Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Unknown spyware (HJT log attached)

  1. #1
    Junior Member
    Join Date
    Nov 2005
    Posts
    0

    Post Unknown spyware (HJT log attached)

    Hi there,

    I'm hoping you can help me get rid of my popup problems.
    I am getting popups whenever I start IE & during continued use. They mostly are for 2 sites - adultfriendfinder.com & partypoker.com

    I've run Spybot S&D with the latest definitions and it picks up nothing, my system is also immunized with S&D as per the latest definitions.
    On top of this I run Spywareblaster & I have done a full system scan with Ad-aware as well - nothing picked up there either.

    I use the AVG free edition which again hasn't picked up anything and an online virus scan (Trend Micro Online Scan) showed nothing either.

    Here's my Hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:35:45 PM, on 2005/11/29
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\Program Files\Executive Software\Diskeeper\DkService.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\WINDOWS\system32\SLEE401.exe
    D:\WINDOWS\system32\SLEE503.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\D-Tools\daemon.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    D:\Program Files\NetLimiter\NetLimiter.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    d:\progra~1\intern~1\iexplore.exe
    D:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    D:\Program Files\Internet Explorer\iexplore.exe
    D:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Downloads\Incoming\hijackthis_199\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.93.174.105:553
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {C66A14F2-AFAF-A989-453B-A8DEA25F0D84} - D:\DOCUME~1\BATTOU~1\APPLIC~1\GRIDBY~1\Road corn.exe
    O2 - BHO: Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - D:\WINDOWS\system32\s1932.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - D:\WINDOWS\system32\s1932.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
    O4 - HKLM\..\Run: [NetLimiter] D:\Program Files\NetLimiter\NetLimiter.exe /s
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [BOLDKNOBAIMPING] D:\Documents and Settings\All Users\Application Data\SiteRectBoldKnob\Shim Proxy.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [second copy] D:\DOCUME~1\BATTOU~1\APPLIC~1\UPOPEN~1\ItchMemo.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
    O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2004\\AddUrl.html
    O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2004\\Wizard.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2004\\Parser.html
    O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: StumbleUpon: &Blog This - res://D:\WINDOWS\system32\s1932.dll/blogimage
    O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.stumbleupon.com
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120561587140
    O17 - HKLM\System\CCS\Services\Tcpip\..\{11560AEA-FB31-4BF2-93FF-06C3DA8AA479}: NameServer = 192.168.0.1
    O17 - HKLM\System\CCS\Services\Tcpip\..\{88C28E58-D9E2-407D-9CC8-AF3DD9270922}: NameServer = 196.25.255.34 196.25.255.3
    O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Steganos Live Encryption Engine (Version 401) [Service] (SLEE_401_SERVICE) - Unknown owner - D:\WINDOWS\system32\SLEE401.exe
    O23 - Service: Steganos Live Encryption Engine (Version 503) [Service] (SLEE_503_SERVICE) - Unknown owner - D:\WINDOWS\system32\SLEE503.exe
    O23 - Service: StyleXPService - Unknown owner - D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hello

    Look in addremove programs for "Search Plugin: , if there uninstall it

    Go here and submit these files. let us know what if anything is found
    D:\WINDOWS\system32\SLEE401.exe
    D:\WINDOWS\system32\SLEE503.exe
    http://www.virustotal.com/flash/index_en.html

    Keep us informed

  3. #3
    Junior Member
    Join Date
    Nov 2005
    Posts
    0

    Default

    Hi,

    Search plugin was indeed in add/remov progz - I removed it and so far it seems to have fixed the issue !

    These 2:

    D:\WINDOWS\system32\SLEE401.exe
    D:\WINDOWS\system32\SLEE503.exe

    are the Steganos Live Encryption engine - they're to decrypt encrypted files, so no problem there - I installed that myself.

    Seems fixed for now, if something comes up again I'll be back.

    Thanks so much for taking the time, thanks to your help I'm rid of a very annoying pain in the ass. Keep up the good work, its very much appreciated by myself and I'm sure thousands of others you help.


  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Good

    Can i see another log after you update suns java please, its important for security issues
    Click download now: http://java.com/en/download/index.jsp

  5. #5
    Junior Member
    Join Date
    Nov 2005
    Posts
    0

    Default

    Oh, by the way. I'm sure you know this already, but to uninstall the "Search Plugin" in control panel I first had to enter an OCR code (blurred numbers like on forum signups). Out of interest - is this why programs such as spybot cannot nuke the bastard? I imagine so, as its the same sorta of method used by (mainly adult) sites to prevent software based brute force attacks. But since this is a little different I thought there must be another way for a program such as s&d to get rid of it - I imagine its a new one though since it doesn't even show up in the scan...?

    If you dont have time to answer my questions I understand, I'm just interested to roughly understand how this malware operates.

    Off on holiday for a week, thanks again mate

    - Just saw your reply, will do that first -
    Last edited by tripex; 2005-12-03 at 03:54.

  6. #6
    Junior Member
    Join Date
    Nov 2005
    Posts
    0

    Default

    Alright, updated java and heres the new log:

    Logfile of HijackThis v1.99.1
    Scan saved at 03:47:34 AM, on 2005/12/03
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    D:\WINDOWS\System32\smss.exe
    D:\WINDOWS\system32\winlogon.exe
    D:\WINDOWS\system32\services.exe
    D:\WINDOWS\system32\lsass.exe
    D:\WINDOWS\system32\svchost.exe
    D:\WINDOWS\System32\svchost.exe
    D:\WINDOWS\system32\spoolsv.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    D:\Program Files\Executive Software\Diskeeper\DkService.exe
    D:\Program Files\ewido\security suite\ewidoctrl.exe
    D:\WINDOWS\system32\nvsvc32.exe
    D:\WINDOWS\system32\SLEE401.exe
    D:\WINDOWS\system32\SLEE503.exe
    D:\WINDOWS\Explorer.EXE
    D:\Program Files\D-Tools\daemon.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    D:\WINDOWS\system32\RUNDLL32.EXE
    D:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
    D:\Program Files\Samsung\Digimax Viewer 1.0\DigimaxViewer.exe
    D:\WINDOWS\system32\svchost.exe
    D:\Program Files\Eraser\eraser.exe
    D:\WINDOWS\system32\msiexec.exe
    C:\Downloads\Incoming\hijackthis_199\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.93.174.105:553
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - D:\PROGRA~1\FlashGet\jccatch.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar1.dll
    O2 - BHO: Toolbar Helper - {D44BBB61-E17F-4AE6-A502-8D7E0B29E616} - D:\WINDOWS\system32\s1932.dll
    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\fgiebar.dll
    O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - D:\WINDOWS\system32\s1932.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Resume copy] copyfstq.exe /startup
    O4 - HKLM\..\Run: [NetLimiter] D:\Program Files\NetLimiter\NetLimiter.exe /s
    O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [SunJavaUpdateSched] D:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKCU\..\Run: [STYLEXP] D:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\RunOnce: [remititit2876] D:\WINDOWS\system32\command.com /c del D:\DOCUME~1\BATTOU~1\APPLIC~1\UPOPEN~1\1701.del
    O4 - HKCU\..\RunOnce: [remititit26982] D:\WINDOWS\system32\command.com /c del D:\DOCUME~1\BATTOU~1\APPLIC~1\UPOPEN~1\1701.del
    O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digimax Viewer 1.0.lnk = ?
    O8 - Extra context menu item: &Google Search - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://D:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://D:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://D:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Download All by FlashGet - D:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: Download using FlashGet - D:\Program Files\FlashGet\jc_link.htm
    O8 - Extra context menu item: Download using LeechGet - file://D:\Program Files\LeechGet 2004\\AddUrl.html
    O8 - Extra context menu item: Download using LeechGet Wizard - file://D:\Program Files\LeechGet 2004\\Wizard.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Parse with LeechGet - file://D:\Program Files\LeechGet 2004\\Parser.html
    O8 - Extra context menu item: Similar Pages - res://D:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: StumbleUpon: &Blog This - res://D:\WINDOWS\system32\s1932.dll/blogimage
    O8 - Extra context menu item: Translate Page into English - res://D:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - D:\PROGRA~1\FlashGet\flashget.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.stumbleupon.com
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1120561587140
    O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/pro...anner37440.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{88C28E58-D9E2-407D-9CC8-AF3DD9270922}: NameServer = 196.25.255.34 196.25.255.3
    O23 - Service: Adobe LM Service - Unknown owner - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - D:\Program Files\Executive Software\Diskeeper\DkService.exe
    O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Steganos Live Encryption Engine (Version 401) [Service] (SLEE_401_SERVICE) - Unknown owner - D:\WINDOWS\system32\SLEE401.exe
    O23 - Service: Steganos Live Encryption Engine (Version 503) [Service] (SLEE_503_SERVICE) - Unknown owner - D:\WINDOWS\system32\SLEE503.exe
    O23 - Service: StyleXPService - Unknown owner - D:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

  7. #7
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Its called Lop, has been around for quite awhile, the reason its hard to target is becouse of the random folder and file names
    Its is usualy installed by adware supported programs, such as messengerplus.

    Check to see if these are still present, if so delete them
    D:\Documents and Settings\All Users\Application Data\SiteRectBoldKnob\Shim Proxy.exe
    D:\DOCUME~1\BATTOU~1\APPLIC~1\UPOPEN~1\ItchMemo.exe

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    Great, now start the uninstall of suns java via addremove programs and uninstall all but the most recent version,

    Happy surfing

  9. #9
    Junior Member
    Join Date
    Nov 2005
    Posts
    0

    Default

    I see, thanks for the info.

    Ok, I didn't find either one in those locations but I did a search for the filenames on top of that and found:

    D:\WINDOWS|Prefetch\SHIM PROXY.EXE-0276740A.pf
    D:\WINDOWS|Prefetch\ITCHMEMO.EXE-35678BAB.pf

    I take it I should delete those as well?

    -And I removed the old java installs-

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Hi

    No, no need to mess with files in prefetch

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •