Command Service



Wobin
2005-12-28, 16:06
Well, I read a great deal of all the posts concerning this malware. I also read the posts in which it was said this is not malware. But I want to make sure.
I did a full Norton scan. The only thing it couldn't remove was a file called: 'C:\WINDOWS\system32\ppiaoa.exe'
If I try a system restore, it isn't able to restore to a previous point. I'm a little confused at the moment. Thanks for your help in advance!

Here are my logs:

Spybot:
--------

CoolWWWSearch.WCADW: IE Search page (Registry change, fixed)
HKEY_USERS\S-1-5-21-527237240-1383384898-682003330-1003\Software\Microsoft\Internet Explorer\Main\Local Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_USERS\S-1-5-21-527237240-1383384898-682003330-1003\Software\Microsoft\Internet Explorer\Main\Start Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_USERS\S-1-5-21-527237240-1383384898-682003330-1003\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

CoolWWWSearch.WCADW: IE Search page (Registry change, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page=about:blank

CoolWWWSearch.WCADW: IE start page (Registry change, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL=about:blank

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService

HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: default) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-12-10 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-12-23 Includes\Cookies.sbi (*)
2005-12-23 Includes\Dialer.sbi (*)
2005-12-23 Includes\Hijackers.sbi (*)
2005-12-23 Includes\Keyloggers.sbi (*)
2005-12-23 Includes\Malware.sbi (*)
2005-12-23 Includes\PUPS.sbi (*)
2005-12-23 Includes\Revision.sbi (*)
2005-12-23 Includes\Security.sbi (*)
2005-12-23 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2005-12-23 Includes\Trojans.sbi (*)

I removed the CoolWWWSearch entries several times, but they keep coming back.
The Command Service I can't get rid of, not even manually or in safe mode.

Hijackthis:
----------
Logfile of HijackThis v1.99.1
Scan saved at 14:44:43, on 28/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\paytime.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\WobinD\Bureaublad\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
The R0-R1 entries are also deleted several times, but keep coming back. TeaTimer keeps showing messages (I told it to blacklist those entries).
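A small triage script, added here as an example and not part of the thread or of any of the tools named in it, that applies the kind of checks a helper does by hand to HijackThis lines in the format posted (R0/R1, O4 Run, O20 Winlogon Notify) and cross-references them with a Kaspersky-style "path Infected: verdict" list. The sample lines are excerpted from the logs in this post; the rule names and the `Finding` type are the script's own.

```python
"""Triage a HijackThis log against an AV scanner's detection list.

Added example (not from the thread). Flags the entries a helper reads first:
IE start/local pages that point at a local file instead of a URL, O4 Run
entries whose executable the scanner reported as infected or that autostart
from both HKLM and HKCU, and Winlogon Notify entries whose DLL is missing.
"""
import re
from dataclasses import dataclass

R_RE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\[^,]*,([^=]+?) = (.+)$")
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
DETECT_RE = re.compile(r"^(.+?) Infected: (\S+)$")
# First program path on a Run command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(.+?\.(?:exe|dll|cpl|scr))\b', re.IGNORECASE)
LOCAL_FILE_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def parse_detections(report: str) -> dict:
    """Map each infected object path (lower-cased) to the scanner's verdict."""
    found = {}
    for raw in report.splitlines():
        m = DETECT_RE.match(raw.strip())
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def executable_of(command: str) -> str:
    """Return the program path from an O4 command line, lower-cased."""
    m = EXE_RE.match(command.strip())
    return m.group(1).lower() if m else command.strip().lower()


def triage(hjt_log: str, detections: dict) -> list:
    """Return Findings for the HJT lines that deserve a closer look."""
    findings = []
    run_hives = {}  # executable -> set of hives it autostarts from
    for raw in hjt_log.splitlines():
        line = raw.strip()
        if m := R_RE.match(line):
            _, _, key, value = m.groups()
            if LOCAL_FILE_RE.match(value):
                findings.append(Finding(line, f"IE {key} points at a local file: {value}"))
        elif m := O4_RE.match(line):
            hive, _, command = m.groups()
            exe = executable_of(command)
            run_hives.setdefault(exe, set()).add(hive)
            if exe in detections:
                findings.append(Finding(line, f"Run entry launches a file the scanner flagged as {detections[exe]}"))
        elif m := O20_RE.match(line):
            name, target = m.groups()
            if target.endswith("(file missing)"):
                findings.append(Finding(line, f"Winlogon Notify '{name}' refers to a DLL that is gone"))
    for exe, hives in run_hives.items():
        if hives == {"HKLM", "HKCU"}:
            findings.append(Finding(exe, "same program autostarts from both HKLM and HKCU Run"))
    return findings


# Sample input, excerpted from the logs posted in this thread.
HJT_SAMPLE = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe",
    r"O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe",
    r"O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)",
])
KAV_SAMPLE = "\n".join([
    "Infected Object Name - Virus Name",
    r"C:\WINDOWS\system32\paytime.exe Infected: Trojan.Win32.StartPage.agp",
    r"C:\WINDOWS\system32\ppiaoa.exe Infected: Trojan-Downloader.Win32.Qoologic.at",
    "Scan process completed.",
])

if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, parse_detections(KAV_SAMPLE)):
        print(f"{f.reason}\n    {f.line}")
```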

Wobin
2005-12-28, 16:07
Kaspersky:
----------
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, December 28, 2005 15:04:18
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 28/12/2005
Kaspersky Anti-Virus database records: 167975
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 37191
Number of viruses found: 19
Number of infected objects: 78
Number of suspicious objects: 0
Duration of the scan process: 1458 sec

Infected Object Name - Virus Name
C:\!KillBox\ssldr32.dll Infected: Trojan-Proxy.Win32.Agent.hs
C:\Documents and Settings\WobinD\Local Settings\Temporary Internet Files\Content.IE5\21LEVEHK\kl[1].txt Infected: Trojan-PSW.Win32.Agent.bu
C:\Documents and Settings\WobinD\Local Settings\Temporary Internet Files\Content.IE5\21LEVEHK\paytime[1].txt Infected: Trojan.Win32.StartPage.agp
C:\Documents and Settings\WobinD\Local Settings\Temporary Internet Files\Content.IE5\FU8FBPCD\ms1[1].txt Infected: Trojan-Downloader.Win32.Tiny.al
C:\Documents and Settings\WobinD\Local Settings\Temporary Internet Files\Content.IE5\S75JAQ3X\hosts[1].txt Infected: Trojan.Win32.Qhost.el
C:\Documents and Settings\WobinD\Local Settings\Temporary Internet Files\Content.IE5\TVJZ1LKE\mng[1].exe Infected: Trojan-Proxy.Win32.Agent.hs
C:\Documents and Settings\WobinD\Local Settings\Temporary Internet Files\Content.IE5\TVJZ1LKE\tool2[1].txt Infected: not-virus:Hoax.Win32.Renos.aj
C:\Documents and Settings\WobinD\Mijn documenten\Firefox_dl\TMPGEnc.Plus.2.524.63.181_CRKEXE-FFF.exe/run.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Documents and Settings\WobinD\Mijn documenten\Firefox_dl\TMPGEnc.Plus.2.524.63.181_CRKEXE-FFF.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll Infected: Trojan-PSW.Win32.Agent.bu
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe Infected: Trojan-PSW.Win32.Agent.bu
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll Infected: Trojan-PSW.Win32.Agent.bu
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\Program Files\Norton AntiVirus\Quarantine\09DB379F.exe Infected: Trojan-Dropper.Win32.Small.ahg
C:\Program Files\Norton AntiVirus\Quarantine\09F50783.txt Infected: Packed.Win32.Klone.b
C:\Program Files\Norton AntiVirus\Quarantine\12CF59C5.dll Infected: Trojan-Downloader.Win32.Small.bug
C:\Program Files\Norton AntiVirus\Quarantine\27C831D4 Infected: Trojan-Dropper.Win32.Small.ahg
C:\Program Files\Norton AntiVirus\Quarantine\29603212 Infected: Packed.Win32.Klone.b
C:\Program Files\Norton AntiVirus\Quarantine\33192B60 Infected: Packed.Win32.Klone.b
C:\Program Files\Norton AntiVirus\Quarantine\33DD0288 Infected: Trojan-Downloader.Win32.Adload.l
C:\Program Files\Norton AntiVirus\Quarantine\33E02C85 Infected: Trojan-Dropper.Win32.Agent.aed
C:\Program Files\Norton AntiVirus\Quarantine\393A789F Infected: Trojan.Win32.Pakes
C:\Program Files\Norton AntiVirus\Quarantine\42A22A7F Infected: not-a-virus:Downloader.Win32.WinFixer.b
C:\Program Files\Norton AntiVirus\Quarantine\45467AF4 Infected: Trojan-Dropper.Win32.Agent.aed
C:\Program Files\Norton AntiVirus\Quarantine\4AEE017C Infected: Trojan-Downloader.Win32.Qoologic.at
C:\Program Files\Norton AntiVirus\Quarantine\6D910A4A Infected: Trojan-Downloader.Win32.Adload.j
C:\Program Files\Norton AntiVirus\Quarantine\73721AA0 Infected: not-a-virus:Downloader.Win32.WinFixer.b
C:\Program Files\Norton AntiVirus\Quarantine\76736D1B Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003067.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003078.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003079.exe Infected: not-virus:Hoax.Win32.Renos.aj
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003084.exe Infected: Trojan-Downloader.Win32.Tiny.al
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003085.dll Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003086.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003087.cpl Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003136.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003137.dll Infected: Trojan-Downloader.Win32.Qoologic.az
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003223.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003226.dll Infected: Trojan-Downloader.Win32.Small.bug
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003260.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003261.dll Infected: Trojan-Downloader.Win32.Qoologic.az
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003270.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003271.dll Infected: Trojan-Downloader.Win32.Qoologic.az
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP30\A0003272.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP39\A0003636.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP39\A0003637.dll Infected: Trojan-Downloader.Win32.Qoologic.az
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP39\A0003638.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP39\A0003702.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP39\A0003703.dll Infected: Trojan-Downloader.Win32.Qoologic.az
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP39\A0003704.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP40\A0003767.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP40\A0003768.dll Infected: Trojan-Downloader.Win32.Qoologic.az
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP40\A0003769.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0003783.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0003784.dll Infected: Trojan-Downloader.Win32.Qoologic.az
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0003785.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004243.exe Infected: Trojan-Downloader.Win32.Qoologic.at
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004274.dll Infected: Trojan-Downloader.Win32.Small.bug
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004279.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004280.dll Infected: Trojan-Downloader.Win32.Qoologic.az
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004281.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004290.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004291.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004292.exe Infected: not-virus:Hoax.Win32.Renos.aj
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004293.exe Infected: Trojan-PSW.Win32.Agent.bu
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004295.exe Infected: Trojan-Downloader.Win32.Harnig.ax
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP41\A0004304.exe Infected: Trojan-Downloader.Win32.Adload.l
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP43\A0004441.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP43\A0004442.dll Infected: Trojan-Downloader.Win32.Qoologic.az
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP43\A0004444.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP43\A0004451.exe Infected: Trojan-Dropper.Win32.Agent.aed
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP43\A0004455.dll Infected: Trojan-Proxy.Win32.Agent.hs
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP7\A0000802.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\System Volume Information\_restore{7C3362B8-875C-4116-A3CC-4AE028CE66F0}\RP7\A0000802.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\WINDOWS\system32\iiopupp.dll Infected: Trojan-Downloader.Win32.Qoologic.az
C:\WINDOWS\system32\kkemk.dll Infected: Trojan-Downloader.Win32.Qoologic.bd
C:\WINDOWS\system32\paytime.exe Infected: Trojan.Win32.StartPage.agp
C:\WINDOWS\system32\ppiaoa.exe Infected: Trojan-Downloader.Win32.Qoologic.at

Scan process completed.

Wobin
2005-12-28, 22:35
**update**

Kaspersky log
-------------
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, December 28, 2005 21:34:49
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 28/12/2005
Kaspersky Anti-Virus database records: 168079
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 28339
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 849 sec

Infected Object Name - Virus Name
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616

Scan process completed.

LonnyRJones
2005-12-29, 23:14
Hi Wobin, welcome.

Disable SpybotSD TeaTimer, as it may hinder the removal of the infection.
You can enable it after you're clean.
To disable SpybotSD TeaTimer:
Open Spybot and click on Mode and check Advanced Mode
Check yes to next window.
Click on Tools in bottom left hand corner.
Click on System Startup icon.
Uncheck Teatimer box.
Don't turn it back on until we are completely finished.
We don't want it to interfere with our fixes.

Follow the advice in this post and post the logs mentioned when finished.
http://forums.spybot.info/showthread.php?t=1316

When running Ewido while in safe mode, do not open any folders or Qoologic might reinfect/re-establish itself.

Wobin
2005-12-30, 21:56
Hi LonnyRJones,
thanks for the reply.

Here's my first HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 19:30:18, on 30/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\WobinD\Bureaublad\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

My smitRem log:
---------------
smitRem log file
version 2.8

by noahdfear

Microsoft Windows XP [versie 5.1.2600]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key
ShudderLTD key not present!

checking for PSGuard.com key
PSGuard.com key not present!

checking for WinHound.com key
WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Install.dat

~~~ Favorites ~~~

~~~ system32 folder ~~~

svcp.csv

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 820 'explorer.exe'
Killing PID 820 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files


~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN! :)

The "Uncheck "Security Info" or anything similar if present" step I don't have. But I deleted the 'secure32' file from my system32 folder yesterday (after a little reading).
The online Panda scan doesn't support the autocleaning function... However, I came up with one 'Spyware detected':
Panda report:
------------
Adware:adware/popupsandbanners    Not desinfected    C:\WINDOWS\teller2.chk


Final HijackThis log:
-----------------
Logfile of HijackThis v1.99.1
Scan saved at 20:54:35, on 30/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\WobinD\Bureaublad\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Wobin
2005-12-30, 22:06
Since there isn't an 'edit' button...

My Spybot S&D seems to hang from time to time. It always has done on my system (formatted several times).
It surely hangs when run in safe mode.

Forgot to mention this.

LonnyRJones
2005-12-31, 06:41
Hi

Start Hijackthis and place a check next to these items If there.
Close all browser windows and shut down all other programs that show in the taskbar (even folders).
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)

====================================
Hit fix checked and close Hijackthis.

Download System Security Suite.
http://www.igorshpak.net/
If that site is unavailable use this link please
http://forums.subratam.org/index.php?act=Attach&type=post&id=25013
Extract it from the zip file and run setup.exe
after the install you can delete setup.exe and the downloaded zip file
Start the program. Check all the boxes under the 'Items to Clear' tab (except perhaps cookies) and click
'Clear Selected Items'. You will be prompted to reboot; do so.

Let us know if SSD still hangs and if so at what detection and which checks you're running.
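The two O18 entries singled out above are MIME filter registrations that HijackThis reports with neither a CLSID nor a backing file. As an added example, not code from this thread or from HijackThis, here is a small Python parser that turns the "Oxx - Kind: a - b - c" log lines into records and picks out exactly those orphaned O18 filters; the sample log is constructed in the shape of the one posted, and the Entry field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")   # "O18 - Filter: <fields>"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass
class Entry:                 # field names are assumptions of this example
    section: str             # "O2", "O18", "O23", ...
    kind: str                # "BHO", "Filter", "Service", ...
    name: str                # first field, e.g. the MIME type for a filter
    clsid: Optional[str]     # None when HijackThis prints "(no CLSID)"
    path: Optional[str]      # None when HijackThis prints "(no file)"
    raw: str

def parse_log(text: str) -> List[Entry]:
    """Parse 'Oxx - Kind: a - b - c' lines into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        section, kind, rest = m.groups()
        fields = [f.strip() for f in rest.split(" - ")]
        clsid_match = CLSID_RE.search(rest)
        last = fields[-1] if len(fields) > 1 else None
        path = last if last and last != "(no file)" else None
        entries.append(Entry(section, kind, fields[0], clsid_match.group(0) if clsid_match else None,
                             path, line.strip()))
    return entries

def orphaned_filters(entries: List[Entry]) -> List[Entry]:
    """O18 MIME filters with neither a CLSID nor a backing file: the entries the helper asked to fix."""
    return [e for e in entries if e.section == "O18" and e.clsid is None and e.path is None]

if __name__ == "__main__":
    for e in orphaned_filters(parse_log(SAMPLE_LOG)):
        print("orphaned filter:", e.name, "->", e.raw)
```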

Wobin
2005-12-31, 11:43
Hi,

SSD just hangs randomly. Sometimes on the 115th line, sometimes at 31.158, and so on...

my log:
-------

Logfile of HijackThis v1.99.1
Scan saved at 10:31:32, on 31/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\WobinD\Bureaublad\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Snelkoppeling naar eigenschappenvenster voor High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



And I just noticed my 'image viewer' doesn't work anymore...


Thanks for your help!

LonnyRJones
2005-12-31, 21:03
Your log looks fine.

Explain the image viewer problem in detail

For the SSD hang, try doing just a spyware scan only.

Wobin
2006-01-02, 13:08
Well, if I double-click a jpeg, gif, .... or so, my image viewer (Windows) won't start. It also won't start if I manually double-click the .exe file (of the image viewer).
SSD also hangs when doing only a spyware scan... Mostly at the end of the scan.

LonnyRJones
2006-01-03, 00:39
Hi

Try

Enable Picture and Fax Viewer

Go to Start/Run and type: regsvr32 shimgvw.dll or regsvr32 /i shimgvw.dll


As Kelly mentions here http://www.kellys-korner-xp.com/xp_p.htm

tashi
2006-01-07, 21:48
This topic will be archived.
If you need it re-opened please pm me or one of the forum mods.