still a lot of junk on that PC that is detected and removed by Adaware. It may take more than one scan and reboot (or, I suspect you have an old build and/or not the latest updates for it).

Check Adaware for Build 1.81 (in the Bottom Right hand corner of the opening Screen.) If not you have an old Version of Adaware and need to uninstall/reinstall the Version 6.0 build 1.81.

Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/

After downloading and installing, first please update the program. It is critical to get the updates first before scanning. Just open Adaware and click on *Check for Updates Now* and then *Continue*. Let them download and install... You should see Reference file 01R269 16.03.2004 loaded. This tells you that you do have the latest update.

Then make sure you are offline, with no browsers open and press the *Scan now* button. Let it fix what it finds.

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

.......................................................
6. Next
Download Spybot Search and Destroy
http://www.safer-networking.org/

How to Use Spybot
(click on the Tutorial link at the top in the program)

How to Update Spybot
http://www.safer-networking.org/index.php?...o&detail=update
1. Click on 'Online' in the navigation bar,
2. Click on 'Update',
3. Search for available updates,
4. Select ALL available updates,
5. Select a download location nearest to you,
6. Download the selected updates.
Updates will be installed without any further action needed.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED
............................
7. Now, please reboot once more. Scan again with HijackThis and post a fresh log back here to see what remains.

P.S. Even a properly updated Norton AV would have detected some of the malware above. I suggest you check the version and most recent updates to that program as well.
geministars
I have completed the removal instructions and computer is better. There is no lag when trying to close or minimize a window and computer boots faster.

The question I have is that before I posted the log I checked to see if the computer had latest definitions and it did. The files that needed to be downloaded were LiveReg and LiveUpdate which I take are program files and I did them manually. Then I ran scan and nothing was found and posted log. I have heard that you should always have latest definitions for anti virus which the computer did and only did not have LiveReg and LiveUpdate. I looked in Quarantine area today and there were 208 items there dating back to 7/2003 mostly Trojan findings. Evidently the virus scanner was doing its job and it was on Autoprotect also. This is NAV 2003 and the LiveUpdate feature is turned on. So regardless of the LiveUpdate and LiveReg that had to be downloaded manually the computer did have latest definitions. If you don't have all the other updates then the latest definitions are no help?

I would like to congratulate Calamity Jane :thumb: on the thorough instructions that I received to help with the problems computer was having as it was no doubt a mess. I have read her solutions to other posts and she is a great help to this board. :thumb:

Is it possible for Calamity Jane to answer my question?

Thank You
geministars




Logfile of HijackThis v1.97.7
Scan saved at 11:18:40 AM, on 3/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\WINDOWS\system32\pcs\pcsvc.exe
C:\WINDOWS\System32\wnsintit.exe
C:\Program Files\Common Files\Vantage Software\VSSched.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.inet-pc.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKCU\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintit.exe
O4 - HKCU\..\Run: [VSheduler] C:\Program Files\Common Files\Vantage Software\VSSched.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.inet-pc.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.isqft.com/Applets/ScriptX/ScriptX.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {17176065-B807-4CF1-BF1C-B85008597878} - http://www.paysol.it/dialer/tuoweb.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream1000.babenet.com/cabs/videox.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} - http://www.cabeagent.com/netagent/objects/custappx2.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.contenidoxxx.com/dialerspa.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/06a42349f138cc9e1118/netzip/RdxIE2.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://208.191.228.101/activex/AxisCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7614.4035763889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
CalamityJane
Oh WOW - that looks a lot better now geministars :)

I was mainly concerned about having the latest updates for Adaware and Spybot as they would get the most. NAV has just started adding spyware and adware to their defs, so they still have some catching up to do to the Antispyware programs. In any case, something wiped out a lot of junk and that is good. The following should take care of the rest.

But first, could you or the person whose PC this is, send these files to me in a zip file? I'm pretty sure they are bad but would like to have them analyzed to be sure. I've sent you a PM with my email addy to send them to. Thanks

Put these in a zip file and send to me:

C:\WINDOWS\winppr32.exe <---Edit: Nevermind... that one is the virus SoBig-F

C:\WINDOWS\System32\wnsintit.exe

Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)

O4 - HKLM\..\Run: [Pcsv] C:\WINDOWS\system32\pcs\pcsvc.exe

O4 - HKCU\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc

O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintit.exe

O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} - http://stream1000.babenet.com/cabs/videox.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/06a42349f138cc9e1118/netzip/RdxIE2.cab
..................................
Reboot your PC

Delete the following files and/or folders named in bold

C:\PROGRA~1\Toolbar (folder)

C:\WINDOWS\system32\pcs (folder)

C:\WINDOWS\winppr32.exe (file)
............................
Scan once more with HijackThis to make sure we got everything.
CalamityJane
SoBig-F
http://securityresponse.symantec.com/avcen...sobig.f@mm.html
Removal Tool
http://securityresponse.symantec.com/avcen...moval.tool.html

And here are some online AV scanners

Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx

The currently installed NAV program must be not working right. I would recommend uninstall/reinstall after getting the virus off of there. Get the updates and scan the system again.
geministars
This is my log after using your removal instructions.

Is there anything else that needs to be done?

Thank you.

geministars





Logfile of HijackThis v1.97.7
Scan saved at 8:24:10 AM, on 3/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Vantage Software\VSSched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.inet-pc.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [VSheduler] C:\Program Files\Common Files\Vantage Software\VSSched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.inet-pc.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.isqft.com/Applets/ScriptX/ScriptX.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {17176065-B807-4CF1-BF1C-B85008597878} - http://www.paysol.it/dialer/tuoweb.cab
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} - http://www.cabeagent.com/netagent/objects/custappx2.CAB
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.contenidoxxx.com/dialerspa.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://208.191.228.101/activex/AxisCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7614.4035763889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
CalamityJane
With all browsers closed, mark this item and have HijackThis *fix checked*

O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.contenidoxxx.com/dialerspa.cab
..........................

Reboot the PC

Inquire about these two:

O16 - DPF: {17176065-B807-4CF1-BF1C-B85008597878} - http://www.paysol.it/dialer/tuoweb.cab <---appears to be a dialer on an Italian website? Ask your user about this one. It doesn't show up in my restricted zone for IESPYAD, but I do question it.

O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} - http://www.cabeagent.com/netagent/objects/custappx2.CAB <--This one DOES show up in my Restricted zone but is not tagged as spyware according to SpywareBlaster. Ask about it too.

If he doesn't know what they are or what program needs them I would get rid of them.

FYI, O16 items are Downloaded Programs via ActiveX. Even if deleted, they can be brought back: when visiting the website, it will try to download them again, which can be allowed for a legitimate application. So these are not too harmful to get rid of.

Everything else looks good.
geministars
Removed 3 items, let me know how it looks.



Thank you.
geministars



Logfile of HijackThis v1.97.7
Scan saved at 10:13:07 AM, on 3/19/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Common Files\Vantage Software\VSSched.exe
C:\Documents and Settings\User\Application Data\aene.exe
C:\WINDOWS\System32\winservn.exe
C:\Hijack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.inet-pc.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKCU\..\Run: [VSheduler] C:\Program Files\Common Files\Vantage Software\VSSched.exe
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - HKCU\..\Run: [Ttao] C:\Documents and Settings\User\Application Data\aene.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.inet-pc.com
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - http://www.isqft.com/Applets/ScriptX/ScriptX.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} - http://208.191.228.101/activex/AxisCamControl.ocx
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7614.4035763889
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
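The thread works by posting a fresh HijackThis log after each cleaning round and comparing it with the previous one; the final log above, for example, shows two O4 autostart entries (aene.exe under Application Data and winservn.exe) and their running processes that were absent from the log before it. The script below is an added example, not code from the forum or from HijackThis, that does that comparison mechanically: it parses the "Running processes" block and the R/O entries of two logs, reports what was removed and what came back, and applies a few triage heuristics drawn from the helper's own reasoning in this thread (an autostart binary under a per-user writable folder, a registered component with "(no file)", an ActiveX download URL naming a dialer). The two log excerpts are constructed from lines on this page; the heuristics and the function names are this example's own assumptions, not HijackThis functionality.

```python
"""Parse and diff two HijackThis v1.97-style logs and triage entries.

Added example for this thread; not HijackThis code. The heuristics below are
illustrative assumptions, not an authoritative malware list.
"""
import re
from dataclasses import dataclass

# HijackThis entry lines look like "O4 - HKLM\..\Run: [name] path" or "R1 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Entry:
    code: str  # section code such as "O4", "O16", "R1"
    body: str  # the rest of the line, compared verbatim


def parse_log(text):
    """Return (running_processes, entries) from the body of a HijackThis log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # first R/O entry ends the process block
            entries.append(Entry(m.group("code"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def diff_logs(old_text, new_text):
    """Compare two logs; entries that vanish were fixed, entries that appear came back."""
    old_p, old_e = parse_log(old_text)
    new_p, new_e = parse_log(new_text)
    old_set, new_set = set(old_e), set(new_e)
    return {
        "removed_entries": [e for e in old_e if e not in new_set],
        "added_entries": [e for e in new_e if e not in old_set],
        "removed_processes": sorted(set(old_p) - set(new_p)),
        "added_processes": sorted(set(new_p) - set(old_p)),
    }


# Triage heuristics (assumed for this example): pattern on the entry body -> reason.
SUSPICIOUS = [
    (re.compile(r"\\Application Data\\", re.I),
     "autostart binary under a per-user writable directory"),
    (re.compile(r"\(no file\)"),
     "registered component whose file is missing (leftover registration)"),
    (re.compile(r"dialer", re.I),
     "ActiveX download URL names a dialer"),
]


def triage(entries):
    """Return (entry, reason) pairs for entries that match a heuristic."""
    hits = []
    for e in entries:
        for pattern, reason in SUSPICIOUS:
            if pattern.search(e.body):
                hits.append((e, reason))
                break
    return hits


# Constructed excerpts of the 3rd and 4th logs posted in the thread.
LOG_BEFORE = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Vantage Software\VSSched.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKCU\..\Run: [VSheduler] C:\Program Files\Common Files\Vantage Software\VSSched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.contenidoxxx.com/dialerspa.cab
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Vantage Software\VSSched.exe
C:\Documents and Settings\User\Application Data\aene.exe
C:\WINDOWS\System32\winservn.exe

O4 - HKCU\..\Run: [VSheduler] C:\Program Files\Common Files\Vantage Software\VSSched.exe
O4 - HKCU\..\Run: [ContentService] C:\WINDOWS\System32\winservn.exe
O4 - HKCU\..\Run: [Ttao] C:\Documents and Settings\User\Application Data\aene.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

if __name__ == "__main__":
    d = diff_logs(LOG_BEFORE, LOG_AFTER)
    for key in ("removed_entries", "added_entries", "removed_processes", "added_processes"):
        print(key)
        for item in d[key]:
            print("   ", item)
    print("triage of new log:")
    for e, reason in triage(parse_log(LOG_AFTER)[1]):
        print("   ", e.code, e.body, "->", reason)
```

Run against the real logs, the "added_entries" list is what a helper would ask about next (in the thread, the returning [Ttao] and [ContentService] entries); the "removed_entries" list confirms which fixes took. The heuristics are deliberately narrow so they do not produce false confidence: an entry that matches none of them is not thereby clean.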