Multitude of Trojans



SBDad
2007-07-08, 23:03
Hi all. Thanks in advance for any and all help with this. A couple of months ago my daughter said those famous words "Dad, something’s wrong with the computer!" What I found was a non-stop stream of pop-ups that made it virtually impossible to do anything on the system, even after reboot. I disconnected the computer from the net, booted in Safe-Mode, and ran Ad-Aware and Spybot. Among the items found were Network Monitor, Cowabanga, InetGet2, Smitfraud-C.Core Service, Smitfraud-C.Toolbar888, Sporder, and lots of suspicious logs and dlls. The hard drive was full (80 GB). Reading through the forums I have learned that Spybot and Ad-Aware may have removed the components of these, but they are probably still in the registry and need further removal tools.

I finally have installed a larger second hard drive (500 GB) to backup personal files (pics, files, music, etc.). I have used a different computer to download the latest updates from Spybot and Ad-Aware, transferred them over, and re-ran the scans in Safe-Mode. Some items were found again. I would like to make sure that all is well prior to reconnecting the computer to the internet, so I am posting here for help (thanks again!).

I ran HijackThis v1.97.7 twice, once before the updates for Spybot/Ad-Aware, and once after. I read the "Before you post" forum and realized I have an older version (even though I have 1.99.1, somehow I ran the older one), so I also re-ran it with v1.99.1 in Safe-Mode. I will list the outputs in separate posts. Sorry for the long post, but I wanted to make sure I gave you all the details.

Thanks again for the help. Here we go....

SBDad
2007-07-08, 23:07
Here's the first HijackThis v1.97.7 log:

Logfile of HijackThis v1.97.7
Scan saved at 12:00:21 AM, on 07/07/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://smetsys.net/
O2 - BHO: (no name) - {011b2e14-4947-495d-8832-132752cc6f34} - C:\WINDOWS\system32\CTInDAL.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [IATA InstallSecondPass] C:\WINDOWS\system32\rundll32.exe IPrtCnst.dll,InstallSecondPass C:\WINDOWS\inf\oem48.inf
O4 - HKCU\..\RunOnce: [DiscWizard for Windows] C:\Program Files\DiscWizard for Windows\dwwin.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38116.7827546296
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/get/flashplayer/current/swflash.cab

SBDad
2007-07-08, 23:10
Here's the second HijackThis v1.97.7 log:

Logfile of HijackThis v1.97.7
Scan saved at 12:13:24 AM, on 07/07/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://smetsys.net/
O2 - BHO: (no name) - {011b2e14-4947-495d-8832-132752cc6f34} - C:\WINDOWS\system32\CTInDAL.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [IATA InstallSecondPass] C:\WINDOWS\system32\rundll32.exe IPrtCnst.dll,InstallSecondPass C:\WINDOWS\inf\oem48.inf
O4 - HKCU\..\RunOnce: [DiscWizard for Windows] C:\Program Files\DiscWizard for Windows\dwwin.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38116.7827546296
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/get/flashplayer/current/swflash.cab

SBDad
2007-07-08, 23:14
Here's the log from the v1.99.1 scan:

Logfile of HijackThis v1.99.1
Scan saved at 05:09:52 PM, on 07/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smetsys.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {011b2e14-4947-495d-8832-132752cc6f34} - C:\WINDOWS\system32\CTInDAL.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [DiscWizard for Windows] C:\Program Files\DiscWizard for Windows\dwwin.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CTInDAL.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CTInDAL.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: CTInDAL - C:\WINDOWS\SYSTEM32\CTInDAL.dll
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PBKNTService - Unknown owner - C:\Program Files\FileStream\Photo TurboBackup\PBKNTService.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

tashi
2007-07-17, 01:20
Hello.

Because of the amount of posts in your thread, helpers probably thought you were already being assisted. ;)

The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)

shelf life
2007-07-24, 02:29
hi SBDad,

That last hjt log looks ok. I only question one item, this .dll:

CTInDAL.dll

located in the system32 dir:

C:\WINDOWS\system32
-----------------------
we can get it checked out. you might have to do this first to show all files:

1. Right click on Start > Explore > Tools > Folder Options > View.
2. Under "Files and Folders" check the radio buttons for:
3. "Show hidden files and folders", and
4. uncheck "Hide extensions for known file types", and
5. uncheck "Hide protected operating system files (recommended)" > click "Yes" to the pop-up window > and then click "OK."
---------------------
navigate to the system32 dir and see if you can find:
CTInDAL.dll

once you locate it you can go to this website:
http://www.virustotal.com/

using the browse button locate the .dll again, double click it, then click send file button it will be uploaded and scanned. you can copy/paste the results into notepad, save them then post the results back here.

if that site is busy, you can try this web site also:
http://virusscan.jotti.org/

also you could go here:
http://www.norman.com/microsites/nsic/Submit/en-us
use my email:
echoreply(at)hotmail.com
browse and upload the file.
-----------------------------------
shelf life

SBDad
2007-07-24, 04:31
Hi shelf life. Thanks for the reply and help. The computer that is/was infected is currently disconnected from the internet. Would it be ok to copy the CTInDAL.dll file to a flash drive and use a different computer to perform the requested tasks, or would that put that computer at risk of infection as well?

Thanks again for the help!

shelf life
2007-07-24, 23:08
hi SBDad,

If it was any other .dll I would say go ahead and copy it to a computer that has an internet connection, but since this is a winlogon dll which incorporates itself into the Windows winlogon process, better forget moving it to another computer, just to be safe anyway.

I can't find any reference to it, and to boot it's a BHO, so I say we get rid of it. We can use hjt:

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {011b2e14-4947-495d-8832-132752cc6f34} - C:\WINDOWS\system32\CTInDAL.dll
---------------------------
restart hjt and this time click on "open misc tools section"
then "delete a file on reboot"
copy/paste in the File Name window: C:\WINDOWS\system32\CTInDAL.dll
click open, at the prompt to reboot select yes. after the reboot rescan and post a new hjt log.

shelf life

SBDad
2007-07-27, 05:48
Hi shelf life. Thanks again for the help. I was trying to learn what items you were looking for in the hjt log (http://www.spywareinfo.com/~merijn/htlogtutorial.php) just out of curiosity; I'll still ask you and the rest of the experts for help :-) to see if I could learn what the items are, and I see that the .dll shows up a couple of times in the log:

O2 - BHO: (no name) - {011b2e14-4947-495d-8832-132752cc6f34} - C:\WINDOWS\system32\CTInDAL.dll


O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CTInDAL.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CTInDAL.dll


O20 - Winlogon Notify: CTInDAL - C:\WINDOWS\SYSTEM32\CTInDAL.dll

Should I fix the other line items as well?

Also, should I fix the R3 object too?

Thanks again for the help shelf life and have a great day!

SBDad
2007-07-27, 06:00
Hi shelf life. For some reason I'm not allowed to edit my posts, so I could fix my previous post. I re-read your post and missed the R3 comment and wanted to delete my question on it (and remove the ; from the end of the Merijn link). Sorry. Thanks again for the help!!

shelf life
2007-07-28, 00:15
hi SBDad,


do you have a usb flash drive or even a floppy to transfer a file to the computer in question?
File size is 106KB. This looks like Vundo but I can't find any reference to that .dll, and Vundo is very popular these days as malware. Normally Vundo shows the same .dll as a BHO and winlogon.

if you can get vundofix on the computer do this:
download and run vundofix.exe:

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

If you can't get vundofix on the computer or it doesn't work we will try something else.
---------------------------------
After you see these logs for a while you learn what needs to go or what looks out of place. An hjt log really displays stuff that you can find on your computer; the difference is it puts it in a nice log.

check my website:
http://security-central.us/SafeHex/steps.htm

hjt log references:

http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm

http://bcheck.scanit.be/bcheck/page.php?name=HIJACKED&page=3

http://forums.majorgeeks.com/showthread.php?t=38752

shelf life
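Shelf life's rule of thumb above (the same .dll showing up as a BHO and as a Winlogon Notify entry is the usual Vundo layout) and SBDad's earlier question about the other O9 and O20 lines both come down to cross-referencing an hjt log by file path instead of reading it line by line. The following script is an added example written for this page; it is not part of HijackThis, VundoFix or the original posts. It parses the O/R lines of a log, groups them by DLL path, flags a DLL that is hooked into winlogon (O20) or that is registered in several places while showing "(no name)", and diffs two logs so a post-fix rescan can be checked without eyeballing eighty lines. The section codes are HijackThis's own; the sample log text inside the script is constructed from the line shapes seen in this thread, and the "strong"/"weak" thresholds are this example's assumptions, not anything the thread specifies.

```python
"""Cross-reference a HijackThis (HJT) log by DLL path.

Added example for this thread; not part of HijackThis, VundoFix or the
original posts. Section codes (O2, O3, O9, O20, ...) are HJT's own; the
"strong"/"weak" thresholds below are this example's assumptions.
"""
import re
from collections import defaultdict

# "O2 - BHO: ..." or "R3 - Default URLSearchHook is missing"
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# First Windows path on the line that names a DLL/OCX/EXE (case-insensitive).
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"'\r\n]+?\.(?:dll|ocx|exe))\b", re.IGNORECASE)
# Hooks that load into Internet Explorer: BHO, toolbar, extra button / Tools menu.
BROWSER_SECTIONS = {"O2", "O3", "O9"}


def parse_hjt(text):
    """Return one dict per O/R line: section code, body text, lower-cased path or None."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, "Running processes", blank lines
        pm = PATH_RE.search(m.group("body"))
        entries.append({
            "section": m.group("section"),
            "body": m.group("body"),
            "path": pm.group(1).lower() if pm else None,
        })
    return entries


def assess(entries):
    """Group entries by DLL path and attach the reasons a path deserves a closer look."""
    by_path = defaultdict(lambda: {"sections": set(), "reasons": set()})
    for e in entries:
        if e["path"] is None:
            continue
        info = by_path[e["path"]]
        info["sections"].add(e["section"])
        if e["section"] == "O20" and "winlogon notify" in e["body"].lower():
            # Loaded into winlogon.exe at boot, before the shell and even in Safe Mode.
            info["reasons"].add("winlogon_notify")
        if e["section"] == "O2" and "(no name)" in e["body"].lower():
            # Weak on its own: some legitimate BHOs (e.g. SDHelper.dll) show no name.
            info["reasons"].add("unnamed_bho")
    for info in by_path.values():
        if info["sections"] & BROWSER_SECTIONS and "O20" in info["sections"]:
            # The Vundo-style layout: one DLL hooked into IE and into winlogon.
            info["reasons"].add("browser_and_winlogon")
    return dict(by_path)


def flag_dlls(entries):
    """Paths worth submitting to a scanner: any winlogon hook, or an unnamed BHO
    that is also registered somewhere else."""
    flagged = []
    for path, info in sorted(assess(entries).items()):
        strong = {"winlogon_notify", "browser_and_winlogon"} & info["reasons"]
        spread = "unnamed_bho" in info["reasons"] and len(info["sections"]) > 1
        if strong or spread:
            flagged.append(path)
    return flagged


def _normalize(line):
    # HJT prints the same path as System32, system32 and SYSTEM32; compare case-insensitively.
    return re.sub(r"\s+", " ", line.strip()).lower()


def diff_logs(before, after):
    """(removed, added) O/R lines between two scans. The 'Running processes'
    list is ignored because it changes between Safe Mode and normal boots."""
    def keyed(text):
        return {_normalize(l) for l in text.splitlines() if ENTRY_RE.match(l.strip())}
    old, new = keyed(before), keyed(after)
    return sorted(old - new), sorted(new - old)


# Constructed sample: the line shapes from this thread, trimmed to what matters here.
SAMPLE_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\winlogon.exe

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {011b2e14-4947-495d-8832-132752cc6f34} - C:\WINDOWS\system32\CTInDAL.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CTInDAL.dll
O20 - AppInit_DLLs:
O20 - Winlogon Notify: CTInDAL - C:\WINDOWS\SYSTEM32\CTInDAL.dll
"""
# What a clean rescan should look like once every CTInDAL entry is gone.
SAMPLE_AFTER = "\n".join(l for l in SAMPLE_BEFORE.splitlines() if "ctindal" not in l.lower())

if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_BEFORE)
    for path, info in sorted(assess(entries).items()):
        print(f"{path}\n  sections={sorted(info['sections'])} reasons={sorted(info['reasons'])}")
    print("flagged:", flag_dlls(entries))
    removed, added = diff_logs(SAMPLE_BEFORE, SAMPLE_AFTER)
    print("gone after fix:", *removed, sep="\n  ")
    print("new after fix:", added)
```

Run as-is, the script flags only CTInDAL.dll (O2 + O9 + O20); NavShExt.dll appears in two sections but both are ordinary IE hooks from a named vendor, and SDHelper.dll is an unnamed BHO registered nowhere else, so neither is flagged. The diff of the constructed before/after logs lists exactly the three CTInDAL entries, which is what a clean rescan should show once the O2, O9 and O20 items are fixed together: fixing only the O2 line leaves the Winlogon Notify hook in place, and that hook loads the DLL into winlogon.exe again at the next boot. The O9 line is a warning sign on its own as well, since the Sun Java Console menu item normally resolves to a DLL under the Java installation directory, not to a file in system32.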

tashi
2007-08-09, 18:12
This topic has been moved to archives. :)

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.

tashi
2007-08-13, 04:07
Re-opened upon request.

SBDad
2007-08-13, 04:28
Hi shelf life. Sorry, I was out of town for a couple of weeks and couldn't try your suggestions on the computer in question. I followed the steps you listed below as follows:

■ Downloaded VundoFix V6.5.7 by clicking on the link provided and copied it to a USB drive.
■ Booted the computer w/issues to Safe Mode, logged in as Administrator, and copied VundoFix V6.5.7 to hard drive.
■ Ran VundoFix V6.5.7.
■ Once the 'Done Searching for files.' box came up, clicked 'OK'.
■ A box stating 'Done Search for files. No infected files were found.' came up. Clicked 'OK'.
■ Clicked 'Remove Vundo' anyways, then a box stating 'No files were found, VundoFix V6.5.7 will now close.' Clicked 'OK'.
■ Rebooted computer to Safe Mode and logged in as Administrator.
■ Copied C:\vundofix.txt to USB drive.
■ Ran hjt v1.99.1 and copied results to USB drive.

--------------------
Here's the vundofix.txt results:

VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 09:48:29 PM 08/12/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

--------------------
Here's the new hjt log results:

Logfile of HijackThis v1.99.1
Scan saved at 10:02:12 PM, on 08/12/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smetsys.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {011b2e14-4947-495d-8832-132752cc6f34} - C:\WINDOWS\system32\CTInDAL.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [DiscWizard for Windows] C:\Program Files\DiscWizard for Windows\dwwin.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CTInDAL.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CTInDAL.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - AppInit_DLLs:
O20 - Winlogon Notify: CTInDAL - C:\WINDOWS\SYSTEM32\CTInDAL.dll
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PBKNTService - Unknown owner - C:\Program Files\FileStream\Photo TurboBackup\PBKNTService.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--------------------
I forgot to remove the R3 item, maybe this can be done during one of the next things to do. Thanks again for the help with this, shelf life. Looking forward to any other things to try. Have a great week!

shelf life
2007-08-14, 04:54
hi SBDad,
lets try this:
start up vundo. right click in the window-- a window will popup saying add files. copy paste in the new window:
C:\WINDOWS\SYSTEM32\CTInDAL.dll

then click on add files. back at the main vundo window, click on remove vundo.
i think that's right, i am in linux right now and am doing it from (a bad) memory.

after computer reboots rerun hjt and have it fix these:

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {011b2e14-4947-495d-8832-132752cc6f34} - C:\WINDOWS\system32\CTInDAL.dll

shelf life

SBDad
2007-08-14, 05:33
Thanks shelf life. When I rerun hjt and fix the items you listed should I also fix these as well:

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CTInDAL.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CTInDAL.dll

O20 - Winlogon Notify: CTInDAL - C:\WINDOWS\SYSTEM32\CTInDAL.dll


After the hjt fixes rerun hjt and post the new log correct?


-------------------
Also, I meant to ask if I need to update Java because of the VundoFix statement "Java version is 1.4.2.5. Old versions of java are exploitable and should be removed."? (I know, one thing at a time, but I wanted to ask before my bad memory forgot :-)
-------------------

I will try this tomorrow when I get home. Thank you again very much for your help with this have a great night!

shelf life
2007-08-14, 12:08
hi SBDad,

yes correct, use vundo first then select those three items in hjt and "fix" them. reboot computer. then rescan and post a new hjt log. once the computer is back on line you can take care of java. you are also a service pack behind. windows xp is up to service pack 2. also once on line an online scan would be good and dont forget to update your antivirus and spybot.

shelf life

SBDad
2007-08-19, 21:08
Hi shelf life. Sorry, was away from home for longer than expected. I followed your instructions below, here's what I did:

■ VundoFix V6.5.7. I figured it out by your instructions, they were really close to what you do in WinXP as compared to what you see in Linux.


Open up VundoFix,
right click in window, box pops up 'Add more files?',
paste file location into the top box (there's 6 of them; C:\WINDOWS\SYSTEM32\CTInDAL.dll),
click 'Add File(s)' once,
click 'Close Window'
click 'Remove Vundo'
■ After clicking 'Remove Vundo', a box came up that stated 'C:\WINDOWS\system32\CTInDAL.dll could not be deleted, VundoFix will load on reboot to attempt removal. Please Click Remove Vundo once your machine has rebooted.'. I then clicked OK, and this box came up 'Click OK to reboot your computer!'. Clicked OK and computer rebooted.
■ Once the computer rebooted (Safe Mode), VundoFix came up. Clicked 'Remove Vundo', then this box came up 'Click OK to reboot your computer!'. Clicked OK and computer rebooted.
■ Once the computer rebooted (Safe Mode), ran hjt and it found only 3 of the 5 items we were originally looking at (the O2 and O20 items were gone). Fixed the R3 and O9 items and reran hjt.
■ I will post the logs below.


-------------------------------------
here's the VundoFix log:


VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 09:48:29 PM 08/12/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\system32\CTInDAL.dll
C:\WINDOWS\system32\CTInDAL.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\CTInDAL.dll
C:\WINDOWS\system32\CTInDAL.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\CTInDAL.dll
C:\WINDOWS\system32\CTInDAL.dll Has been deleted!

Performing Repairs to the registry.
Done!


-------------------------------------
here's the hjt log after the fixes (I also saved the log prior to the fixes if you need to see that too):

Logfile of HijackThis v1.99.1
Scan saved at 11:32:28 PM, on 08/18/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smetsys.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [DiscWizard for Windows] C:\Program Files\DiscWizard for Windows\dwwin.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - AppInit_DLLs:
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PBKNTService - Unknown owner - C:\Program Files\FileStream\Photo TurboBackup\PBKNTService.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


-------------------------------------

How's it looking now?

Thanks again shelf life for your patience and checking when I posted, sometimes quite a bit later. Have a great weekend! :D
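A small added example (my own code, not from either poster and not part of HijackThis): given pasted hjt log text, it parses each entry, pulls out the local file the entry loads, and reports every section (O2, O9, O20, ...) that still references a given DLL. The sample log lines are constructed from the entries quoted in this thread, trimmed down; the regexes assume the usual "Onn - ..." entry layout and Windows drive-letter paths.

```python
import re
from collections import defaultdict

# Constructed sample logs (trimmed HijackThis-style entries modelled on the
# ones discussed in this thread): one with the Vundo DLL still hooked in,
# and one after it was removed.
HJT_BEFORE = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {011b2e14-4947-495d-8832-132752cc6f34} - C:\WINDOWS\system32\CTInDAL.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CTInDAL.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CTInDAL.dll
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O20 - Winlogon Notify: CTInDAL - C:\WINDOWS\SYSTEM32\CTInDAL.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

HJT_AFTER = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs:
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# "O20 - Winlogon Notify: ..." -> section "O20", rest of the line as text.
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# First drive-letter path up to an executable-type extension; spaces allowed.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe|ocx|sys|scr))\b", re.IGNORECASE)


def parse_entries(log_text):
    """Return [(section, text, path)] for each HJT entry; path is None when
    the entry names no local file (URLs, registry-only entries)."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, text = m.groups()
        pm = PATH_RE.search(text)
        entries.append((section, text, pm.group(1) if pm else None))
    return entries


def hook_points(log_text):
    """Map each referenced file (lower-cased basename) to the set of HJT
    sections that load it, so one file hooked from several places shows up
    together instead of scattered across the log."""
    points = defaultdict(set)
    for section, _text, path in parse_entries(log_text):
        if path:
            points[path.rsplit("\\", 1)[-1].lower()].add(section)
    return dict(points)


def entries_referencing(log_text, filename):
    """Section codes, in log order, of every entry that loads `filename`;
    an empty list means the file is gone from every hook point."""
    wanted = filename.lower()
    return [section for section, _text, path in parse_entries(log_text)
            if path and path.rsplit("\\", 1)[-1].lower() == wanted]


if __name__ == "__main__":
    for name, log in (("before", HJT_BEFORE), ("after", HJT_AFTER)):
        print(name, "- CTInDAL.dll hooked from:", entries_referencing(log, "CTInDAL.dll"))
        for fname, sections in sorted(hook_points(log).items()):
            print("   ", fname, sorted(sections))
```

The point of grouping by file is the one this thread ran into: a Vundo-style DLL is hooked from several places at once (BHO, toolbar button, Winlogon Notify), so checking only the O2 line can leave a reload path in place. Pasting a real log into a string or reading it from a file is all that changes for real use.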

shelf life
2007-08-21, 01:38
hi SBDad,

ok good thanks for the update. that .dll is gone from the log. i would say its safe to connect it to the internet if you havent already and update your av and spybot. a link to an online scan:

F-secure scan:
http://support.f-secure.com/enu/home/ols.shtml

click on the "start scanning button" near bottom of page.
click to accept/install the ActiveX applet, click Full System Scan
Once the download completes (may take awhile), the scan will begin automatically.
The scan will take some time to finish.
When the scan completes, click the Automatic cleaning (recommended) button.
--------------------
shelf life

SBDad
2007-08-21, 06:25
Thanks shelf life!

Yesterday I figured I could go ahead and perform some other tasks that needed to be done without an internet connection, so I booted in Safe Mode and did a disk check on the C: drive followed by several defrags. (Since the drive was filled up by the crapware, I finally got around to installing a second larger drive (500 GB) way back when this thread started and backed up all of the personal files (excel, word, pics, etc.) to the new drive back then.) After removing/moving all of the files the C: drive was pretty fragmented so it took a few defrags to get it in nice shape.

My old copy of Norton AV won't let me update it anymore without a new license, and ZA was out of date, so I purchased a fresh new copy of ZA Security Suite and will load that.

Is there any particular order I should perform the following tasks?

· Install Zone Alarm Security Suite
· Connect to internet
· Update Spybot and Ad-aware
· Update WinXP, and Office 2000/XP
· Update Java
· Perform online scan using F-secure scan

Once I’m done with this computer I think I’m going to post a hjt log for each of my two laptops (of course in a new thread for each) as they are getting pretty slow (although these have up to date AV, Spybot, Ad-aware, and ZA). Maybe I’m overlooking a couple of issues with them too.

Thanks again for all of the help shelf life and have a great week!!

shelf life
2007-08-22, 03:03
hi SBDad,

that order looks fine to me. wow a 500 gb hd, thats huge.
thats the all-in-one suite firewall, antivirus etc?

shelf life

SBDad
2007-08-22, 22:21
Yep, it’s a Seagate 500 GB. I got it for a pretty good price on sale too. It was maybe $25 US more than a 250 GB at the time. I figured with all of the pictures and music I should get them all off of the primary 80 GB drive anyways. It took some time getting XP and the BIOS to recognize the full size of the drive though, XP would only recognize 128 GB. I had to update the BIOS, install a XP MS Hotfix to update the Atapi.sys driver, rerun the Seagate DiskWizard again to reboot and enable support for drives over 137 GB, and then rerun Seagate DiskWizard and reformat the drive. After all that I still had to install an Intel Chipset S/W Installation Utility to install the Intel Application Accelerator so the full 500 GB could be used, whew (as sweat drips off of the brow! :-).

Yes, the ZA package is the all-in-one. It’s ZoneAlarm Internet Security Suite 2007. It has, as the box lists, “Antivirus, Anti-Spyware, Network & Program Firewall, Operating System Firewall, Identity Theft Protection, Parental Control, Anti-Spam & More!”.

I forgot to ask, I vaguely remember that somewhere you can see what services and startup items are running and post/check somewhere a list (similar to hjt) and get advice on the stuff that’s running to remove items that really don’t need to be running. I guess this will help speed up the performance of the computer too. Any ideas on this? This computer seems to be slow compared to when I first got it 4 yrs ago, it’s a 1.9 GHz 400 MHz sidebus with 128 MB of RDRAM (yeh I know, more memory, but that RDRAM is too expensive, damn Dell :-). You would think that it’s still a pretty viable system.

I am going to do the items listed in the previous post today. Fingers-crossed!! I’ll post the results of the F-secure scan after that’s complete (sorry for the long post).

Thank you so much again, shelf life, for all of the help with this computer. I don’t think I would have been able to get it running again without your help. :bigthumb:

shelf life
2007-08-22, 23:40
hi SBDad,

you should be set with that drive. what a pain to get it recognized.

i would look thru the add/remove program panel and uninstall anything you dont use. commercial computers come with plenty of bloatware on them.

to help control what starts up, you can use msconfig:

http://netsquirrel.com/msconfig/

http://www.help2go.com/Tutorials/Windows/Disable_Programs_Running_at_Startup.html

-------------------------
many services which are enabled by default are not needed and can be disabled:

http://www.blackviper.com/

http://www.beemerworld.com/tips/servicesxp.htm

only disable a few at a time and remember which ones, reboot and use computer normally for awhile to make sure you dont lose any functionality.

this might prove useful to you:

http://www.yorkspace.com/2006/04/38


shelf life

tashi
2007-10-05, 00:26
Re-opened upon request. :)

SBDad
2007-10-05, 23:00
Hi shelflife. Sorry for the long delay. After installing ZA Security Suite, I tried to connect to the internet to update everything else, but couldn't get out (and it wasn't ZA as I shut it down and still couldn't connect). It took awhile to find out the cause. Ipconfig had an error about a file missing, which MS's pages stated a reload was needed. I found in Dell's forums something on the error that fixed it, but then another popped up about the DHCP client and dependency service. I checked MS and Dell's sites but there was no info on this. Finally I googled the error and found out that even though I removed Norton AV, it still had its tentacles on the system. Here's the link to the fix, hopefully it might help someone else out: http://www.winforums.com/showthread.php?t=9587 & http://www.bl.com/moshe/text/quiddities/norton_errors.html.

Anyways, back to the virus/spyware removal. Once I was able to reconnect to the internet, I updated ZA, Spybot, and Ad-aware. I ran several scans with each until all found no baddies. I then updated WinXP, Office 2k/XP, and Java. I then reupdated ZA, Spybot, and Ad-aware and ran several more scans until clean. I also cleaned up some of the services and startups to try and speed it up a little. I then performed the online scan with F-secure scan, it found two issues, although when I clicked on Auto clean it changed to nine, but then back to two. I also ran another hjt.

****************************************
Here's the Scanning Report from F-secure:

F-Secure Online Scanner 3.1.5 - Scanning Report - Friday, October 05, 2007 07:45:42
Scanning Report
Thursday, October 04, 2007 18:02:58 - 07:45:18
Computer name: xxxxxxxx
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\ D:\

Result: 2 malware found
Tracking Cookie (spyware)
System (Disinfected)
Trojan-Downloader.Win32.PurityScan.cr (virus)
C:\PROGRAM FILES\?DOBE\WUAUCLT.EXE

Statistics
Scanned:
Files: 183790
System: 6130
Not scanned: 4
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION
DATA\MICROSOFT\CRYPTO\DSS\MACHINEKEYS\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-10-04
F-Secure AVP: 7.0.171, 2007-10-04
F-Secure Orion: 1.2.37, 2007-10-04
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0598-150-72
F-Secure Pegasus: 1.19.0, 2007-09-02
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF
VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI
MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0
TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT
MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR
BZ2 HQX
Use Advanced heuristics

****************************************
Here's the hjt log:

Logfile of HijackThis v1.99.1
Scan saved at 04:54:17 PM, on 10/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190949702406
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - AppInit_DLLs:
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

****************************************

Thanks again for the help with this shelflife and have a great weekend!
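The F-Secure hit in that report is a textbook disguise: wuauclt.exe is a genuine Windows Update binary, but it belongs under %SystemRoot%\system32, and a folder whose name prints as "?DOBE" is one character away from "Adobe", with a character the scanner could not render ("?" cannot occur in a real Windows file name). An added example (my own code, not F-Secure's and not from either poster) that triages scanner-reported paths on exactly those signals; the system binary list, the allowed directories and the vendor folder names are constructed short lists for the example, and the sample paths other than the quoted finding are made up.

```python
# Constructed sample paths: the F-Secure finding quoted in this thread plus a
# few paths that are normal on a Windows XP machine.
SAMPLE_PATHS = [
    r"C:\PROGRAM FILES\?DOBE\WUAUCLT.EXE",
    r"C:\WINDOWS\SYSTEM32\WUAUCLT.EXE",
    r"C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"C:\Documents and Settings\user\Local Settings\Temp\svchost.exe",
]

# Windows binaries that should only ever be found under %SystemRoot%\system32
# (constructed short list for the example; extend it for real use).
SYSTEM_BINARIES = {"wuauclt.exe", "svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "csrss.exe"}
SYSTEM32_DIRS = {"c:\\windows\\system32", "c:\\windows\\system32\\dllcache"}

# Vendor folder names that malware likes to imitate (constructed list).
VENDOR_DIRS = {"adobe", "microsoft", "common files", "java", "symantec"}


def lookalike_of(component):
    """Return the vendor folder name that `component` differs from in exactly
    one character position (a '?'-for-'A' style substitution), else None."""
    comp = component.lower()
    for vendor in VENDOR_DIRS:
        if len(vendor) == len(comp) and comp != vendor:
            if sum(a != b for a, b in zip(comp, vendor)) == 1:
                return vendor
    return None


def suspicious_reasons(path):
    """List the reasons a scanner-reported path deserves a closer look;
    an empty list means none of the checks fired."""
    reasons = []
    parts = path.split("\\")
    for part in parts[1:]:  # skip the drive letter
        # '?' is a reserved character on Windows, so a scanner prints it only
        # when the real character has no representation in its output.
        if "?" in part or any(ord(ch) > 127 for ch in part):
            reasons.append(f"non-ASCII or unrenderable character in {part!r}")
        vendor = lookalike_of(part)
        if vendor:
            reasons.append(f"{part!r} is one character away from {vendor!r}")
    name = parts[-1].lower()
    directory = "\\".join(parts[:-1]).lower()
    if name in SYSTEM_BINARIES and directory not in SYSTEM32_DIRS:
        reasons.append(f"{name} outside %SystemRoot%\\system32 (found in {directory})")
    return reasons


def triage(paths):
    """Map each path to its reasons; paths that raise no flag are omitted."""
    result = {}
    for p in paths:
        reasons = suspicious_reasons(p)
        if reasons:
            result[p] = reasons
    return result


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_PATHS).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

The quoted finding trips all three checks; the same binary name in its proper system32 location trips none. The "one character off a vendor name" test is deliberately strict (same length, single differing position) so it explains itself when it fires and stays quiet on ordinary folder names.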

shelf life
2007-10-06, 00:07
hi SBDad,

its been awhile. that latest hjt log looks ok as far as malware goes. norton can be a pain to remove. they do provide a "complete" uninstaller at their website.
you have it under control now?

shelf life

SBDad
2007-10-06, 00:32
Hi shelflife. Yea, it took a bit to try and figure out why I couldn't connect, and not to do the drastic reload of XP. So, you think it's ok now? Safe to use on the internet again?

Thanks again!

shelf life
2007-10-06, 00:40
hi SBDad,

yes it looks ok. the best thing you can do is learn what to protect yourself from. actions to avoid. have a look at my prevention tips:
http://security-central.us/SafeHex/prevention.htm

shelf life

SBDad
2007-10-09, 14:30
Thanks again shelflife. Yep, I've been reading over your pages. Lots of info, good page to direct my family to to understand the whys of good security.

I'm glad that the system is finally clean. Would you be able to tell me why it is running really slow now, and what could I supply to help with that? You can click on anything, whether it's a program, IE, start button, right click on the task bar, etc., and it takes upwards of two minutes before even responding (I've timed it). I tried looking over the running processes and removing items that are not needed, but it still seems like something is eating up the processor. I don't see anything in Task Manager that is causing the delay, but then again TM takes so long to come up that it might not even register the delay.

Thanks again for all of the help cleaning the system up and patiently reviewing the scans and answering the questions, sometimes months in delay. Have a great week!

shelf life
2007-10-10, 00:46
hi SBDad,

slow computer: is spybot finding/cleaning anything after a scan? do another scan with hjt and post the log. also lets try running combofix to see if it can dig up anything:

Please download ComboFix (by sUBs) from one of the following links:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running.
It may cause it to stall.

When finished, it produces a log.

Please provide the contents of the ComboFix log in your reply and a new hjt log.

glad you enjoyed my web site, its a very rare event to get any feedback on it.

shelf life

SBDad
2007-10-11, 04:16
Hi shelflife. I found out something today. Spybot only scans for the user that is logged in at the moment. My account is the admin for the computer (but not the Admin account under Safe Mode), and I did all of the scans et al. while I was logged into my account. Your post got me thinking that I should log in as my daughter and rerun Spybot. Sure enough, even though while I was logged into my account it was 'clean', running the scan under her account found AdRevolver, BlueStreak, BurstMedia, CurePCSolution, DirectTrack, MaxFiles, Mediaplex, ReliableStats, Statcounter, TagASaurus, Tradedoubler, Virtumonde, Win32.Agent.qt, Win32.ConHook.ah, and Win32.Small.ddx.

One note, the computer has not been used since it was infected, and the only webpages visited during your help and up to now have been ZoneAlarm, MS Updates (both XP and Office), Spybot updates, Ad-aware updates, Java updates, and F-Secure (this doesn't mean the baddies in the background haven't been sneaky though).

I haven't downloaded Combofix yet, but I figured I'd give you a quick update and see what steps I should follow since there are four users, plus the Admin account. I would suspect that I have missed a few things.

Thanks again for everything! :oops:

shelf life
2007-10-12, 02:37
hi SBDad,

hold off on combofix for now. lets see what spybot can dig up. i found this from a thread
looks like scanning each user account would be a good idea. malware in other accounts could explain the slowness you have been experiencing.

the thread:

"It should also be noted that if you use an alternate user account for scheduling purposes, you should periodically scan from your regular user account as well as any other user accounts on the system.

Although the entire system is scanned for most malware, because of restrictions in the Microsoft APIs (Application Program Interfaces) used by Spybot, the scan from one account does not include the Internet cache, cookies and some other user specific entries of other accounts."
__________________

shelf life
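To make the quoted Spybot note concrete, an added example (my own code, not Spybot's and not from either poster): it builds a constructed XP-style "Documents and Settings" tree in a temporary directory and reports, for a scan run under one account, which other profiles' cookie, cache and temp areas that scan did not cover. The account names, the file counts and the list of per-user folders are assumptions made for the example.

```python
import os
import tempfile

# Per-user locations on Windows XP that a scan run under one account does not
# cover for the other accounts (relative to each profile directory; assumed
# list for the example).
USER_SPECIFIC = [
    "Cookies",
    os.path.join("Local Settings", "Temporary Internet Files"),
    os.path.join("Local Settings", "Temp"),
    "Application Data",
]
# Profile directories that are not interactive user accounts.
NOT_ACCOUNTS = {"All Users", "Default User", "LocalService", "NetworkService"}


def build_sample_profiles(root):
    """Construct a fake 'Documents and Settings' tree with four accounts and
    a few cache files each (constructed data, not a real machine)."""
    layout = {"dad": 2, "daughter": 5, "kid2": 3, "guest": 1, "All Users": 0}
    for user, n_files in layout.items():
        for rel in USER_SPECIFIC:
            d = os.path.join(root, user, rel)
            os.makedirs(d, exist_ok=True)
            for i in range(n_files):
                with open(os.path.join(d, f"item{i}.txt"), "w") as fh:
                    fh.write("constructed sample file\n")
    return root


def profile_accounts(root):
    """Interactive accounts found under the profile root, sorted by name."""
    return sorted(name for name in os.listdir(root)
                  if os.path.isdir(os.path.join(root, name))
                  and name not in NOT_ACCOUNTS)


def uncovered_profiles(root, scanned_as):
    """Return {account: file_count} for every account other than `scanned_as`,
    counting the files in its user-specific areas that the scan never saw."""
    result = {}
    for user in profile_accounts(root):
        if user.lower() == scanned_as.lower():
            continue
        count = 0
        for rel in USER_SPECIFIC:
            for _dirpath, _dirs, files in os.walk(os.path.join(root, user, rel)):
                count += len(files)
        result[user] = count
    return result


def demo(scanned_as="dad"):
    """Build the sample tree and report what a scan under `scanned_as` missed."""
    root = build_sample_profiles(tempfile.mkdtemp(prefix="docs_and_settings_"))
    return uncovered_profiles(root, scanned_as)


if __name__ == "__main__":
    for user, count in sorted(demo("dad").items()):
        print(f"{user}: {count} files in per-user areas not covered by the scan")
```

On a real XP machine the root would be C:\Documents and Settings; the output is the list of accounts still to log into and scan, which is the step that turned up the extra findings in this thread.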

SBDad
2007-10-15, 14:48
Thanks shelflife. I am in the process of scanning each user account. We'll see what we can get rid of on each. Sorry for the omission on the user accounts. I'll post back soon. Thanks again!

P.S. Maybe whatever is still hiding on the system is now causing the HP Image Zone software for my daughter's digital camera to keep asking for a CD labeled '1' to be inserted; this started after all of the cleaning and the updates (or maybe it just needs reloading because of the updates, I'm checking HP's site)...

SBDad
2007-10-22, 19:54
Hi shelflife. Well, I posted a reply but for some reason it didn't post, so hopefully this isn't a repeat (maybe the forum timed out, man hopefully I remembered what I originally wrote). Anyways, thank you very much again for the ongoing work on this issue. I've scanned all of the user accounts on the system. Here's a synopsis of what was done:

o Scanned each user account with Spybot, Ad-aware, and ZA. No issues were found on my account and my daughter's, but the other two user accounts had numerous items found. Removed items as they were found.

o After I was done removing the items with each scan in each user account, I went into Internet Options - Temporary Internet Files and clicked Delete Cookies and then Delete Files for each user; I also went into Settings and reduced the Disk Space used to 350 MB.

o I also used the Cache Cleaner in ZA to further clean up the drive.

o I updated SB, AA, and ZA, and rescanned each user with SB, AA, and ZA, further removing any other items found.
    o I also again performed Delete Cookies, Delete Files, and used the Cache Cleaner in ZA for each user as outlined above.

o I unplugged the network cable from the router. Rebooted the system. Rescanned each user account with SB, AA, and ZA until no more items were found.
    o I also again performed Delete Cookies, Delete Files, and used the Cache Cleaner in ZA for each user as outlined above.

o Booted to Safe Mode and logged into the Admin account. Scanned with SB and AA, no items found. Could not start ZA to scan or use the Cache Cleaner (maybe some of the drivers/dlls/etc that it uses are not started in SM).
    o Also performed Delete Cookies, Delete Files and reduced the Disk Space Used to 350 MB (as outlined above) for the SM Admin user.

o Since I was already in SM, performed Disk Check on D drive and scheduled Disk Check for C drive. Rebooted to allow Disk Check to run for C drive.

o Rebooted to SM. Performed Defrag on D drive and C drive.

Whew. Now that all that has been done, booted system back up normally to my user account. System is still running slow. Still did not reconnect to router yet for safety. What should be the next course of action? I didn't post a new hjt log yet and I wanted to make sure what you needed. Thanks again shelflife for sticking with this long process of help. Take care and have a great week!

shelf life
2007-10-23, 04:10
hi SBDad,

from what you've done and the results, it looks like you can reconnect it to the router and the internet. a good tool for keeping temps, cookies etc. cleaned up is ATF Cleaner, i may have suggested it before but i can't recall:

http://www.atribune.org/content/view/19/2/
---------------------------------------
post another hjt log for another look since its been so long.

shelf life

SBDad
2007-10-24, 13:50
Hi shelflife. The system was a little slower than normal, but as soon as I connected the router back up to it, man it's at a crawl now. Here is the hjt log from my user account. Should I run hjt for each user?

---------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 07:37:46 AM, on 10/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190949702406
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - AppInit_DLLs:
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\DOCUME~1\Brian\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

---------------------------------------------

Thanks again. Have a great week!

shelf life
2007-10-25, 01:02
hi SBDad,

scan with HJT, put a checkmark beside the items below, close all windows and click fix checked.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
for the slowness, you can try disabling Spybot's TeaTimer. it runs in the background if enabled. see if that helps.

is your Norton antivirus active? you see the icon and can update/scan with it? i only ask because i don't see a service running in the O23 items list.

shelf life

tashi
2007-11-06, 00:32
SBDad how is it going?

SBDad
2007-11-08, 13:50
Hi shelflife. Sorry, been away on business again, much to the dismay of my daughter who is itching for the computer again.

Anyways, I followed your instructions below this weekend. I fixed the two items. Norton is not active on this system; I have removed it, but as you know, it doesn't go away easily (it was one of the problems I was having with ZA's antivirus not running). Here's the hjt log after the fixes were done:

*************************************
Logfile of HijackThis v1.99.1
Scan saved at 08:21:23 PM, on 11/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\PackethSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\HijackThis\Scan.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: AOL Companion.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190949702406
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O20 - AppInit_DLLs:
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\DOCUME~1\Brian\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

*************************************

I was wondering if I should fix these as well:

O20 - AppInit_DLLs:
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\DOCUME~1\Brian\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe (file missing)

Thanks again shelflife!

P.S. Hi tashi. Thanks for asking before moving it to the archives. Is there a way to save the entire thread to a text file or something once we're done? I learned a lot with shelflife's help (THANKS!!) during this process and would like to save a record of what we did so I can remember later. Thanks again!

shelf life
2007-11-10, 22:47
hello again,


Norton is not active on this system; I have removed it

i don't see any signs of it in the hjt log. norton does have a "clean tool" that will remove norton products:

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

in any case you need to get another av installed quickly.
here's one:
http://free.grisoft.com/doc/2/


I was wondering if I should fix these as well:

O20 - AppInit_DLLs:
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\DOCUME~1\Brian\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
yes you can have hjt "fix" those two.

shelf life

SBDad
2007-11-12, 04:42
Thanks shelflife. I am using ZoneAlarm's AV, is this ok or should I try a different one?

When I tried removing those two line items, I received the following error:

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=020 - AppInit_Dlls: )
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

What should I do next?

Thanks again and have a great week!

shelf life
2007-11-14, 03:38
hi,

my mistake you can leave this:

O20 - AppInit_DLLs:

it's ok, doesn't point to anything.

shelf life
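
Added example, not from the thread and not HijackThis's own logic: a small Python script that triages the entry classes shelf life has been judging over the last few posts (the two O6 IE restriction policies, the orphaned O23 service marked "(file missing)", and the empty O20 AppInit_DLLs line that turned out to be harmless and only crashed HJT's backup routine when "fixed"), plus two rules a practitioner would normally add: autoruns launched from a Temp directory and O16 ActiveX downloads from hosts outside an allowlist. The sample log is constructed from entries posted above plus two hypothetical lines (an O4 "updater" under Temp and an O16 control from example.invalid) to exercise those rules; the TRUSTED_DPF_HOSTS allowlist and the fix/review/ok verdicts are this example's own assumptions.

```python
"""Heuristic triage of a HijackThis 1.99.x log (added example, not HJT code)."""
import re
from collections import namedtuple
from urllib.parse import urlparse

Finding = namedtuple("Finding", "section verdict reason entry")

# Assumption for this example: hosts the O16 controls in the posted logs came
# from. Any other download host is flagged for review, not auto-fixed.
TRUSTED_DPF_HOSTS = ("microsoft.com", "msn.com", "yahoo.com", "f-secure.com")

# "...\Temp\..." anywhere in an autorun or service path: a classic dropper location.
TEMP_PATH = re.compile(r"\\temp\\", re.I)

# Every HJT entry line starts with a section code such as O4, R1 or F2.
ENTRY = re.compile(r"^(?P<section>[ORF]\d+) - (?P<body>.+)$")

# Constructed sample: a subset of the log posted above plus two hypothetical
# lines (the O4 "updater" under Temp and the O16 control from example.invalid).
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\Brian\LOCALS~1\Temp\svchost.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190949702406
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Hypothetical Control) - http://dl.example.invalid/ctl.cab
O20 - AppInit_DLLs:
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\DOCUME~1\Brian\LOCALS~1\Temp\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""


def _host_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in TRUSTED_DPF_HOSTS)


def triage(log_text):
    """Return a Finding for each entry that deserves a verdict; silent on the rest."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, blank and "Running processes" lines carry no entries
        section, body = m.group("section"), m.group("body")
        if section == "O6" and body.endswith(" present"):
            findings.append(Finding(section, "fix",
                "IE restriction policy set; on a home PC this is normally malware locking the browser", line))
        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(section, "fix",
                "service points at a file that no longer exists (orphaned entry)", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body[len("AppInit_DLLs:"):].strip()
            if value:
                findings.append(Finding(section, "review", "DLL injected into every GUI process: " + value, line))
            else:
                # Empty value loads nothing; HJT 1.99.1 errors out if asked to "fix" it.
                findings.append(Finding(section, "ok", "empty AppInit_DLLs value, loads nothing", line))
        elif section in ("O4", "O23") and TEMP_PATH.search(body):
            findings.append(Finding(section, "review", "autorun/service launches from a Temp directory", line))
        elif section == "O16":
            url = body.rsplit(" - ", 1)[-1]
            if not _host_trusted(url):
                findings.append(Finding(section, "review", "ActiveX control downloaded from an unexpected host", line))
    return findings


def summarize(findings):
    """Count findings per verdict, e.g. {'fix': 3, 'review': 2, 'ok': 1}."""
    counts = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.verdict:6}] {f.section}: {f.reason}")
    print(summarize(results))
```

A "fix" verdict here means the entry is safe to let HJT remove; "review" means look at the file or host before touching anything, since a legitimate installer can also drop an autorun under Temp. Paste a full log into SAMPLE_LOG or read it from a file to triage a real scan.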

SBDad
2007-11-28, 16:16
Hi shelflife. I reconnected the system to the internet. It still takes what seems like forever to do anything. It took about 5 minutes just to boot up. When you try to run any program it still takes a lot of time before it opens, then once it is open it is really slow. I have made sure SB, AA, & ZA were all up-to-date, and I am currently running SpyBot scans on each user, then I will rescan with Ad-aware on each, then just to make sure I haven't missed anything, I'll rescan with the AV/AS in ZoneAlarm on each.

Since each user has their own user specific entries in MS and you really need to treat each user as a different entity/computer, does hjt have the same issue, meaning should I run a hjt scan for each user account?

I will post a new hjt scan (or one for each user if needed) when the scans are done.

Thanks so much again for all of the help. Have a great day!

shelf life
2007-11-29, 00:23
hi SBDad

it's been a while. i think that hjt will only display certain things that would be different for each user, like info it gets from my documents/application data.
go ahead and post the logs for each user account so we can see what they look like.
as for the long bootup and slowness, i don't see anything in the last hjt log. a hjt log is really only for evidence of malware, which might show or might not show in the log. unless you have a bad case of malware or a long list of O4 items, diagnosing a sluggish computer is difficult and really just becomes suggestions to try. maybe a reformat is in order, it can do wonders.

shelf life

SBDad
2007-12-03, 03:33
Hi shelflife. I got that nv4_disp.dll BSoD error yesterday. Long story short, after reading what seemed like hundreds of posts/webpages on this, seems like the nVIDIA driver(s) has an issue with WinXP SP2 and nVIDIA is silent on the issue (for something like 4 or 5 years now). Anyways, there are many ways to have the problem happen, and maybe mine was due to taxing the card a little too much at startup.

BTW, I have been posting hjt logs using v1.99.1, but I noticed the sticky that stated to use v2.0.2. Which would you like me to use?

Thanks again!!!

shelf life
2007-12-04, 01:05
hi,

it's been a while.

doesn't sound good:


I got that nv4_disp.dll BSoD error

did you poke around the Nvidia website?
you might also get some info by searching their forum:
http://forums.nvidia.com/index.php?act=idx


taxing the card a little too much at startup
how are you doing that?


I have been posting hjt logs using v1.99.1

v.1.99.1 is fine with me. if you want to you can get and use the Trend Micro version.

shelf life

SBDad
2007-12-05, 06:08
I got that nv4_disp.dll BSoD error

did you poke around the Nvidia website?
you might also get some info by searching their forum:
http://forums.nvidia.com/index.php?act=idx

Yep. Looked there and they are pretty silent on the whole fiasco (so is Dell; their tech support just tells users to format and reload the software which doesn’t fix the issue, just delays it a little before it comes back). Found better luck scroogling it (see, I do look at your links! :-)

Looks like this error has been around for at least five years and typically happens after an update to WinXP SP2 if you have an nVidia card, and it doesn't help if you have a Dell, especially with their OEM mods to s/w and drivers. Various things can cause it and/or a combination of them; low memory, outdated driver, corrupted driver, etc. Happens with most nVidia cards as well, even newer ones.




taxing the card a little too much at startup

how are you doing that?

I had just booted up the system and didn't pay attention that it wasn't fully booted yet. Tried to open a web page and was generally looking around the system. Since ZA, SB, and a few other things were still in the process of starting (the system now takes around 5 - 10 minutes to fully boot), it was using quite a bit of memory. This looks like what might have triggered the BSoD in regards to the nVidia driver. This is a Dimension 8200 @ 1.9 GHz with 256 MB of RDRAM (damn Dell for using memory that's so freaking expensive even when it's not being really used in anything anymore; it’s almost cheaper to buy a new system than put more memory in this one) and has an nVidia 64 MB GeForce2 MX w/TVOUT card. Reading through most posts/webpages, it seems like the best fix for the nv4_disp.dll error is to go out and buy an ATI card.

Anyways, sorry to go off on a tangent to the subject of this thread. I’ll post those four hjt logs this week. Is there any difference between using Merijn’s v1.99.1 or TrendMicro’s v2.0.2? Better scans on one vs. the other? Thanks again for all of the help!

shelf life
2007-12-06, 04:44
hi,

5-10 minutes to boot up is a long time. adding another stick of 256MB RAM would do wonders for the computer's overall performance.
you don't have to buy memory from Dell. there are several online sites where you just put in the make/model and they will tell you what you need to get. adding memory is one of the least expensive and easiest things to do to boost overall performance.

http://www.kingston.com/
http://www.crucial.com/

i think the new Trend Micro version shows a few more registry RUN items than the old version. either one you want to use is fine.
scroogle is great, you can add it as the default search engine if you use Firefox for browsing.

shelf life

tashi
2007-12-17, 21:10
Still with us SBDad?